Hi Jacky,
OpenSIPS will always require you to configure a client certificate for
TLS client domains and will also present that certificate when
connecting. But normally, a TLS server can simply choose not to verify
the client certificate. I don't have any experience with AWS RDS though
but it seems odd to not accept a connection only because the client did
present a certificate.
Regards,
--
Vlad Patrascu
OpenSIPS Core Developer
http://www.opensips-solutions.com
On 14.09.2022 05:42, jacky z wrote:
Hi Bogdan-Andrei,
I checked the MariaDB documentation and found MariaDB has two options
to set up an SSL connection: two-way TLS and one-way TLS. It seems AWS RDS
only supports one-way TLS, that is, TLS is used without a client cert.
Does OpenSIPS support such one-way TLS to connect to a database? Thanks!
On Wed, Sep 14, 2022 at 12:06 AM jacky z <[email protected]> wrote:
Hi Bogdan-Andrei,
I have set the "certificate" and "private_key" in my script, as I
explained in method 1. However, AWS RDS doesn't support a client
cert. Please refer to
https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
Is there any workaround to use the public cert list provided by
AWS? Has anyone successfully used RDS with SSL connections? Thanks!
On Tue, Sep 13, 2022 at 9:54 PM Bogdan-Andrei Iancu
<[email protected]> wrote:
Set the certificate and key you have in the tls_mgm module,
for the "certificate" and "private_key" parameters.
Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
https://www.opensips.org/events/Summit-2022Athens/
On 9/13/22 2:57 PM, jacky z wrote:
Hi Bogdan-Andrei,
I tried two methods.
Method 1:
# enable TLS connection:
modparam("db_mysql", "use_tls", 1)
# set up a client domain:
modparam("tls_mgm", "client_domain", "dom1")
modparam("tls_mgm", "match_ip_address", "[dom1]*")
modparam("tls_mgm", "match_sip_domain", "[dom1]*")
modparam("tls_mgm", "certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm", "private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
modparam("tls_mgm", "ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm", "tls_method", "[dom1]SSLv23")
modparam("tls_mgm", "verify_cert", "[dom1]0")
modparam("tls_mgm", "require_cert", "[dom1]0")
# set db_url (TLS domain selected via the tls_domain query parameter)
modparam("usrloc", "db_url", "mysql://root:1234@<awsrdsaddress>/opensips?tls_domain=dom1")
...
I couldn't figure out how to use the global-bundle.pem AWS
provides with this method. No luck getting a connection with
RDS. If I don't use SSL, OpenSIPS can connect to RDS without
encryption.
Method 2:
I tried
modparam("usrloc", "db_url", "mysql://root:1234@<awsrdsaddress>/opensips?ssl=true&ssl_ca_certs=/etc/ssl/certs/global-bundle.pem")
to include the AWS cert. Still no luck.
Thanks!
On Tue, Sep 13, 2022 at 4:52 PM Bogdan-Andrei Iancu
<[email protected]> wrote:
Hi,
Sorry for my silly question, but how do you connect from
the OpenSIPS side?
Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
https://www.opensips.org/events/Summit-2022Athens/
On 9/13/22 10:41 AM, jacky z wrote:
Hi Team,
We hope to connect to an AWS RDS database with SSL
encryption. We have set up a client domain according to the
OpenSIPS documentation. However, AWS RDS does not support a
client cert, as someone has confirmed with AWS:
https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
Is there any way to use the cert provided by AWS to
connect? AWS provides a global-bundle.pem
(https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)
for such a connection, but we don't know how to include
it in the config file.
Thanks
Jacky z
_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
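Added diagnostic, not part of this thread and not OpenSIPS code: it checks the RDS side of the question independently of OpenSIPS, by opening a TLS handshake with openssl s_client (one-way, i.e. without a client certificate) and verifying the server chain and hostname against the AWS bundle; optionally presenting a client certificate shows whether the server really refuses a handshake just because one is offered. It assumes OpenSSL 1.1.1 or newer (for -starttls mysql), MySQL on port 3306, and a placeholder hostname you replace with your own endpoint.

```shell
#!/bin/sh
# One-way TLS probe for a MySQL/RDS endpoint (added example, not from the
# thread). Assumes: openssl >= 1.1.1, port 3306, network access.

# parse_verify_result: read openssl s_client output on stdin and print the
# numeric "Verify return code" (0 = server chain and hostname verified
# against the CA bundle). Prints 255 when no verify line is present at all,
# e.g. the TCP connect or the MySQL STARTTLS step failed.
parse_verify_result() {
    code=$(sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$code" ]; then
        echo 255
    else
        echo "$code"
    fi
}

# rds_tls_probe HOST CA_BUNDLE [CLIENT_CERT CLIENT_KEY]
#   HOST        RDS endpoint hostname (placeholder below; use your own)
#   CA_BUNDLE   e.g. /etc/ssl/certs/global-bundle.pem from AWS
#   CLIENT_CERT/CLIENT_KEY  optional; pass them to test whether the server
#               rejects a handshake merely because a client cert is offered
rds_tls_probe() {
    host=$1; ca=$2; cert=$3; key=$4
    set -- -connect "$host:3306" -starttls mysql \
           -CAfile "$ca" -servername "$host" -verify_hostname "$host"
    if [ -n "$cert" ]; then
        set -- "$@" -cert "$cert" -key "$key"
    fi
    # s_client reads stdin; give it EOF so it exits right after the handshake
    openssl s_client "$@" </dev/null 2>&1 | parse_verify_result
}

# usage (hostname is a placeholder):
#   rds_tls_probe my-db.xxxxxxxx.us-east-1.rds.amazonaws.com /etc/ssl/certs/global-bundle.pem
#   rds_tls_probe my-db.xxxxxxxx.us-east-1.rds.amazonaws.com /etc/ssl/certs/global-bundle.pem \
#                 /etc/ssl/certs/client.pem /etc/ssl/private/client.key
```

A result of 0 without a client certificate means the endpoint does one-way TLS and the AWS bundle is the right ca_list; a non-zero code is the OpenSSL verify error number (for example 20 = unable to get local issuer certificate, 62 = hostname mismatch), which tells you whether to look at the bundle, the hostname, or the connection itself before touching the OpenSIPS config.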