[OpenSIPS-Users] Connect to AWS RDS database with SSL enabled

jacky z zjack0992 at gmail.com
Sun Sep 25 10:31:49 UTC 2022


Hi Vlad,

It seems OpenSIPS crashed when I set ?tls_domain=dom1 to enable a TLS
connection to the MySQL DB. I followed the method in the manual.

modparam("usrloc", "db_url",
"mysql://root:1234@localhost/opensips?tls_domain=dom1")


Here is the log.

Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
INFO:tls_mgm:mod_init: initializing TLS management
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom'
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'dom' defined, using default
'/etc/pki/CA/'
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
NOTICE:tls_openssl:openssl_init_tls_dom: No EC curve defined
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
INFO:tls_openssl:get_ssl_ctx_verify_mode: client verification NOT
activated. Weaker security.
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom1'
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'dom1' defined, using
default '/etc/pki/CA/'
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
NOTICE:tls_openssl:openssl_init_tls_dom: No EC curve defined
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
INFO:tls_openssl:get_ssl_ctx_verify_mode: server verification NOT
activated. Weaker security.
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
INFO:proto_tls:mod_init: initializing TLS protocol
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
INFO:proto_bin:mod_init: initializing BIN protocol
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
INFO:clusterer:mod_init: Clusterer module - initializing
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
CRITICAL:core:sig_usr: segfault in attendant (starter) process!
Sep 25 10:14:01 ip-10-100-20-35 kernel: [39023.653243] opensips[4935]:
segfault at 0 ip 0000000000000000 sp 00007ffececa3d08 error 14 in
opensips[558b5bb75000+1c000]
Sep 25 10:14:01 ip-10-100-20-35 kernel: [39023.666503] Code: Bad RIP value.
Sep 25 10:14:01 ip-10-100-20-35 opensips: INFO:core:daemonize: pre-daemon
process exiting with -1

and my client domain settings

#client domain
modparam("tls_mgm", "client_domain", "dom1")
modparam("tls_mgm", "match_ip_address", "[dom1]*")
modparam("tls_mgm", "match_sip_domain", "[dom1]*")
modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm","tls_method", "[dom1]SSLv23")
modparam("tls_mgm","verify_cert", "[dom1]0")
modparam("tls_mgm","require_cert", "[dom1]0")

I would expect to see some other errors, such as an invalid cert, but not a
crash in the pre-daemon process. Any clue on this for me to debug? If I
remove "?tls_domain=dom1", there is no such crash, though the OpenSIPS
server still couldn't start because I forced the MySQL DB to use an SSL
connection. Thanks!

On Mon, Sep 19, 2022 at 9:09 PM Vlad Patrascu <vladp at opensips.org> wrote:

> Hi Jacky,
>
> I can't think of any workaround unfortunately.
>
> Regards,
>
> --
> Vlad Patrascu
> OpenSIPS Core Developer
> http://www.opensips-solutions.com
>
> On 17.09.2022 18:46, jacky z wrote:
>
> Hi  Vlad,
>
> Is there any workaround to disable the client cert? Thanks!
>
> On Wed, Sep 14, 2022 at 9:16 PM Vlad Patrascu <vladp at opensips.org> wrote:
>
>> Hi Jacky,
>>
>> OpenSIPS will always require you to configure a client certificate for
>> TLS client domains and will also present that certificate when connecting.
>> But normally, a TLS server can simply choose not to verify the client
>> certificate. I don't have any experience with AWS RDS though but it seems
>> odd to not accept a connection only because the client did present a
>> certificate.
>>
>> Regards,
>>
>> --
>> Vlad Patrascu
>> OpenSIPS Core Developer
>> http://www.opensips-solutions.com
>>
>> On 14.09.2022 05:42, jacky z wrote:
>>
>> Hi Bogdan-Andrei,
>>
>> I checked the MariaDB documentation and found MariaDB has two options to
>> set up an SSL connection: two-way TLS and one-way TLS. It seems AWS RDS only
>> supports one-way TLS, that is, TLS is used without a client cert. Does
>> OpenSIPS support such one-way TLS to connect to a database? Thanks!
>>
>> On Wed, Sep 14, 2022 at 12:06 AM jacky z <zjack0992 at gmail.com> wrote:
>>
>>> Hi Bogdan-Andrei,
>>>
>>> I have set the "certificate" and "private_key" in my script, as I
>>> explained in method 1. However, AWS RDS doesn't support a client cert.
>>> Please refer to
>>>
>>> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>>>
>>> Is there any workaround to use the public cert list provided by AWS?
>>> Has anyone successfully used RDS with SSL connections? Thanks!
>>>
>>> On Tue, Sep 13, 2022 at 9:54 PM Bogdan-Andrei Iancu <bogdan at opensips.org>
>>> wrote:
>>>
>>>> Set the certificate and key you have in the tls_mgm module, for the
>>>> "certificate" and "private_key" parameters.
>>>>
>>>> Regards,
>>>>
>>>> Bogdan-Andrei Iancu
>>>>
>>>> OpenSIPS Founder and Developer
>>>>   https://www.opensips-solutions.com
>>>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>>>   https://www.opensips.org/events/Summit-2022Athens/
>>>>
>>>> On 9/13/22 2:57 PM, jacky z wrote:
>>>>
>>>> Hi Bogdan-Andrei,
>>>>
>>>> I tried two methods.
>>>>
>>>> Method 1:
>>>>
>>>> #enabled TLS connection:
>>>> modparam("db_mysql", "use_tls", 1)
>>>>
>>>> #setup a client domain:
>>>> modparam("tls_mgm", "client_domain", "dom1")
>>>> modparam("tls_mgm", "match_ip_address", "[dom1]*")
>>>> modparam("tls_mgm", "match_sip_domain", "[dom1]*")
>>>> modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
>>>> modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
>>>> modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
>>>> modparam("tls_mgm","tls_method", "[dom1]SSLv23")
>>>> modparam("tls_mgm","verify_cert", "[dom1]0")
>>>> modparam("tls_mgm","require_cert", "[dom1]0")
>>>> # set db_url
>>>> modparam("usrloc", "db_url", "mysql://root:1234@<awsrdsaddress>/opensips?tls_domain=dom1")
>>>> ...
>>>>
>>>> I couldn't figure out how to use global-bundle.pem AWS provided with
>>>> this method. No luck to get a connection with RDS. If I don't use ssl,
>>>> opensips can connect to RDS without encryption.
>>>>
>>>> Method 2:
>>>>
>>>> I tried
>>>>
>>>> modparam("usrloc", "db_url", "mysql://root:1234@<awsrdsaddress>/opensips?ssl=true&ssl_ca_certs=/etc/ssl/certs/global-bundle.pem")
>>>>
>>>> to include the AWS cert. Still no luck.
>>>>
>>>> Thanks!
>>>>
>>>> On Tue, Sep 13, 2022 at 4:52 PM Bogdan-Andrei Iancu <
>>>> bogdan at opensips.org> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> sorry for my silly question, but how do you connect from the OpenSIPS
>>>>> side ??
>>>>>
>>>>> Regards,
>>>>>
>>>>> Bogdan-Andrei Iancu
>>>>>
>>>>> OpenSIPS Founder and Developer
>>>>>   https://www.opensips-solutions.com
>>>>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>>>>   https://www.opensips.org/events/Summit-2022Athens/
>>>>>
>>>>> On 9/13/22 10:41 AM, jacky z wrote:
>>>>>
>>>>> Hi Team,
>>>>>
>>>>> We hope to connect to an AWS RDS database with SSL encryption. We have
>>>>> set up a client domain according to the OpenSIPS documents. However, AWS RDS
>>>>> does not support a client cert, as someone has confirmed with AWS:
>>>>> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>>>>>
>>>>> Is there any way to use the cert provided by AWS to connect? AWS
>>>>> provides a global-bundle.pem (
>>>>> https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)
>>>>> for such a connection, but we don't know how to include it in the config
>>>>> file.
>>>>>
>>>>> Thanks
>>>>>
>>>>> Jacky z
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at lists.opensips.org
>>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>>>
>>>>>
>>>>>
>>>>
>>
>
>
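The thread keeps circling one question: does the MySQL/MariaDB side of the connection need a client certificate at all? At the wire level it does not. A MySQL client reads the server's greeting packet, checks the CLIENT_SSL capability bit, sends a short SSLRequest packet, and only then starts a TLS handshake on the same TCP socket. Whether a client certificate is presented, and whether the server certificate is checked against a CA bundle such as global-bundle.pem, are decided inside that TLS handshake, not by any MySQL packet. The following example, added here and not part of the mailing-list thread or of OpenSIPS, parses a constructed Handshake V10 greeting, reports whether TLS is offered, and builds the SSLRequest that precedes the TLS handshake; the sample greeting values (version string, connection id, salt bytes) are made up.

```python
"""In-band TLS switch of the MySQL/MariaDB client protocol (added example).

Constructed sample data only, no network access. Packet layouts follow the
public MySQL client/server protocol: a 4-byte header (3-byte little-endian
length + 1-byte sequence id) in front of every packet body.
"""
import struct

# Capability flag bits shared by client and server.
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800          # server offers / client requests TLS
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000

CHARSET_UTF8MB4 = 45  # utf8mb4_general_ci collation id


def parse_handshake_v10(packet: bytes) -> dict:
    """Parse the server's initial Handshake V10 packet (header included).

    Returns the server version, the full 32-bit capability word and whether
    CLIENT_SSL is set, i.e. whether the server will accept a TLS switch.
    """
    length = int.from_bytes(packet[0:3], "little")
    body = packet[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if body[0] != 10:
        raise ValueError(f"unsupported handshake protocol version {body[0]}")
    nul = body.index(b"\x00", 1)
    server_version = body[1:nul].decode("ascii")
    pos = nul + 1
    connection_id = struct.unpack_from("<I", body, pos)[0]
    pos += 4 + 8 + 1                      # connection id, auth-data part 1, filler
    cap_lower = struct.unpack_from("<H", body, pos)[0]
    charset = body[pos + 2]
    status = struct.unpack_from("<H", body, pos + 3)[0]
    cap_upper = struct.unpack_from("<H", body, pos + 5)[0]
    capabilities = cap_lower | (cap_upper << 16)
    return {
        "sequence": packet[3],
        "server_version": server_version,
        "connection_id": connection_id,
        "charset": charset,
        "status": status,
        "capabilities": capabilities,
        "supports_tls": bool(capabilities & CLIENT_SSL),
    }


def build_ssl_request(server_caps: int, max_packet: int = 16 * 1024 * 1024,
                      charset: int = CHARSET_UTF8MB4) -> bytes:
    """Build the SSLRequest packet (sequence id 1) a 4.1-protocol client sends
    right before it starts the TLS handshake on the same connection.

    Refuses to build it when the server did not advertise CLIENT_SSL: a
    server without TLS answers an SSLRequest with an error, not an upgrade.
    """
    if not server_caps & CLIENT_SSL:
        raise RuntimeError("server does not advertise TLS (CLIENT_SSL clear)")
    client_caps = (CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION
                   | CLIENT_PLUGIN_AUTH)
    # 4 bytes capabilities, 4 bytes max packet size, 1 byte charset, 23 reserved
    body = struct.pack("<IIB", client_caps, max_packet, charset) + b"\x00" * 23
    return len(body).to_bytes(3, "little") + bytes([1]) + body


def make_sample_handshake(with_tls: bool) -> bytes:
    """Constructed sample server greeting (not a capture from RDS or MariaDB)."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
    if with_tls:
        caps |= CLIENT_SSL
    body = bytes([10]) + b"8.0.28\x00"          # protocol 10, version string
    body += struct.pack("<I", 4242)               # connection id (made up)
    body += b"A" * 8 + b"\x00"                    # auth-data part 1 + filler
    body += struct.pack("<H", caps & 0xFFFF)      # capability flags, lower half
    body += bytes([CHARSET_UTF8MB4])
    body += struct.pack("<H", 0x0002)             # SERVER_STATUS_AUTOCOMMIT
    body += struct.pack("<H", caps >> 16)         # capability flags, upper half
    body += bytes([21]) + b"\x00" * 10            # auth-data length, reserved
    body += b"B" * 13 + b"mysql_native_password\x00"
    return len(body).to_bytes(3, "little") + bytes([0]) + body


if __name__ == "__main__":
    for offered in (True, False):
        hs = parse_handshake_v10(make_sample_handshake(offered))
        print(f"server {hs['server_version']} offers TLS: {hs['supports_tls']}")
        try:
            print("SSLRequest:", build_ssl_request(hs["capabilities"]).hex())
        except RuntimeError as err:
            print("no TLS switch possible:", err)
```

Two practical consequences follow from this layout. First, because the TLS switch happens after a plaintext greeting, a plain TLS probe against port 3306 fails; with OpenSSL 1.1.1 or later, `openssl s_client -starttls mysql -connect <host>:3306 -CAfile global-bundle.pem` performs the in-band switch and reports whether the RDS server certificate chains to the bundle, independently of any OpenSIPS module. Second, the bundle only protects the connection if verification is actually enabled: the "server verification NOT activated. Weaker security." notices in the log above are OpenSIPS recording that, with verify_cert set to 0 for that client domain, the server certificate is not checked, so a CA bundle configured alongside it buys nothing until verification is turned back on.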

