[OpenSIPS-Users] Connect to AWS RDS database with SSL enabled

jacky z zjack0992 at gmail.com
Mon Sep 26 06:11:42 UTC 2022


Hi Ovidiu,

The version I am using is 3.2. I am not familiar with the debug symbols,
but I guess this can be reproduced easily. With ?tls_domain=dom1 attached
after the mysql address, it happens. Can you simply check if it is the same
behavior? If not, I will dig further by learning how to use the debug
symbols. Thanks!

On Mon, Sep 26, 2022 at 12:30 AM Ovidiu Sas <osas at voipembedded.com> wrote:

> Which version of opensips are you using?
> Can you install the debug symbols and get a backtrace from the core file?
> https://www.opensips.org/Documentation/TroubleShooting-Crash
>
> Regards,
> Ovidiu Sas
>
> On Sun, Sep 25, 2022 at 6:32 AM jacky z <zjack0992 at gmail.com> wrote:
> >
> > Hi Vlad,
> >
> > It seems OpenSIPS crashed when I set ?tls_domain=dom1 to enable a TLS
> > connection to the MySQL DB. I followed the method in the manual.
> >
> > modparam("usrloc", "db_url", "mysql://root:1234@localhost/opensips?tls_domain=dom1")
> >
> >
> > Here is the log.
> >
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:tls_mgm:mod_init: initializing TLS management
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom'
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'dom' defined, using default '/etc/pki/CA/'
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: NOTICE:tls_openssl:openssl_init_tls_dom: No EC curve defined
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:tls_openssl:get_ssl_ctx_verify_mode: client verification NOT activated. Weaker security.
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom1'
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'dom1' defined, using default '/etc/pki/CA/'
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: NOTICE:tls_openssl:openssl_init_tls_dom: No EC curve defined
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:tls_openssl:get_ssl_ctx_verify_mode: server verification NOT activated. Weaker security.
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:proto_tls:mod_init: initializing TLS protocol
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:proto_bin:mod_init: initializing BIN protocol
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: INFO:clusterer:mod_init: Clusterer module - initializing
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: CRITICAL:core:sig_usr: segfault in attendant (starter) process!
> > Sep 25 10:14:01 ip-10-100-20-35 kernel: [39023.653243] opensips[4935]: segfault at 0 ip 0000000000000000 sp 00007ffececa3d08 error 14 in opensips[558b5bb75000+1c000]
> > Sep 25 10:14:01 ip-10-100-20-35 kernel: [39023.666503] Code: Bad RIP value.
> > Sep 25 10:14:01 ip-10-100-20-35 opensips: INFO:core:daemonize: pre-daemon process exiting with -1
> >
> > and my client domain settings
> >
> > #client domain
> > modparam("tls_mgm", "client_domain", "dom1")
> > modparam("tls_mgm", "match_ip_address", "[dom1]*")
> > modparam("tls_mgm", "match_sip_domain", "[dom1]*")
> > modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
> > modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
> > modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
> > modparam("tls_mgm","tls_method", "[dom1]SSLv23")
> > modparam("tls_mgm","verify_cert", "[dom1]0")
> > modparam("tls_mgm","require_cert", "[dom1]0")
> >
> > It is expected to see some other errors such as an invalid cert, but not a
> > crash in the pre-daemon process. Any clue on this for me to debug? If I remove
> > "?tls_domain=dom1", there is no such crash, though the OpenSIPS server still
> > couldn't start because I forced the MySQL DB to use an SSL connection. Thanks!
> >
> > On Mon, Sep 19, 2022 at 9:09 PM Vlad Patrascu <vladp at opensips.org> wrote:
> >>
> >> Hi Jacky,
> >>
> >> I can't think of any workaround unfortunately.
> >>
> >> Regards,
> >>
> >> --
> >> Vlad Patrascu
> >> OpenSIPS Core Developer
> >> http://www.opensips-solutions.com
> >>
> >> On 17.09.2022 18:46, jacky z wrote:
> >>
> >> Hi Vlad,
> >>
> >> Is there any workaround to disable the client cert? Thanks!
> >>
> >> On Wed, Sep 14, 2022 at 9:16 PM Vlad Patrascu <vladp at opensips.org> wrote:
> >>>
> >>> Hi Jacky,
> >>>
> >>> OpenSIPS will always require you to configure a client certificate for
> >>> TLS client domains and will also present that certificate when connecting.
> >>> But normally, a TLS server can simply choose not to verify the client
> >>> certificate. I don't have any experience with AWS RDS though, but it seems
> >>> odd to not accept a connection only because the client did present a
> >>> certificate.
> >>>
> >>> Regards,
> >>>
> >>> --
> >>> Vlad Patrascu
> >>> OpenSIPS Core Developer
> >>> http://www.opensips-solutions.com
> >>>
> >>> On 14.09.2022 05:42, jacky z wrote:
> >>>
> >>> Hi Bogdan-Andrei,
> >>>
> >>> I checked the MariaDB documentation and found MariaDB has two options
> >>> to set up an SSL connection: two-way TLS and one-way TLS. It seems AWS RDS only
> >>> supports one-way TLS, that is, TLS is used without a client cert. Does
> >>> OpenSIPS support such one-way TLS to connect to a database? Thanks!
> >>>
> >>> On Wed, Sep 14, 2022 at 12:06 AM jacky z <zjack0992 at gmail.com> wrote:
> >>>>
> >>>> Hi Bogdan-Andrei,
> >>>>
> >>>> I have set the "certificate" and "private_key" in my script, as I
> >>>> explained in method 1. However, AWS RDS doesn't support a client cert.
> >>>> Please refer to
> >>>>
> >>>> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
> >>>>
> >>>> Is there any workaround to use the public cert list provided by AWS?
> >>>> Has anyone successfully used RDS with SSL connections? Thanks!
> >>>>
> >>>> On Tue, Sep 13, 2022 at 9:54 PM Bogdan-Andrei Iancu <bogdan at opensips.org> wrote:
> >>>>>
> >>>>> Set the certificate and key you have in the tls_mgm module, for the
> "certificate" and "private_key" parameters.
> >>>>>
> >>>>> Regards,
> >>>>>
> >>>>> Bogdan-Andrei Iancu
> >>>>>
> >>>>> OpenSIPS Founder and Developer
> >>>>>   https://www.opensips-solutions.com
> >>>>> OpenSIPS Summit 27-30 Sept 2022, Athens
> >>>>>   https://www.opensips.org/events/Summit-2022Athens/
> >>>>>
> >>>>> On 9/13/22 2:57 PM, jacky z wrote:
> >>>>>
> >>>>> Hi Bogdan-Andrei,
> >>>>>
> >>>>> I tried two methods.
> >>>>>
> >>>>> Method 1:
> >>>>>
> >>>>> #enabled TLS connection:
> >>>>> modparam("db_mysql", "use_tls", 1)
> >>>>>
> >>>>> #setup a client domain:
> >>>>> modparam("tls_mgm", "client_domain", "dom1")
> >>>>> modparam("tls_mgm", "match_ip_address", "[dom1]*")
> >>>>> modparam("tls_mgm", "match_sip_domain", "[dom1]*")
> >>>>> modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
> >>>>> modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
> >>>>> modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
> >>>>> modparam("tls_mgm","tls_method", "[dom1]SSLv23")
> >>>>> modparam("tls_mgm","verify_cert", "[dom1]0")
> >>>>> modparam("tls_mgm","require_cert", "[dom1]0")
> >>>>> # set db_url
> >>>>> modparam("usrloc", "db_url", "mysql://root:1234@<awsrdsaddress>/opensips?tls_domain=dom1")
> >>>>> ...
> >>>>>
> >>>>> I couldn't figure out how to use the global-bundle.pem AWS provided with
> >>>>> this method. No luck getting a connection with RDS. If I don't use SSL,
> >>>>> OpenSIPS can connect to RDS without encryption.
> >>>>>
> >>>>> Method 2:
> >>>>>
> >>>>> I tried
> >>>>>
> >>>>> modparam("usrloc", "db_url", "mysql://root:1234@<awsrdsaddress>/opensips?ssl=true&ssl_ca_certs=/etc/ssl/certs/global-bundle.pem")
> >>>>>
> >>>>> to include the AWS cert. Still no luck.
> >>>>>
> >>>>> Thanks!
> >>>>>
> >>>>> On Tue, Sep 13, 2022 at 4:52 PM Bogdan-Andrei Iancu <bogdan at opensips.org> wrote:
> >>>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>> Sorry for my silly question, but how do you connect from the
> >>>>>> OpenSIPS side?
> >>>>>>
> >>>>>> Regards,
> >>>>>>
> >>>>>> Bogdan-Andrei Iancu
> >>>>>>
> >>>>>> OpenSIPS Founder and Developer
> >>>>>>   https://www.opensips-solutions.com
> >>>>>> OpenSIPS Summit 27-30 Sept 2022, Athens
> >>>>>>   https://www.opensips.org/events/Summit-2022Athens/
> >>>>>>
> >>>>>> On 9/13/22 10:41 AM, jacky z wrote:
> >>>>>>
> >>>>>> Hi Team,
> >>>>>>
> >>>>>> We hope to connect to an AWS RDS database with SSL encryption. We have
> >>>>>> set up a client domain according to the OpenSIPS documents. However, AWS RDS
> >>>>>> does not support a client cert, as someone has confirmed with AWS:
> >>>>>> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
> >>>>>>
> >>>>>> Is there any way to use the cert provided by AWS to connect? AWS
> >>>>>> provides a global-bundle.pem (
> >>>>>> https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)
> >>>>>> for such a connection, but we don't know how to include it in the config
> >>>>>> file.
> >>>>>>
> >>>>>> Thanks
> >>>>>>
> >>>>>> Jacky z
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> Users mailing list
> >>>>>> Users at lists.opensips.org
> >>>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >>>>>>
> >>>>>>
> >>>>>
> >>>
> >>
> >>
> >
>
>
>
> --
> VoIP Embedded, Inc.
> http://www.voipembedded.com
>
>
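Added here as an editor's example, not code from any message in this thread and not part of OpenSIPS: a small audit of the tls_mgm client-domain settings that the db_url entries above point at. The two things the log itself flags ("server verification NOT activated. Weaker security.") and that the thread keeps circling around (whether the AWS global-bundle.pem is referenced at all, and whether the tls_domain named in db_url is actually a configured client domain) are exactly what a reviewer would want to check before blaming RDS. The parser only understands modparam lines in the form used on this thread, tls_mgm defaults are not modelled (only an explicit "0" is flagged), the filesystem is replaced by a set of paths so it runs offline, and both sample configs are constructed. The hardened sample is merely what the check accepts: whether RDS then completes the handshake is the open question of the thread and is not settled here.

```python
"""Audit OpenSIPS tls_mgm client domains referenced by db_url (constructed example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Simplified modparam grammar: the exact spacing variants seen on the thread, nothing more.
TLS_MGM_RE = re.compile(r'^\s*modparam\(\s*"tls_mgm"\s*,\s*"(\w+)"\s*,\s*"([^"]*)"\s*\)')
DB_URL_RE = re.compile(r'^\s*modparam\(\s*"(\w+)"\s*,\s*"db_url"\s*,\s*"([^"]*)"\s*\)')
USE_TLS_RE = re.compile(r'^\s*modparam\(\s*"db_mysql"\s*,\s*"use_tls"\s*,\s*(\d+)\s*\)')
DOMAIN_PREFIX_RE = re.compile(r'^\[(\w+)\](.*)$')  # "[dom1]value" -> ("dom1", "value")


def parse_config(text):
    """Return (domains, db_urls, use_tls): tls_mgm params per domain, (module, url) pairs, db_mysql use_tls."""
    domains, db_urls, use_tls = {}, [], None
    for line in text.splitlines():
        m = TLS_MGM_RE.match(line)
        if m:
            param, value = m.groups()
            if param in ("client_domain", "server_domain"):
                domains.setdefault(value, {})["_role"] = param.split("_")[0]
            else:
                dm = DOMAIN_PREFIX_RE.match(value)
                if dm:
                    dom, val = dm.groups()
                    domains.setdefault(dom, {})[param] = val
            continue
        m = DB_URL_RE.match(line)
        if m:
            db_urls.append(m.groups())
            continue
        m = USE_TLS_RE.match(line)
        if m:
            use_tls = m.group(1)
    return domains, db_urls, use_tls


def audit(text, existing_files=frozenset()):
    """Return a list of findings. existing_files stands in for the filesystem (assumption: offline run)."""
    domains, db_urls, use_tls = parse_config(text)
    findings = []
    for dom, p in domains.items():
        if p.get("_role") != "client":
            continue  # only client domains are used for outgoing DB connections
        if p.get("verify_cert") == "0":
            findings.append(f"{dom}: verify_cert=0, the server certificate is never checked "
                            "(this is the log's 'server verification NOT activated')")
        ca = p.get("ca_list")
        if ca is None:
            findings.append(f"{dom}: no ca_list, the database server's CA bundle is not referenced")
        elif ca not in existing_files:
            findings.append(f"{dom}: ca_list {ca} does not exist")
    for mod, url in db_urls:
        parts = urlsplit(url)
        dom = parse_qs(parts.query).get("tls_domain", [None])[0]
        if dom is None:
            if parts.scheme == "mysql":
                findings.append(f"{mod}: db_url has no tls_domain, no TLS client domain applies to it")
            continue
        if domains.get(dom, {}).get("_role") != "client":
            findings.append(f"{mod}: db_url references tls_domain '{dom}', which is not a tls_mgm client_domain")
        if parts.scheme == "mysql" and use_tls != "1":
            findings.append(f"{mod}: db_url asks for a TLS domain but db_mysql use_tls is not 1")
    return findings


# Constructed sample 1: the settings from the thread, with server verification switched off.
WEAK_CONFIG = """
modparam("db_mysql", "use_tls", 1)
modparam("tls_mgm", "client_domain", "dom1")
modparam("tls_mgm", "match_ip_address", "[dom1]*")
modparam("tls_mgm", "match_sip_domain", "[dom1]*")
modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm","tls_method", "[dom1]SSLv23")
modparam("tls_mgm","verify_cert", "[dom1]0")
modparam("tls_mgm","require_cert", "[dom1]0")
modparam("usrloc", "db_url", "mysql://root:1234@rds-host.example/opensips?tls_domain=dom1")
"""
WEAK_FILES = frozenset({"/etc/ssl/certs/rootCACert.pem"})

# Constructed sample 2: verification left on and ca_list pointing at the AWS bundle (hypothetical paths).
HARDENED_CONFIG = """
modparam("db_mysql", "use_tls", 1)
modparam("tls_mgm", "client_domain", "rds")
modparam("tls_mgm", "match_ip_address", "[rds]*")
modparam("tls_mgm", "match_sip_domain", "[rds]*")
modparam("tls_mgm", "certificate", "[rds]/etc/opensips/tls/client-cert.pem")
modparam("tls_mgm", "private_key", "[rds]/etc/opensips/tls/client-key.pem")
modparam("tls_mgm", "ca_list", "[rds]/etc/ssl/certs/global-bundle.pem")
modparam("tls_mgm", "verify_cert", "[rds]1")
modparam("usrloc", "db_url", "mysql://opensips:secret@rds-host.example/opensips?tls_domain=rds")
"""
HARDENED_FILES = frozenset({"/etc/ssl/certs/global-bundle.pem"})

if __name__ == "__main__":
    for name, cfg, files in (("weak", WEAK_CONFIG, WEAK_FILES), ("hardened", HARDENED_CONFIG, HARDENED_FILES)):
        print(name, audit(cfg, files) or ["no findings"])
```

Run it as a script to see the one finding on the weak sample and none on the hardened one; in practice you would feed it the real opensips.cfg and pass the paths that exist on the host, which is where a missing or wrong ca_list shows up before any connection is attempted.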