<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi Jacky,</p>
<p>I can't think of any workaround, unfortunately.<br>
</p>
<p>Regards,<br>
</p>
<pre class="moz-signature" cols="72">--
Vlad Patrascu
OpenSIPS Core Developer
<a class="moz-txt-link-freetext" href="http://www.opensips-solutions.com">http://www.opensips-solutions.com</a></pre>
<div class="moz-cite-prefix">On 17.09.2022 18:46, jacky z wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAOB03DuznLYeZonvm6qyT3-xvWikwiaVd=zTUgGcQ0pNjEYhhg@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Hi Vlad,<br>
<div><br>
</div>
<div>Is there any workaround to disable the client cert? Thanks!</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Sep 14, 2022 at 9:16
PM Vlad Patrascu <<a href="mailto:vladp@opensips.org"
moz-do-not-send="true" class="moz-txt-link-freetext">vladp@opensips.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Hi Jacky,</p>
<p>OpenSIPS will always require you to configure a client
certificate for TLS client domains and will also present
that certificate when connecting. But normally, a TLS
server can simply choose not to verify the client
certificate. I don't have any experience with AWS RDS
though but it seems odd to not accept a connection only
because the client did present a certificate.</p>
<p>Regards,<br>
</p>
<pre cols="72">--
Vlad Patrascu
OpenSIPS Core Developer
<a href="http://www.opensips-solutions.com" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">http://www.opensips-solutions.com</a></pre>
<div>On 14.09.2022 05:42, jacky z wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Hi Bogdan-Andrei,</div>
<div><br>
</div>
<div>I checked the MariaDB documentation and found
MariaDB has two options to set up an SSL connection: two-way
TLS and one-way TLS. It seems AWS RDS only supports
one-way TLS, that is, TLS is used without a client
cert. Does OpenSIPS support such one-way TLS to
connect to a database? Thanks!</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Sep 14, 2022
at 12:06 AM jacky z <<a
href="mailto:zjack0992@gmail.com" target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">zjack0992@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div dir="ltr">Hi Bogdan-Andrei,
<div><br>
</div>
<div>I have set<font face="arial, sans-serif"> the
"certificate" and "private_key" in my
script, as I explained in method 1. However,
AWS RDS doesn't support a client cert.
Please refer to</font></div>
<div><a
href="https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws</a><br>
</div>
<div><br>
</div>
<div>Is there any workaround to use the public
cert list provided by AWS? Has anyone
successfully used RDS with SSL connections?
Thanks!</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, Sep 13,
2022 at 9:54 PM Bogdan-Andrei Iancu <<a
href="mailto:bogdan@opensips.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">bogdan@opensips.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px
0px 0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div> <font face="monospace">Set the
certificate and key you have in the tls_mgm
module, for the "certificate" and
"private_key" parameters.<br>
<br>
Regards,<br>
</font>
<pre cols="72">Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
<a href="https://www.opensips-solutions.com" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">https://www.opensips-solutions.com</a>
OpenSIPS Summit 27-30 Sept 2022, Athens
<a href="https://www.opensips.org/events/Summit-2022Athens/" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">https://www.opensips.org/events/Summit-2022Athens/</a></pre>
<div>On 9/13/22 2:57 PM, jacky z wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>Hi Bogdan-Andrei,</div>
<div><br>
</div>
<div>I tried two methods. </div>
<div><br>
</div>
<div>Method 1: </div>
<div><br>
</div>
<pre>#enable TLS connection:
modparam("db_mysql", "use_tls", 1)

#setup a client domain:
modparam("tls_mgm", "client_domain", "dom1")
modparam("tls_mgm", "match_ip_address", "[dom1]*")
modparam("tls_mgm", "match_sip_domain", "[dom1]*")
modparam("tls_mgm", "certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm", "private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
modparam("tls_mgm", "ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm", "tls_method", "[dom1]SSLv23")
modparam("tls_mgm", "verify_cert", "[dom1]0")
modparam("tls_mgm", "require_cert", "[dom1]0")

# set db_url
modparam("usrloc", "db_url", "mysql://root:1234@&lt;awsrdsaddress&gt;/opensips?tls_domain=dom1")</pre>
<div>...</div>
<div><br>
</div>
<div>I couldn't figure out how
to use global-bundle.pem AWS
provided with this method.
No luck to get a connection
with RDS. If I don't use
ssl, opensips can connect to
RDS without encryption.</div>
<div><br>
</div>
<div>Method 2:</div>
<div><br>
</div>
<div>I tried </div>
<pre>modparam("usrloc", "db_url", "mysql://root:1234@&lt;awsrdsaddress&gt;/opensips?ssl=true&amp;ssl_ca_certs=/etc/ssl/certs/global-bundle.pem")</pre>
<div dir="ltr"><br>
</div>
<div>to include the AWS cert.
Still no luck.</div>
<div><br>
</div>
<div>Thanks!</div>
<br>
<div class="gmail_quote">
<div dir="ltr"
class="gmail_attr">On Tue,
Sep 13, 2022 at 4:52 PM
Bogdan-Andrei Iancu <<a
href="mailto:bogdan@opensips.org" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">bogdan@opensips.org</a>> wrote:<br>
</div>
<blockquote
class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px
solid
rgb(204,204,204);padding-left:1ex">
<div> <font
face="monospace">Hi,<br>
<br>
sorry for my silly
question, but how do
you connect from the
OpenSIPS side ??<br>
<br>
Regards,<br>
</font>
<pre cols="72">Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
<a href="https://www.opensips-solutions.com" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">https://www.opensips-solutions.com</a>
OpenSIPS Summit 27-30 Sept 2022, Athens
<a href="https://www.opensips.org/events/Summit-2022Athens/" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">https://www.opensips.org/events/Summit-2022Athens/</a></pre>
<div>On 9/13/22 10:41
AM, jacky z wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Hi
Team,
<div><br>
</div>
<div>We hope to connect to an AWS RDS database with SSL encryption. We have set up a client domain according to the OpenSIPS documents. However, AWS RDS does not support a client cert, as someone has confirmed with AWS: <a href="https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws</a></div>
<div><br>
</div>
<div>Is there
any way to use
the cert
provided by
AWS to
connect? AWS
provides a
global-bundle.pem
(<a
href="https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html"
target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html</a>)
for such a
connection,
but we don't
know how to
include it in
the config
file.</div>
<div><br>
</div>
<div>Thanks</div>
<div><br>
</div>
<div>Jacky z</div>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
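<p>The thread leaves two things open: tls_mgm always wants a certificate/private_key pair for a client domain, and the config posted above trusts the wrong CA (the user's own rootCACert.pem instead of the AWS bundle) while also disabling server verification (verify_cert=0), which encrypts the link but does not protect against a spoofed endpoint. The configuration below is an added example, not code from the thread or from the OpenSIPS project. It assumes a throwaway self-signed client identity under /etc/opensips/tls/ (paths and the "opensips" DB user are placeholders), keeps the &lt;awsrdsaddress&gt; placeholder from the thread, and assumes, as Vlad suggests but the thread never confirms, that RDS simply ignores a client certificate it did not ask for.</p>

```opensips
# Added example (not from the thread or the OpenSIPS project): a db_mysql
# client domain for an AWS RDS endpoint that only offers one-way TLS.
# Assumptions: /etc/opensips/tls/ paths and the "opensips" DB user are
# placeholders; whether RDS tolerates a presented client certificate was
# suggested in the thread but not confirmed.

loadmodule "tls_mgm.so"
loadmodule "db_mysql.so"
loadmodule "usrloc.so"

# Encrypt the db_mysql connection (same parameter the thread uses).
modparam("db_mysql", "use_tls", 1)

# tls_mgm requires a certificate/private_key pair for every client domain,
# so supply a throwaway self-signed identity generated offline, e.g.:
#   openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
#     -subj "/CN=opensips-db-client" \
#     -keyout /etc/opensips/tls/db-client-key.pem \
#     -out    /etc/opensips/tls/db-client-cert.pem
# RDS does not request client certificates, so this identity is never
# evaluated by the server; it only satisfies the module's config check.
modparam("tls_mgm", "client_domain", "rds")
modparam("tls_mgm", "match_ip_address", "[rds]*")
modparam("tls_mgm", "match_sip_domain", "[rds]*")
modparam("tls_mgm", "certificate", "[rds]/etc/opensips/tls/db-client-cert.pem")
modparam("tls_mgm", "private_key", "[rds]/etc/opensips/tls/db-client-key.pem")

# Trust anchor: the AWS bundle, not a private root CA. The RDS server
# certificate chains to Amazon's CAs, so rootCACert.pem can never validate it.
modparam("tls_mgm", "ca_list", "[rds]/etc/ssl/certs/global-bundle.pem")

# verify_cert=1 makes OpenSIPS reject an endpoint whose certificate does not
# chain to ca_list. With verify_cert=0 (the thread's setting) the link is
# encrypted but any server is accepted, i.e. no defence against a MITM.
modparam("tls_mgm", "verify_cert", "[rds]1")
modparam("tls_mgm", "require_cert", "[rds]0")

# Pin a protocol floor instead of SSLv23 autonegotiation.
modparam("tls_mgm", "tls_method", "[rds]TLSv1_2")

# Select the client domain per connection with tls_domain=, as in the thread.
# Use a dedicated, least-privilege DB user rather than root.
modparam("usrloc", "db_url", "mysql://opensips:CHANGEME@<awsrdsaddress>:3306/opensips?tls_domain=rds")
```

<p>Before touching OpenSIPS, check the endpoint's TLS behaviour on its own: <code>openssl s_client -starttls mysql -connect &lt;awsrdsaddress&gt;:3306 -CAfile /etc/ssl/certs/global-bundle.pem</code> should end with "Verify return code: 0 (ok)" if the bundle is the right trust anchor, and adding <code>-cert</code>/<code>-key</code> with the throwaway client identity shows directly whether the server tolerates an unsolicited client certificate, which is the one assumption this example rests on. If that handshake fails, the problem is not in tls_mgm.</p>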
</body>
</html>