<div dir="ltr"><div dir="ltr"><div dir="ltr">Hi Vlad,<br><div><br></div><div>In theory, the RDS server is expected to work as you described. However, based on our tests, when the client cert and key are specified, the connection can't be established.</div><div>For example, if we specify the following when connecting to the RDS server from the command line in our testing:</div><pre>--ssl-cert=/etc/ssl/certs/rootCACert.pem --ssl-key=/etc/ssl/private/rootCAKey.pem</pre><div>RDS returns this error:</div><pre>ERROR 2013 (HY000): Lost connection to MySQL server at 'reading authorization packet', system error: 11</pre></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Sep 14, 2022 at 9:16 PM Vlad Patrascu &lt;<a href="mailto:vladp@opensips.org" target="_blank">vladp@opensips.org</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div>
    <p>Hi Jacky,</p>
    <p>OpenSIPS will always require you to configure a client
      certificate for TLS client domains and will also present that
      certificate when connecting. But normally, a TLS server can simply
      choose not to verify the client certificate. I don't have any
      experience with AWS RDS though but it seems odd to not accept a
      connection only because the client did present a certificate.</p>
    <p>Regards,<br>
    </p>
    <pre cols="72">-- 
Vlad Patrascu
OpenSIPS Core Developer
<a href="http://www.opensips-solutions.com" target="_blank">http://www.opensips-solutions.com</a></pre>
    <div>On 14.09.2022 05:42, jacky z wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="ltr">
        <div>Hi Bogdan-Andrei,</div>
        <div><br>
        </div>
        <div>I checked the MariaDB documentation and found MariaDB has
          two options to set up an SSL connection: two-way TLS and one-way
          TLS. It seems AWS RDS only supports one-way TLS, that is, TLS
          is used without a client cert. Does OpenSIPS support such
          one-way TLS to connect to a database? Thanks!</div>
        <br>
        <div class="gmail_quote">
          <div dir="ltr" class="gmail_attr">On Wed, Sep 14, 2022 at
            12:06 AM jacky z <<a href="mailto:zjack0992@gmail.com" target="_blank">zjack0992@gmail.com</a>>
            wrote:<br>
          </div>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
            <div dir="ltr">
              <div dir="ltr">Hi Bogdan-Andrei,
                <div><br>
                </div>
                <div>I have set<font face="arial, sans-serif"> the
                    "certificate" and "private_key" in my script, as I
                    explained in method 1. However, AWS RDS doesn't
                    support a client cert. Please refer to</font></div>
                <div><a href="https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws" target="_blank">https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws</a><br>
                </div>
                <div><br>
                </div>
                <div>Is there any workaround to use the public cert list
                  provided by AWS? Has anyone successfully used RDS with
                  SSL connections? Thanks!</div>
              </div>
            </div>
            <br>
            <div class="gmail_quote">
              <div dir="ltr" class="gmail_attr">On Tue, Sep 13, 2022 at
                9:54 PM Bogdan-Andrei Iancu <<a href="mailto:bogdan@opensips.org" target="_blank">bogdan@opensips.org</a>>
                wrote:<br>
              </div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                <div> <font face="monospace">Set the certificate and
                    key you have in the tls_mgm module, for the
                    "certificate" and "private_key" parameters.<br>
                    <br>
                    Regards,<br>
                  </font>
                  <pre cols="72">Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  <a href="https://www.opensips-solutions.com" target="_blank">https://www.opensips-solutions.com</a>
OpenSIPS Summit 27-30 Sept 2022, Athens
  <a href="https://www.opensips.org/events/Summit-2022Athens/" target="_blank">https://www.opensips.org/events/Summit-2022Athens/</a></pre>
                  <div>On 9/13/22 2:57 PM, jacky z wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div dir="ltr">
                        <div dir="ltr">
                          <div dir="ltr">
                            <div dir="ltr">
                              <div dir="ltr">
                                <div dir="ltr">
                                  <div>Hi Bogdan-Andrei,</div>
                                  <div><br>
                                  </div>
                                  <div>I tried two methods. </div>
                                  <div><br>
                                  </div>
                                  <div>Method 1: </div>
                                  <div><br>
                                  </div>
                                  <pre># enable TLS connection:
modparam("db_mysql", "use_tls", 1)

# set up a client domain:
modparam("tls_mgm", "client_domain", "dom1")
modparam("tls_mgm", "match_ip_address", "[dom1]*")
modparam("tls_mgm", "match_sip_domain", "[dom1]*")
modparam("tls_mgm", "certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm", "private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
modparam("tls_mgm", "ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm", "tls_method", "[dom1]SSLv23")
modparam("tls_mgm", "verify_cert", "[dom1]0")
modparam("tls_mgm", "require_cert", "[dom1]0")

# set db_url
modparam("usrloc", "db_url", "mysql://root:1234@&lt;awsrdsaddress&gt;/opensips?tls_domain=dom1")</pre>
                                  <div>...</div>
                                  <div><br>
                                  </div>
                                  <div>I couldn't figure out how to use
                                    the global-bundle.pem AWS provides with
                                    this method. No luck getting a
                                    connection to RDS. If I don't use
                                    SSL, OpenSIPS can connect to RDS
                                    without encryption.</div>
                                  <div><br>
                                  </div>
                                  <div>Method 2:</div>
                                  <div><br>
                                  </div>
                                  <div>I tried</div>
                                  <pre>modparam("usrloc", "db_url", "mysql://root:1234@&lt;awsrdsaddress&gt;/opensips?ssl=true&amp;ssl_ca_certs=/etc/ssl/certs/global-bundle.pem")</pre>
                                  <div>to include the AWS cert. Still no
                                    luck.</div>
                                  <div><br>
                                  </div>
                                  <div>Thanks!</div>
                                  <br>
                                  <div class="gmail_quote">
                                    <div dir="ltr" class="gmail_attr">On
                                      Tue, Sep 13, 2022 at 4:52 PM
                                      Bogdan-Andrei Iancu <<a href="mailto:bogdan@opensips.org" target="_blank">bogdan@opensips.org</a>>
                                      wrote:<br>
                                    </div>
                                    <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                      <div> <font face="monospace">Hi,<br>
                                          <br>
                                          sorry for my silly question,
                                          but how do you connect from
                                          the OpenSIPS side ??<br>
                                          <br>
                                          Regards,<br>
                                        </font>
                                        <pre cols="72">Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  <a href="https://www.opensips-solutions.com" target="_blank">https://www.opensips-solutions.com</a>
OpenSIPS Summit 27-30 Sept 2022, Athens
  <a href="https://www.opensips.org/events/Summit-2022Athens/" target="_blank">https://www.opensips.org/events/Summit-2022Athens/</a></pre>
                                        <div>On 9/13/22 10:41 AM, jacky
                                          z wrote:<br>
                                        </div>
                                        <blockquote type="cite">
                                          <div dir="ltr">
                                            <div dir="ltr">
                                              <div dir="ltr">Hi Team,
                                                <div><br>
                                                </div>
                                                <div>We hope to connect
                                                  to an AWS RDS database
                                                  with SSL encryption.
                                                  We have set up a client
                                                  domain according to the
                                                  OpenSIPS documents.
                                                  However, AWS RDS does
                                                  not support a client
                                                  cert, as someone has
                                                  confirmed with AWS: <a href="https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws" target="_blank">https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws</a></div>
                                                <div><br>
                                                </div>
                                                <div>Is there any way to
                                                  use the cert provided
                                                  by AWS to connect? AWS
                                                  provides a
                                                  global-bundle.pem (<a href="https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html" target="_blank">https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html</a>)
                                                  for such a connection,
                                                  but we don't know how
                                                  to include it in the
                                                  config file.</div>
                                                <div><br>
                                                </div>
                                                <div>Thanks</div>
                                                <div><br>
                                                </div>
                                                <div>Jacky z</div>
                                              </div>
                                            </div>
                                          </div>
                                          <br>
                                          <pre>_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
                                        </blockquote>
                                        <br>
                                      </div>
                                    </blockquote>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </blockquote>
            </div>
          </blockquote>
        </div>
      </div>
      <br>
    </blockquote>
  </div>

</blockquote></div>