[OpenSIPS-Users] Connect to AWS RDS database with SSL enabled

Bogdan-Andrei Iancu bogdan at opensips.org
Mon Oct 10 12:17:07 UTC 2022


Hi,

That's a really bad example of how to hide trash beneath the carpet :(....

The instructions on how to get a backtrace are simple and clear [1] - 
please consider doing this and helping back the project you are using.

[1] https://www.opensips.org/Documentation/TroubleShooting-Crash

Best regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
   https://www.opensips.org/events/Summit-2022Athens/

On 9/27/22 5:12 AM, jacky z wrote:
> Hi Ovidiu,
>
> I solved this problem by hardcoding the cert address in my_con.c. I guess
> the cert setup in the config file can't be loaded correctly when my_con.c
> calls it.
>
> On Tue, Sep 27, 2022 at 7:34 AM Ovidiu Sas <osas at voipembedded.com> wrote:
>
>     I encountered a crash related to TLS connections and I was wondering
>     if it's a similar issue.
>     It seems not, the crash that I encountered happens only on 3.3.
>
>     If you installed opensips from a package, you need to install
>     opensips-dbg package to get the debug symbols.
>     After that, you can locate the core file on your server and
>     inspect it with gdb.
>     Everything should be detailed here:
>     https://www.opensips.org/Documentation/TroubleShooting-Crash
>
>     -ovidiu
>
>     On Mon, Sep 26, 2022 at 2:54 AM jacky z <zjack0992 at gmail.com> wrote:
>     >
>     > Hi Ovidiu,
>     >
>     > The version I am using is 3.2. I am not familiar with the debug
>     > symbols, but I guess this can be reproduced easily. With
>     > ?tls_domain=dom1 attached after the mysql address, it happens. Can
>     > you simply check if it is the same behavior? If not, I will dig
>     > further by learning how to use the debug symbols. Thanks!
>     >
>     > On Mon, Sep 26, 2022 at 12:30 AM Ovidiu Sas <osas at voipembedded.com> wrote:
>     >>
>     >> Which version of opensips are you using?
>     >> Can you install the debug symbols and get a backtrace from the
>     core file?
>     >> https://www.opensips.org/Documentation/TroubleShooting-Crash
>     >>
>     >> Regards,
>     >> Ovidiu Sas
>     >>
>     >> On Sun, Sep 25, 2022 at 6:32 AM jacky z <zjack0992 at gmail.com> wrote:
>     >> >
>     >> > Hi Vlad,
>     >> >
>     >> > It seems opensips crashed when I set ?tls_domain=dom1 to
>     >> > enable a TLS connection to the MySQL DB. I followed the method in the
>     >> > manual.
>     >> >
>     >> > modparam("usrloc", "db_url",
>     "mysql://root:1234@localhost/opensips?tls_domain=dom1")
>     >> >
>     >> >
>     >> > Here is the log.
>     >> >
>     >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>     INFO:tls_mgm:mod_init: initializing TLS management
>     >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>     INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom'
>     >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>     NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'dom' defined,
>     using default '/etc/pki/CA/'
>     >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>     NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
>     >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>     NOTICE:tls_openssl:openssl_init_tls_dom: No EC curve defined
>     >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>     INFO:tls_openssl:get_ssl_ctx_verify_mode: client verification NOT
>     activated. Weaker security.
>     >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>     INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom1'
>     >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>     NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'dom1' defined,
>     using default '/etc/pki/CA/'
>     >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>     NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
>     >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>     NOTICE:tls_openssl:openssl_init_tls_dom: No EC curve defined
>     >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>     INFO:tls_openssl:get_ssl_ctx_verify_mode: server verification NOT
>     activated. Weaker security.
>     >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>     INFO:proto_tls:mod_init: initializing TLS protocol
>     >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>     INFO:proto_bin:mod_init: initializing BIN protocol
>     >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>     INFO:clusterer:mod_init: Clusterer module - initializing
>     >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
>     CRITICAL:core:sig_usr: segfault in attendant (starter) process!
>     >> > Sep 25 10:14:01 ip-10-100-20-35 kernel: [39023.653243]
>     opensips[4935]: segfault at 0 ip 0000000000000000 sp
>     00007ffececa3d08 error 14 in opensips[558b5bb75000+1c000]
>     >> > Sep 25 10:14:01 ip-10-100-20-35 kernel: [39023.666503] Code:
>     Bad RIP value.
>     >> > Sep 25 10:14:01 ip-10-100-20-35 opensips:
>     INFO:core:daemonize: pre-daemon process exiting with -1
>     >> >
>     >> > and my client domain settings
>     >> >
>     >> > #client domain
>     >> > modparam("tls_mgm", "client_domain", "dom1")
>     >> > modparam("tls_mgm", "match_ip_address", "[dom1]*")
>     >> > modparam("tls_mgm", "match_sip_domain", "[dom1]*")
>     >> > modparam("tls_mgm","certificate",
>     "[dom1]/etc/ssl/certs/rootCACert.pem")
>     >> > modparam("tls_mgm","private_key",
>     "[dom1]/etc/ssl/private/rootCAKey.pem")
>     >> > modparam("tls_mgm","ca_list",
>     "[dom1]/etc/ssl/certs/rootCACert.pem")
>     >> > modparam("tls_mgm","tls_method", "[dom1]SSLv23")
>     >> > modparam("tls_mgm","verify_cert", "[dom1]0")
>     >> > modparam("tls_mgm","require_cert", "[dom1]0")
>     >> >
>     >> > It is expected to see some other errors, such as an invalid cert,
>     >> > but not a crash in the pre-daemon process. Any clue on this for me to
>     >> > debug? If I remove "?tls_domain=dom1", there is no such crash,
>     >> > though the opensips server still couldn't start because I forced
>     >> > the mysql db to use an SSL connection. Thanks!
>     >> >
>     >> > On Mon, Sep 19, 2022 at 9:09 PM Vlad Patrascu <vladp at opensips.org> wrote:
>     >> >>
>     >> >> Hi Jacky,
>     >> >>
>     >> >> I can't think of any workaround unfortunately.
>     >> >>
>     >> >> Regards,
>     >> >>
>     >> >> --
>     >> >> Vlad Patrascu
>     >> >> OpenSIPS Core Developer
>     >> >> http://www.opensips-solutions.com
>     >> >>
>     >> >> On 17.09.2022 18:46, jacky z wrote:
>     >> >>
>     >> >> Hi  Vlad,
>     >> >>
>     >> >> Is there any workaround to disable the client cert? Thanks!
>     >> >>
>     >> >> On Wed, Sep 14, 2022 at 9:16 PM Vlad Patrascu <vladp at opensips.org> wrote:
>     >> >>>
>     >> >>> Hi Jacky,
>     >> >>>
>     >> >>> OpenSIPS will always require you to configure a client
>     certificate for TLS client domains and will also present that
>     certificate when connecting. But normally, a TLS server can simply
>     choose not to verify the client certificate. I don't have any
>     experience with AWS RDS though but it seems odd to not accept a
>     connection only because the client did present a certificate.
>     >> >>>
>     >> >>> Regards,
>     >> >>>
>     >> >>> --
>     >> >>> Vlad Patrascu
>     >> >>> OpenSIPS Core Developer
>     >> >>> http://www.opensips-solutions.com
>     >> >>>
>     >> >>> On 14.09.2022 05:42, jacky z wrote:
>     >> >>>
>     >> >>> Hi Bogdan-Andrei,
>     >> >>>
>     >> >>> I checked the mariadb documentation and found mariadb has
>     >> >>> two options to set an SSL connection: two-way TLS and one-way TLS. It
>     >> >>> seems AWS RDS only supports one-way TLS, that is, TLS is used
>     >> >>> without a client cert. Does OpenSIPS support such one-way TLS to
>     >> >>> connect to a database? Thanks!
>     >> >>>
>     >> >>> On Wed, Sep 14, 2022 at 12:06 AM jacky z <zjack0992 at gmail.com> wrote:
>     >> >>>>
>     >> >>>> Hi Bogdan-Andrei,
>     >> >>>>
>     >> >>>> I have set the "certificate" and "private_key" in my
>     script, as I explained in method 1. However, AWS RDS doesn't
>     support a client cert. Please refer to
>     >> >>>>
>     >> >>>> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>     >> >>>>
>     >> >>>> Is there any workaround to use the public cert list
>     provided by AWS? Anyone has successfully used RDS with SSL
>     connections? Thanks!
>     >> >>>>
>     >> >>>> On Tue, Sep 13, 2022 at 9:54 PM Bogdan-Andrei Iancu <bogdan at opensips.org> wrote:
>     >> >>>>>
>     >> >>>>> Set the certificate and key you have in the tls_mgm
>     module, for the "certificate" and "private_key" parameters.
>     >> >>>>>
>     >> >>>>> Regards,
>     >> >>>>>
>     >> >>>>> Bogdan-Andrei Iancu
>     >> >>>>>
>     >> >>>>> OpenSIPS Founder and Developer
>     >> >>>>> https://www.opensips-solutions.com
>     >> >>>>> OpenSIPS Summit 27-30 Sept 2022, Athens
>     >> >>>>> https://www.opensips.org/events/Summit-2022Athens/
>     >> >>>>>
>     >> >>>>> On 9/13/22 2:57 PM, jacky z wrote:
>     >> >>>>>
>     >> >>>>> Hi Bogdan-Andrei,
>     >> >>>>>
>     >> >>>>> I tried two methods.
>     >> >>>>>
>     >> >>>>> Method 1:
>     >> >>>>>
>     >> >>>>> #enabled TLS connection:
>     >> >>>>> modparam("db_mysql", "use_tls", 1)
>     >> >>>>>
>     >> >>>>> #setup a client domain:
>     >> >>>>> modparam("tls_mgm", "client_domain", "dom1")
>     >> >>>>> modparam("tls_mgm", "match_ip_address", "[dom1]*")
>     >> >>>>> modparam("tls_mgm", "match_sip_domain", "[dom1]*")
>     >> >>>>> modparam("tls_mgm","certificate",
>     "[dom1]/etc/ssl/certs/rootCACert.pem")
>     >> >>>>> modparam("tls_mgm","private_key",
>     "[dom1]/etc/ssl/private/rootCAKey.pem")
>     >> >>>>> modparam("tls_mgm","ca_list",
>     "[dom1]/etc/ssl/certs/rootCACert.pem")
>     >> >>>>> modparam("tls_mgm","tls_method", "[dom1]SSLv23")
>     >> >>>>> modparam("tls_mgm","verify_cert", "[dom1]0")
>     >> >>>>> modparam("tls_mgm","require_cert", "[dom1]0")
>     >> >>>>> # set db_url
>     >> >>>>> modparam("usrloc", "db_url",
>     "mysql://root:1234@<awsrdsaddress>/opensips?tls_domain=dom1")
>     >> >>>>> ...
>     >> >>>>>
>     >> >>>>> I couldn't figure out how to use the global-bundle.pem AWS
>     >> >>>>> provided with this method. No luck getting a connection with RDS.
>     >> >>>>> If I don't use SSL, opensips can connect to RDS without encryption.
>     >> >>>>>
>     >> >>>>> Method 2:
>     >> >>>>>
>     >> >>>>> I tried
>     >> >>>>>
>     >> >>>>> modparam("usrloc", "db_url",
>     "mysql://root:1234@<awsrdsaddress>/opensips?ssl=true&ssl_ca_certs=/etc/ssl/certs/global-bundle.pem")
>     >> >>>>>
>     >> >>>>> to include the AWS cert. Still no luck.
>     >> >>>>>
>     >> >>>>> Thanks!
>     >> >>>>>
>     >> >>>>> On Tue, Sep 13, 2022 at 4:52 PM Bogdan-Andrei Iancu <bogdan at opensips.org> wrote:
>     >> >>>>>>
>     >> >>>>>> Hi,
>     >> >>>>>>
>     >> >>>>>> Sorry for my silly question, but how do you connect from
>     >> >>>>>> the OpenSIPS side?
>     >> >>>>>>
>     >> >>>>>> Regards,
>     >> >>>>>>
>     >> >>>>>> Bogdan-Andrei Iancu
>     >> >>>>>>
>     >> >>>>>> OpenSIPS Founder and Developer
>     >> >>>>>> https://www.opensips-solutions.com
>     >> >>>>>> OpenSIPS Summit 27-30 Sept 2022, Athens
>     >> >>>>>> https://www.opensips.org/events/Summit-2022Athens/
>     >> >>>>>>
>     >> >>>>>> On 9/13/22 10:41 AM, jacky z wrote:
>     >> >>>>>>
>     >> >>>>>> Hi Team,
>     >> >>>>>>
>     >> >>>>>> We hope to connect to an AWS RDS database with SSL
>     >> >>>>>> encryption. We have set up a client domain according to the OpenSIPS
>     >> >>>>>> documents. However, AWS RDS does not support a client cert, as
>     >> >>>>>> someone has confirmed with AWS:
>     >> >>>>>> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>     >> >>>>>>
>     >> >>>>>> Is there any way to use the cert provided by AWS to
>     >> >>>>>> connect? AWS provides a global-bundle.pem
>     >> >>>>>> (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)
>     >> >>>>>> for such a connection, but we don't know how to include it in the
>     >> >>>>>> config file.
>     >> >>>>>>
>     >> >>>>>> Thanks
>     >> >>>>>>
>     >> >>>>>> Jacky z
>     >> >>>>>>
>     >> >>>>>> _______________________________________________
>     >> >>>>>> Users mailing list
>     >> >>>>>> Users at lists.opensips.org
>     >> >>>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>     <http://lists.opensips.org/cgi-bin/mailman/listinfo/users>
>     >> >>>>>>
>     >> >>>>>>
>     >> >>>>>
>     >> >>>
>     >> >>
>     >> >>
>     >> >
>     >>
>     >>
>     >>
>     >> --
>     >> VoIP Embedded, Inc.
>     >> http://www.voipembedded.com
>     >>
>     >
>
>
>
>     -- 
>     VoIP Embedded, Inc.
>     http://www.voipembedded.com
>
>
>
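As an added example (not code from this thread or from the OpenSIPS project), the Python script below parses the tls_mgm client-domain fragment Jacky posted and flags the settings behind the "server verification NOT activated. Weaker security." line in his log: with verify_cert set to 0 the connection to RDS is encrypted but the server is never authenticated, and with ca_list pointing at the same self-signed rootCACert.pem that is used as the client certificate, verification could not succeed anyway. It also lints a hardened variant that points ca_list at the AWS global-bundle.pem and enables verify_cert. The file paths in that variant, TLSv1_2 as a tls_method value, and the cross-check that the db_url's tls_domain names a defined client_domain are assumptions of this example; the parameter names and the "[domain]value" prefix syntax are the ones used in the thread.

```python
# Lint an OpenSIPS tls_mgm client-domain fragment for the weaknesses behind the
# "server verification NOT activated. Weaker security." line in the thread's log.
# Added example, not code from the thread or the OpenSIPS project. Parameter
# names and the "[domain]value" prefix are as used in the thread; the hardened
# file paths and TLSv1_2 as a tls_method value are assumptions.
import re

MODPARAM_RE = re.compile(
    r'modparam\(\s*"(?P<mod>\w+)"\s*,\s*"(?P<param>\w+)"\s*,\s*'
    r'(?:"(?P<str>[^"]*)"|(?P<num>\d+))\s*\)')
DOMAIN_RE = re.compile(r'^\[(?P<dom>[^\]]+)\](?P<val>.*)$')
TLS_DOMAIN_RE = re.compile(r'[?&]tls_domain=([^&"]+)')

# Constructed sample: the client-domain fragment posted in the thread.
WEAK_CONFIG = '''
modparam("db_mysql", "use_tls", 1)
modparam("tls_mgm", "client_domain", "dom1")
modparam("tls_mgm", "match_ip_address", "[dom1]*")
modparam("tls_mgm", "match_sip_domain", "[dom1]*")
modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm","tls_method", "[dom1]SSLv23")
modparam("tls_mgm","verify_cert", "[dom1]0")
modparam("tls_mgm","require_cert", "[dom1]0")
modparam("usrloc", "db_url", "mysql://root:1234@<awsrdsaddress>/opensips?tls_domain=dom1")
'''

# Hardened variant (assumed paths): trust the AWS bundle, verify the server and
# pin a minimum version. A client cert stays only because OpenSIPS requires one
# for client domains (per Vlad's reply); RDS does not use it.
HARDENED_CONFIG = '''
modparam("db_mysql", "use_tls", 1)
modparam("tls_mgm", "client_domain", "dom1")
modparam("tls_mgm", "match_ip_address", "[dom1]*")
modparam("tls_mgm", "match_sip_domain", "[dom1]*")
modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/opensips-client.pem")
modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/opensips-client.key")
modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/global-bundle.pem")
modparam("tls_mgm","tls_method", "[dom1]TLSv1_2")
modparam("tls_mgm","verify_cert", "[dom1]1")
modparam("tls_mgm","require_cert", "[dom1]0")
modparam("usrloc", "db_url", "mysql://opensips:<password>@<awsrdsaddress>/opensips?tls_domain=dom1")
'''


def parse_config(text):
    """Return ({domain: {param: value}}, [db_url, ...]) from modparam lines.

    tls_mgm values may carry a "[domain]" prefix; values without one are
    stored under the pseudo-domain "" (global defaults).
    """
    domains, db_urls = {}, []
    for m in MODPARAM_RE.finditer(text):
        value = m.group("str") if m.group("str") is not None else m.group("num")
        if m.group("param") == "db_url":
            db_urls.append(value)
        elif m.group("mod") == "tls_mgm" and m.group("param") == "client_domain":
            domains.setdefault(value, {})["_role"] = "client"
        elif m.group("mod") == "tls_mgm":
            dm = DOMAIN_RE.match(value)
            dom, val = (dm.group("dom"), dm.group("val")) if dm else ("", value)
            domains.setdefault(dom, {})[m.group("param")] = val
    return domains, db_urls


def lint(text):
    """Return [(domain, code, message)] for each client domain; [] means clean."""
    domains, db_urls = parse_config(text)
    findings = []
    for dom, p in domains.items():
        if p.get("_role") != "client":
            continue
        if p.get("verify_cert") != "1":
            findings.append((dom, "NO_SERVER_VERIFY",
                             "verify_cert is not 1: the DB server's cert is never checked, "
                             "so the session is encrypted but not authenticated"))
        if "ca_list" not in p:
            findings.append((dom, "NO_CA_LIST",
                             "ca_list missing: nothing to verify the server chain against"))
        elif p["ca_list"] == p.get("certificate"):
            findings.append((dom, "CA_IS_CLIENT_CERT",
                             "ca_list is the same file as certificate: only a peer presenting "
                             "that exact self-signed cert would verify; point it at the bundle "
                             "that issued the server cert (global-bundle.pem for RDS)"))
        if p.get("tls_method", "SSLv23") == "SSLv23":  # SSLv23 is the module default
            findings.append((dom, "LEGACY_METHOD",
                             "tls_method SSLv23 lets the library pick the version; pin a "
                             "minimum such as TLSv1_2"))
    for url in db_urls:
        for ref in TLS_DOMAIN_RE.findall(url):
            if domains.get(ref, {}).get("_role") != "client":
                findings.append((ref, "UNKNOWN_TLS_DOMAIN",
                                 "db_url references tls_domain=%s but no such "
                                 "client_domain is defined" % ref))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", [c for _, c, _ in lint(cfg)] or "clean")
```

Run directly, it prints the finding codes for both fragments: the posted one reports NO_SERVER_VERIFY, CA_IS_CLIENT_CERT and LEGACY_METHOD, the hardened one is clean. The linter only reads the config text; whether the AWS bundle actually validates the RDS endpoint still has to be confirmed at connect time, where OpenSIPS logs "server verification NOT activated" only when verify_cert is off.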


