Hi Jacky, I can't think of any workaround unfortunately.

Regards,
--
Vlad Patrascu
OpenSIPS Core Developer
http://www.opensips-solutions.com

On 17.09.2022 18:46, jacky z wrote:

Hi Vlad, Is there any workaround to disable the client cert? Thanks!

On Wed, Sep 14, 2022 at 9:16 PM Vlad Patrascu <[email protected]> wrote:

Hi Jacky, OpenSIPS will always require you to configure a client certificate for TLS client domains and will also present that certificate when connecting. But normally, a TLS server can simply choose not to verify the client certificate. I don't have any experience with AWS RDS though, but it seems odd to not accept a connection only because the client did present a certificate.

Regards,
--
Vlad Patrascu
OpenSIPS Core Developer
http://www.opensips-solutions.com

On 14.09.2022 05:42, jacky z wrote:

Hi Bogdan-Andrei, I checked the MariaDB documentation and found MariaDB has two options to set up an SSL connection: two-way TLS and one-way TLS. It seems AWS RDS only supports one-way TLS, that is, TLS is used without a client cert. Does OpenSIPS support such one-way TLS to connect to a database? Thanks!

On Wed, Sep 14, 2022 at 12:06 AM jacky z <[email protected]> wrote:

Hi Bogdan-Andrei, I have set the "certificate" and "private_key" in my script, as I explained in method 1. However, AWS RDS doesn't support a client cert. Please refer to https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws Is there any workaround to use the public cert list provided by AWS? Has anyone successfully used RDS with SSL connections? Thanks!

On Tue, Sep 13, 2022 at 9:54 PM Bogdan-Andrei Iancu <[email protected]> wrote:

Set the certificate and key you have in the tls_mgm module, for the "certificate" and "private_key" parameters.

Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
https://www.opensips.org/events/Summit-2022Athens/

On 9/13/22 2:57 PM, jacky z wrote:

Hi Bogdan-Andrei, I tried two methods.

Method 1:

    # enable the TLS connection:
    modparam("db_mysql", "use_tls", 1)
    # set up a client domain:
    modparam("tls_mgm", "client_domain", "dom1")
    modparam("tls_mgm", "match_ip_address", "[dom1]*")
    modparam("tls_mgm", "match_sip_domain", "[dom1]*")
    modparam("tls_mgm", "certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
    modparam("tls_mgm", "private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
    modparam("tls_mgm", "ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
    modparam("tls_mgm", "tls_method", "[dom1]SSLv23")
    modparam("tls_mgm", "verify_cert", "[dom1]0")
    modparam("tls_mgm", "require_cert", "[dom1]0")
    # set db_url
    modparam("usrloc", "db_url", "mysql://root:1234@<awsrdsaddress>/opensips?tls_domain=dom1")
    ...

I couldn't figure out how to use the global-bundle.pem AWS provided with this method. No luck getting a connection with RDS. If I don't use SSL, OpenSIPS can connect to RDS without encryption.

Method 2: I tried

    modparam("usrloc", "db_url", "mysql://root:1234@<awsrdsaddress>/opensips?ssl=true&ssl_ca_certs=/etc/ssl/certs/global-bundle.pem")

to include the AWS cert. Still no luck. Thanks!

On Tue, Sep 13, 2022 at 4:52 PM Bogdan-Andrei Iancu <[email protected]> wrote:

Hi, sorry for my silly question, but how do you connect from the OpenSIPS side?

Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
https://www.opensips.org/events/Summit-2022Athens/

On 9/13/22 10:41 AM, jacky z wrote:

Hi Team, We hope to connect to an AWS RDS database with SSL encryption. We have set up a client domain according to the OpenSIPS documents. However, AWS RDS does not support client certs, as someone has confirmed with AWS: https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws Is there any way to use the cert provided by AWS to connect?

AWS provides a global-bundle.pem (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html) for such a connection, but we don't know how to include it in the config file.

Thanks
Jacky z

_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
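The point Vlad makes in this thread, that a client which has a certificate configured only presents it when the server asks for one, as an added example that is not part of the thread or of OpenSIPS: a Go program (assumed names selfSigned and OneWayHandshake, constructed certificates for db.example.test and opensips-client) in which the server side is set to NoClientCert while the client still carries a certificate, with a trust pool standing in for ca_list.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSigned returns a throwaway self-signed certificate for name (constructed test material, not an AWS bundle or OpenSIPS file).
func selfSigned(name string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // generator errors ignored for brevity
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// OneWayHandshake connects a client that has a certificate configured (as tls_mgm requires) to a server set to
// NoClientCert; it returns how many client certificates the server received (0 = one-way TLS, -1 = server-side failure).
func OneWayHandshake() (int, error) {
	srv, cli := selfSigned("db.example.test"), selfSigned("opensips-client")
	pool := x509.NewCertPool() // the client's trust anchors, the role ca_list / a CA bundle plays in OpenSIPS
	leaf, _ := x509.ParseCertificate(srv.Certificate[0])
	pool.AddCert(leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srv}, ClientAuth: tls.NoClientCert})
	if err != nil {
		return -1, err
	}
	defer ln.Close()
	seen := make(chan int, 1)
	go func() { // server side: accept one connection, finish the handshake, count peer certificates
		n := -1
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			if tc := c.(*tls.Conn); tc.Handshake() == nil {
				n = len(tc.ConnectionState().PeerCertificates)
			}
		}
		seen <- n
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: []tls.Certificate{cli}, RootCAs: pool, ServerName: "db.example.test"})
	if err != nil {
		return -1, err
	}
	conn.Close()
	return <-seen, nil
}
```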
