Hi Vlad,

Is there any workaround to disable the client cert? Thanks!

On Wed, Sep 14, 2022 at 9:16 PM Vlad Patrascu <vl...@opensips.org> wrote:
> Hi Jacky,
>
> OpenSIPS will always require you to configure a client certificate for TLS
> client domains and will also present that certificate when connecting. But
> normally, a TLS server can simply choose not to verify the client
> certificate. I don't have any experience with AWS RDS though but it seems
> odd to not accept a connection only because the client did present a
> certificate.
>
> Regards,
>
> --
> Vlad Patrascu
> OpenSIPS Core Developer
> http://www.opensips-solutions.com
>
> On 14.09.2022 05:42, jacky z wrote:
>
> Hi Bogdan-Andrei,
>
> I checked the mariadb documentation and found mariadb has two options to
> set ssl connection: two-way TLS and one-way TLS. It seems AWS RDS only
> supports one-way TLS, that is, TLS is used without a client cert. Does
> OPENSIPS support such one-way TLS to connect a database? Thanks!
>
> On Wed, Sep 14, 2022 at 12:06 AM jacky z <zjack0...@gmail.com> wrote:
>
>> Hi Bogdan-Andrei,
>>
>> I have set the "certificate" and "private_key" in my script, as I
>> explained in method 1. However, AWS RDS doesn't support a client cert.
>> Please refer to
>>
>> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>>
>> Is there any workaround to use the public cert list provided by AWS?
>> Has anyone successfully used RDS with SSL connections? Thanks!
>>
>> On Tue, Sep 13, 2022 at 9:54 PM Bogdan-Andrei Iancu <bog...@opensips.org>
>> wrote:
>>
>>> Set the certificate and key you have in the tls_mgm module, for the
>>> "certificate" and "private_key" parameters.
>>>
>>> Regards,
>>>
>>> Bogdan-Andrei Iancu
>>>
>>> OpenSIPS Founder and Developer
>>> https://www.opensips-solutions.com
>>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>> https://www.opensips.org/events/Summit-2022Athens/
>>>
>>> On 9/13/22 2:57 PM, jacky z wrote:
>>>
>>> Hi Bogdan-Andrei,
>>>
>>> I tried two methods.
>>>
>>> Method 1:
>>>
>>> #enabled TLS connection:
>>> modparam("db_mysql", "use_tls", 1)
>>>
>>> #setup a client domain:
>>> modparam("tls_mgm", "client_domain", "dom1")
>>> modparam("tls_mgm", "match_ip_address", "[dom1]*")
>>> modparam("tls_mgm", "match_sip_domain", "[dom1]*")
>>> modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
>>> modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
>>> modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
>>> modparam("tls_mgm","tls_method", "[dom1]SSLv23")
>>> modparam("tls_mgm","verify_cert", "[dom1]0")
>>> modparam("tls_mgm","require_cert", "[dom1]0")
>>> # set db_url
>>> modparam("usrloc", "db_url", "mysql://root:1234@<awsrdsaddress>/opensips?tls_domain=dom1")
>>> ...
>>>
>>> I couldn't figure out how to use global-bundle.pem AWS provided with
>>> this method. No luck to get a connection with RDS. If I don't use ssl,
>>> opensips can connect to RDS without encryption.
>>>
>>> Method 2:
>>>
>>> I tried
>>>
>>> modparam("usrloc", "db_url", "mysql://root:1234@<awsrdsaddress>/opensips?ssl=true&ssl_ca_certs=/etc/ssl/certs/global-bundle.pem")
>>>
>>> to include the AWS cert. Still no luck.
>>>
>>> Thanks!
>>>
>>> On Tue, Sep 13, 2022 at 4:52 PM Bogdan-Andrei Iancu <bog...@opensips.org>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> sorry for my silly question, but how do you connect from the OpenSIPS
>>>> side ??
>>>>
>>>> Regards,
>>>>
>>>> Bogdan-Andrei Iancu
>>>>
>>>> OpenSIPS Founder and Developer
>>>> https://www.opensips-solutions.com
>>>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>>> https://www.opensips.org/events/Summit-2022Athens/
>>>>
>>>> On 9/13/22 10:41 AM, jacky z wrote:
>>>>
>>>> Hi Team,
>>>>
>>>> We hope to connect to aws RDS database with ssl encryption. We have
>>>> setup a client domain according to OPENSIPS documents. However, AWS RDS
>>>> does not support client cert as someone has confirmed with AWS
>>>> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>>>>
>>>> Is there any way to use the cert provided by AWS to connect? AWS
>>>> provides a global-bundle.pem
>>>> (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)
>>>> for such a connection, but we don't know how to include it in the config
>>>> file.
>>>>
>>>> Thanks
>>>>
>>>> Jacky z
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users@lists.opensips.org
>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
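An added example, not from the thread and not OpenSIPS code: a small Python probe showing what one-way TLS means at the MySQL protocol level. It reads the server greeting, checks the CLIENT_SSL capability, sends the SSLRequest packet, and then verifies the server's certificate chain and hostname against the AWS bundle while loading no client certificate at all. The bundle path (taken from Method 2), the host and the port are assumptions.

```python
import socket
import ssl
import struct

CLIENT_SSL = 0x0800              # set by the server if it accepts TLS
CLIENT_PROTOCOL_41, CLIENT_SECURE_CONNECTION = 0x0200, 0x8000
AWS_BUNDLE = "/etc/ssl/certs/global-bundle.pem"   # assumed path, as in Method 2

def parse_greeting(payload: bytes) -> dict:
    """Decode a protocol-10 initial handshake (payload after the 4-byte header)."""
    if payload[0] != 10:
        raise ValueError("unsupported protocol version %d" % payload[0])
    end = payload.index(b"\x00", 1)        # server version string is NUL-terminated
    pos = end + 1
    conn_id = struct.unpack_from("<I", payload, pos)[0]
    pos += 4 + 8 + 1                       # connection id, auth-data part 1, filler
    cap_low = struct.unpack_from("<H", payload, pos)[0]
    pos += 2 + 1 + 2                       # lower capabilities, charset, status flags
    cap_high = struct.unpack_from("<H", payload, pos)[0]
    caps = cap_low | (cap_high << 16)
    return {"version": payload[1:end].decode(), "conn_id": conn_id,
            "capabilities": caps, "ssl": bool(caps & CLIENT_SSL)}

def ssl_request_packet() -> bytes:
    """Build the SSLRequest packet; once sent, the TLS handshake starts on the socket."""
    caps = CLIENT_SSL | CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION
    payload = struct.pack("<IIB", caps, 1 << 24, 45) + b"\x00" * 23   # 45 = utf8mb4
    return len(payload).to_bytes(3, "little") + b"\x01" + payload    # 3-byte len, seq 1

def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during handshake")
        buf += chunk
    return buf

def probe(host: str, port: int = 3306, cafile: str = AWS_BUNDLE) -> dict:
    """Switch to TLS and verify the server certificate; no client certificate is loaded."""
    ctx = ssl.create_default_context(cafile=cafile)   # chain + hostname verification
    with socket.create_connection((host, port), timeout=10) as raw:
        length = int.from_bytes(recv_exact(raw, 4)[:3], "little")
        greeting = parse_greeting(recv_exact(raw, length))
        if not greeting["ssl"]:
            raise RuntimeError("server does not advertise TLS (CLIENT_SSL)")
        raw.sendall(ssl_request_packet())
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"server": greeting["version"], "tls": tls.version(),
                    "issuer": tls.getpeercert()["issuer"]}
```

Calling probe("<awsrdsaddress>") returns the server version, the negotiated TLS version and the certificate issuer, or raises ssl.SSLCertVerificationError if the endpoint's certificate does not validate against the bundle.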