<div dir="ltr"><div>Hi Bogdan-Andrei,</div><div><br></div><div>I checked the MariaDB documentation and found MariaDB has two options to set up an SSL connection: two-way TLS and one-way TLS. It seems AWS RDS only supports one-way TLS, that is, TLS is used without a client cert. Does OpenSIPS support such one-way TLS to connect to a database? Thanks!</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Sep 14, 2022 at 12:06 AM jacky z <<a href="mailto:zjack0992@gmail.com">zjack0992@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">Hi Bogdan-Andrei,<div><br></div><div>I have set<font face="arial, sans-serif"> the "certificate" and "private_key" in my script, as I explained in method 1. However, AWS RDS doesn't support a client cert. Please refer to</font></div><div><a href="https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws" target="_blank">https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws</a><br></div><div><br></div><div>Is there any workaround to use the public cert list provided by AWS? Has anyone successfully used RDS with SSL connections? Thanks!</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Sep 13, 2022 at 9:54 PM Bogdan-Andrei Iancu <<a href="mailto:bogdan@opensips.org" target="_blank">bogdan@opensips.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div>
    <font face="monospace">Set the certificate and key you have in the
      tls_mgm module, for the "certificate" and "private_key"
      parameters.<br>
      <br>
      Regards,<br>
    </font>
    <pre cols="72">Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  <a href="https://www.opensips-solutions.com" target="_blank">https://www.opensips-solutions.com</a>
OpenSIPS Summit 27-30 Sept 2022, Athens
  <a href="https://www.opensips.org/events/Summit-2022Athens/" target="_blank">https://www.opensips.org/events/Summit-2022Athens/</a></pre>
    <div>On 9/13/22 2:57 PM, jacky z wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="ltr">
        <div dir="ltr">
          <div dir="ltr">
            <div dir="ltr">
              <div dir="ltr">
                <div dir="ltr">
                  <div dir="ltr">
                    <div>Hi Bogdan-Andrei,</div>
                    <div><br>
                    </div>
                    <div>I tried two methods. </div>
                    <div><br>
                    </div>
                    <div>Method 1: </div>
                    <div><br>
                    </div>
                    <div><font face="monospace">#enabled TLS connection:</font></div>
                    <div><font face="monospace">modparam("db_mysql",
                        "use_tls", 1)<br>
                      </font></div>
                    <div><font face="monospace"><br>
                      </font></div>
                    <div><font face="monospace">#setup a client domain:</font></div>
                    <div>
                      <div><font face="monospace">modparam("tls_mgm",
                          "client_domain", "dom1")</font></div>
                      <div><font face="monospace">modparam("tls_mgm",
                          "match_ip_address", "[dom1]*")</font></div>
                      <div><font face="monospace">modparam("tls_mgm",
                          "match_sip_domain", "[dom1]*")</font></div>
                      <div><font face="monospace">modparam("tls_mgm","certificate",
                          "[dom1]/etc/ssl/certs/rootCACert.pem")</font></div>
                      <div><font face="monospace">modparam("tls_mgm","private_key",
                          "[dom1]/etc/ssl/private/rootCAKey.pem")</font></div>
                      <div><font face="monospace">modparam("tls_mgm","ca_list",
                          "[dom1]/etc/ssl/certs/rootCACert.pem")</font></div>
                      <div><font face="monospace">modparam("tls_mgm","tls_method",
                          "[dom1]SSLv23")</font></div>
                      <div><font face="monospace">modparam("tls_mgm","verify_cert",
                          "[dom1]0")</font></div>
                      <div><font face="monospace">modparam("tls_mgm","require_cert",
                          "[dom1]0")</font></div>
                      <div><span style="font-family:monospace;font-size:9pt">#
                          set db_url</span></div>
                      <div><span style="font-family:monospace;font-size:9pt">modparam("usrloc",
                          "db_url",
"mysql://root:1234@<awsrdsaddress>/opensips?tls_domain=dom1")</span></div>
                    </div>
                    <div>...</div>
                    <div><br>
                    </div>
                    <div>I couldn't figure out how to use the
                      global-bundle.pem AWS provided with this method.
                      No luck getting a connection to RDS. If I don't
                      use SSL, OpenSIPS can connect to RDS without
                      encryption.</div>
                    <div><br>
                    </div>
                    <div>Method 2:</div>
                    <div><br>
                    </div>
                    <div>I tried </div>
                    <div><span style="font-family:monospace;font-size:12px"><br>
                      </span></div>
                    <div><span style="font-family:monospace;font-size:12px">modparam("usrloc",
                        "db_url",
                        "mysql://root:1234@<awsrdsaddress>/opensips?ssl=true&</span><font face="monospace"><span style="font-size:12px">ssl_ca_certs=/etc/ssl/certs/global-bundle.pem</span></font><span style="font-family:monospace;font-size:12px">")</span></div>
                    <div dir="ltr"><br>
                    </div>
                    <div>to include the AWS cert. Still no luck.</div>
                    <div><br>
                    </div>
                    <div>Thanks!</div>
                    <br>
                    <div class="gmail_quote">
                      <div dir="ltr" class="gmail_attr">On Tue, Sep 13,
                        2022 at 4:52 PM Bogdan-Andrei Iancu <<a href="mailto:bogdan@opensips.org" target="_blank">bogdan@opensips.org</a>>
                        wrote:<br>
                      </div>
                      <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                        <div> <font face="monospace">Hi,<br>
                            <br>
                            sorry for my silly question, but how do you
                            connect from the OpenSIPS side ??<br>
                            <br>
                            Regards,<br>
                          </font>
                          <div>On 9/13/22 10:41 AM, jacky z wrote:<br>
                          </div>
                          <blockquote type="cite">
                            <div dir="ltr">
                              <div dir="ltr">
                                <div dir="ltr">Hi Team,
                                  <div><br>
                                  </div>
                                  <div>We hope to connect to an AWS RDS
                                    database with SSL encryption. We
                                    have set up a client domain according
                                    to the OpenSIPS documents. However, AWS
                                    RDS does not support a client cert, as
                                    someone has confirmed with AWS: <a href="https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws" target="_blank">https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws</a></div>
                                  <div><br>
                                  </div>
                                  <div>Is there any way to use the cert
                                    provided by AWS to connect? AWS
                                    provides a global-bundle.pem (<a href="https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html" target="_blank">https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html</a>)
                                    for such a connection, but we don't
                                    know how to include it in the config
                                    file.</div>
                                  <div><br>
                                  </div>
                                  <div>Thanks</div>
                                  <div><br>
                                  </div>
                                  <div>Jacky z</div>
                                </div>
                              </div>
                            </div>
                            <br>
                            <pre>_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
                          </blockquote>
                          <br>
                        </div>
                      </blockquote>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
  </div>

</blockquote></div>
</blockquote></div></div>
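<p>Added example, not part of the thread and not OpenSIPS project code: the Method 1 client domain posted above, shown beside a variant that actually validates the RDS server certificate. As posted, <code>verify_cert</code> is 0 (any server certificate is accepted), <code>ca_list</code> points at a locally generated root CA that cannot vouch for RDS, and <code>tls_method</code> is SSLv23. Assumed: the AWS bundle is saved at /etc/ssl/certs/global-bundle.pem, the client cert/key paths and the database user are placeholders, and <code>TLSv1_2</code> is accepted as a <code>tls_method</code> value by the OpenSIPS version in use.</p>

```cfg
# Added example (not from the thread). "before" = Method 1 as posted,
# "after" = same client domain with server-certificate validation enabled.

# ---- before: the RDS server's identity is never checked ----
# modparam("tls_mgm","ca_list",     "[dom1]/etc/ssl/certs/rootCACert.pem")  # local CA, cannot vouch for RDS
# modparam("tls_mgm","tls_method",  "[dom1]SSLv23")                          # allows legacy protocol versions
# modparam("tls_mgm","verify_cert", "[dom1]0")                               # any server certificate accepted

# ---- after: chain the server certificate to the AWS RDS CA bundle ----
modparam("db_mysql", "use_tls", 1)

modparam("tls_mgm", "client_domain", "dom1")
modparam("tls_mgm", "match_ip_address", "[dom1]*")
modparam("tls_mgm", "match_sip_domain", "[dom1]*")

# Kept as Bogdan advised; whether they can be dropped for one-way TLS
# is the open question in the thread. Placeholder paths (assumed).
modparam("tls_mgm", "certificate", "[dom1]/etc/ssl/certs/client.pem")
modparam("tls_mgm", "private_key", "[dom1]/etc/ssl/private/client.key")

# Trust anchor: the AWS RDS bundle (path assumed), not a locally generated root.
modparam("tls_mgm", "ca_list", "[dom1]/etc/ssl/certs/global-bundle.pem")

# Fix the protocol version instead of letting SSLv23 negotiate.
modparam("tls_mgm", "tls_method", "[dom1]TLSv1_2")

# Validate the server certificate against ca_list; require_cert left as posted.
modparam("tls_mgm", "verify_cert", "[dom1]1")
modparam("tls_mgm", "require_cert", "[dom1]0")

# Same db_url form as Method 1; user/password/host are placeholders.
modparam("usrloc", "db_url",
    "mysql://opensips:<password>@<awsrdsaddress>/opensips?tls_domain=dom1")
```

<p>With <code>verify_cert</code> set to 1, a connection to a host whose certificate does not chain to global-bundle.pem fails at the handshake instead of silently proceeding, which is the check that distinguishes an encrypted connection from an authenticated one.</p>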