Re: [OpenSIPS-Users] Connect to AWS RDS database with SSL enabled

2022-10-10 Thread Bogdan-Andrei Iancu

Hi,

That's a really bad example of how to hide trash beneath the carpet :(

The instructions on how to get a backtrace are simple and clear [1] - 
please consider doing this and helping back the project you are using.


[1] https://www.opensips.org/Documentation/TroubleShooting-Crash

Best regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
  https://www.opensips.org/events/Summit-2022Athens/

On 9/27/22 5:12 AM, jacky z wrote:

Hi Ovidiu,

I solved this problem by hardcoding the cert address in the my_con.c 
address. Guess the cert setup in the config file can't be loaded 
correctly when my_con.c calls it.


On Tue, Sep 27, 2022 at 7:34 AM Ovidiu Sas wrote:


I encountered a crash related to TLS connections and I was wondering
if it's a similar issue.
It seems not, the crash that I encountered happens only on 3.3.

If you installed opensips from a package, you need to install
opensips-dbg package to get the debug symbols.
After that, you can locate the core file on your server and
inspect it with gdb.
Everything should be detailed here:
https://www.opensips.org/Documentation/TroubleShooting-Crash


-ovidiu

On Mon, Sep 26, 2022 at 2:54 AM jacky z wrote:
>
> Hi Ovidiu,
>
> The version I am using is 3.2. I am not familiar with the debug
symbols, but guess this can be reproduced easily. With
?tls_domain=dom1 attached after the mysql address, it happens. Can
you simply check if it is the same behavior? If not, I will dig
further by learning how to use the debug symbols. Thanks!
>
> On Mon, Sep 26, 2022 at 12:30 AM Ovidiu Sas wrote:
>>
>> Which version of opensips are you using?
>> Can you install the debug symbols and get a backtrace from the
core file?
>> https://www.opensips.org/Documentation/TroubleShooting-Crash

>>
>> Regards,
>> Ovidiu Sas
>>
>> On Sun, Sep 25, 2022 at 6:32 AM jacky z wrote:
>> >
>> > Hi Vlad,
>> >
>> > It seems opensips crashed when I set ?tls_domain=dom1 to
enable tls connection to mysql db.  I followed the method in the
manual.
>> >
>> > modparam("usrloc", "db_url",
"mysql://root:1234@localhost/opensips?tls_domain=dom1")
>> >
>> >
>> > Here is the log.
>> >
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
INFO:tls_mgm:mod_init: initializing TLS management
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom'
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'dom' defined,
using default '/etc/pki/CA/'
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
NOTICE:tls_openssl:openssl_init_tls_dom: No EC curve defined
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
INFO:tls_openssl:get_ssl_ctx_verify_mode: client verification NOT
activated. Weaker security.
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom1'
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'dom1' defined,
using default '/etc/pki/CA/'
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
NOTICE:tls_openssl:openssl_init_tls_dom: No EC curve defined
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
INFO:tls_openssl:get_ssl_ctx_verify_mode: server verification NOT
activated. Weaker security.
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
INFO:proto_tls:mod_init: initializing TLS protocol
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
INFO:proto_bin:mod_init: initializing BIN protocol
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
INFO:clusterer:mod_init: Clusterer module - initializing
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
CRITICAL:core:sig_usr: segfault in attendant (starter) process!
>> > Sep 25 10:14:01 ip-10-100-20-35 kernel: [39023.653243]
opensips[4935]: segfault at 0 ip  sp
7ffececa3d08 error 14 in opensips[558b5bb75000+1c000]
>> > Sep 25 10:14:01 ip-10-100-20-35 kernel: [39023.666503] Code:
Bad RIP value.
>> > Sep 

Re: [OpenSIPS-Users] Connect to AWS RDS database with SSL enabled

2022-09-26 Thread jacky z
Hi Ovidiu,

I solved this problem by hardcoding the cert address in the my_con.c
address. Guess the cert setup in the config file can't be loaded correctly
when my_con.c calls it.

On Tue, Sep 27, 2022 at 7:34 AM Ovidiu Sas  wrote:

> I encountered a crash related to TLS connections and I was wondering
> if it's a similar issue.
> It seems not, the crash that I encountered happens only on 3.3.
>
> If you installed opensips from a package, you need to install
> opensips-dbg package to get the debug symbols.
> After that, you can locate the core file on your server and inspect it
> with gdb.
> Everything should be detailed here:
> https://www.opensips.org/Documentation/TroubleShooting-Crash
>
> -ovidiu
>
> On Mon, Sep 26, 2022 at 2:54 AM jacky z  wrote:
> >
> > Hi Ovidiu,
> >
> > The version I am using is 3.2. I am not familiar with the debug symbols,
> but guess this can be reproduced easily. With ?tls_domain=dom1 attached
> after the mysql address, it happens. Can you simply check if it is the same
> behavior? If not, I will dig further by learning how to use the debug
> symbols. Thanks!
> >
> > On Mon, Sep 26, 2022 at 12:30 AM Ovidiu Sas 
> wrote:
> >>
> >> Which version of opensips are you using?
> >> Can you install the debug symbols and get a backtrace from the core
> file?
> >> https://www.opensips.org/Documentation/TroubleShooting-Crash
> >>
> >> Regards,
> >> Ovidiu Sas
> >>
> >> On Sun, Sep 25, 2022 at 6:32 AM jacky z  wrote:
> >> >
> >> > Hi Vlad,
> >> >
> >> > It seems opensips crashed when I set ?tls_domain=dom1 to enable tls
> connection to mysql db.  I followed the method in the manual.
> >> >
> >> > modparam("usrloc", "db_url", "mysql://root:1234@localhost
> /opensips?tls_domain=dom1")
> >> >
> >> >
> >> > Here is the log.
> >> >
> >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> INFO:tls_mgm:mod_init: initializing TLS management
> >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom'
> >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'dom' defined, using default
> '/etc/pki/CA/'
> >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
> >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> NOTICE:tls_openssl:openssl_init_tls_dom: No EC curve defined
> >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> INFO:tls_openssl:get_ssl_ctx_verify_mode: client verification NOT
> activated. Weaker security.
> >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom1'
> >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'dom1' defined, using
> default '/etc/pki/CA/'
> >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
> >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> NOTICE:tls_openssl:openssl_init_tls_dom: No EC curve defined
> >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> INFO:tls_openssl:get_ssl_ctx_verify_mode: server verification NOT
> activated. Weaker security.
> >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> INFO:proto_tls:mod_init: initializing TLS protocol
> >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> INFO:proto_bin:mod_init: initializing BIN protocol
> >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> INFO:clusterer:mod_init: Clusterer module - initializing
> >> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> CRITICAL:core:sig_usr: segfault in attendant (starter) process!
> >> > Sep 25 10:14:01 ip-10-100-20-35 kernel: [39023.653243]
> opensips[4935]: segfault at 0 ip  sp 7ffececa3d08 error
> 14 in opensips[558b5bb75000+1c000]
> >> > Sep 25 10:14:01 ip-10-100-20-35 kernel: [39023.666503] Code: Bad RIP
> value.
> >> > Sep 25 10:14:01 ip-10-100-20-35 opensips: INFO:core:daemonize:
> pre-daemon process exiting with -1
> >> >
> >> > and my client domain settings
> >> >
> >> > #client domain
> >> > modparam("tls_mgm", "client_domain", "dom1")
> >> > modparam("tls_mgm", "match_ip_address", "[dom1]*")
> >> > modparam("tls_mgm", "match_sip_domain", "[dom1]*")
> >> > modparam("tls_mgm","certificate",
> "[dom1]/etc/ssl/certs/rootCACert.pem")
> >> > modparam("tls_mgm","private_key",
> "[dom1]/etc/ssl/private/rootCAKey.pem")
> >> > modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
> >> > modparam("tls_mgm","tls_method", "[dom1]SSLv23")
> >> > modparam("tls_mgm","verify_cert", "[dom1]0")
> >> > modparam("tls_mgm","require_cert", "[dom1]0")
> >> >
> >> > It is expected to see some other errors such as invalid cert but not
> crash in pre-daemon process. Any clue on this for me to debug? If I remove
> "?tls_domain=dom1", there is no such crash 

Re: [OpenSIPS-Users] Connect to AWS RDS database with SSL enabled

2022-09-26 Thread Ovidiu Sas
I encountered a crash related to TLS connections and I was wondering
if it's a similar issue.
It seems not, the crash that I encountered happens only on 3.3.

If you installed opensips from a package, you need to install
opensips-dbg package to get the debug symbols.
After that, you can locate the core file on your server and inspect it with gdb.
Everything should be detailed here:
https://www.opensips.org/Documentation/TroubleShooting-Crash

-ovidiu

On Mon, Sep 26, 2022 at 2:54 AM jacky z  wrote:
>
> Hi Ovidiu,
>
> The version I am using is 3.2. I am not familiar with the debug symbols, but 
> guess this can be reproduced easily. With ?tls_domain=dom1 attached after the 
> mysql address, it happens. Can you simply check if it is the same behavior? 
> If not, I will dig further by learning how to use the debug symbols. Thanks!
>
> On Mon, Sep 26, 2022 at 12:30 AM Ovidiu Sas  wrote:
>>
>> Which version of opensips are you using?
>> Can you install the debug symbols and get a backtrace from the core file?
>> https://www.opensips.org/Documentation/TroubleShooting-Crash
>>
>> Regards,
>> Ovidiu Sas
>>
>> On Sun, Sep 25, 2022 at 6:32 AM jacky z  wrote:
>> >
>> > Hi Vlad,
>> >
>> > It seems opensips crashed when I set ?tls_domain=dom1 to enable tls 
>> > connection to mysql db.  I followed the method in the manual.
>> >
>> > modparam("usrloc", "db_url", 
>> > "mysql://root:1234@localhost/opensips?tls_domain=dom1")
>> >
>> >
>> > Here is the log.
>> >
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
>> > INFO:tls_mgm:mod_init: initializing TLS management
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
>> > INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom'
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
>> > NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'dom' defined, using 
>> > default '/etc/pki/CA/'
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
>> > NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
>> > NOTICE:tls_openssl:openssl_init_tls_dom: No EC curve defined
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
>> > INFO:tls_openssl:get_ssl_ctx_verify_mode: client verification NOT 
>> > activated. Weaker security.
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
>> > INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom1'
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
>> > NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'dom1' defined, using 
>> > default '/etc/pki/CA/'
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
>> > NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
>> > NOTICE:tls_openssl:openssl_init_tls_dom: No EC curve defined
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
>> > INFO:tls_openssl:get_ssl_ctx_verify_mode: server verification NOT 
>> > activated. Weaker security.
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
>> > INFO:proto_tls:mod_init: initializing TLS protocol
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
>> > INFO:proto_bin:mod_init: initializing BIN protocol
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
>> > INFO:clusterer:mod_init: Clusterer module - initializing
>> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
>> > CRITICAL:core:sig_usr: segfault in attendant (starter) process!
>> > Sep 25 10:14:01 ip-10-100-20-35 kernel: [39023.653243] opensips[4935]: 
>> > segfault at 0 ip  sp 7ffececa3d08 error 14 in 
>> > opensips[558b5bb75000+1c000]
>> > Sep 25 10:14:01 ip-10-100-20-35 kernel: [39023.666503] Code: Bad RIP value.
>> > Sep 25 10:14:01 ip-10-100-20-35 opensips: INFO:core:daemonize: pre-daemon 
>> > process exiting with -1
>> >
>> > and my client domain settings
>> >
>> > #client domain
>> > modparam("tls_mgm", "client_domain", "dom1")
>> > modparam("tls_mgm", "match_ip_address", "[dom1]*")
>> > modparam("tls_mgm", "match_sip_domain", "[dom1]*")
>> > modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
>> > modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
>> > modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
>> > modparam("tls_mgm","tls_method", "[dom1]SSLv23")
>> > modparam("tls_mgm","verify_cert", "[dom1]0")
>> > modparam("tls_mgm","require_cert", "[dom1]0")
>> >
>> > It is expected to see some other errors such as invalid cert but not crash 
>> > in pre-daemon process. Any clue on this for me to debug? If I remove 
>> > "?tls_domain=dom1", there is no such crash though the opensips server 
>> > still couldn't start because I forced the mysql db to use ssl connection. 
>> > Thanks!
>> >
>> > On Mon, Sep 19, 2022 at 9:09 PM Vlad Patrascu  wrote:
>> >>
>> >> Hi Jacky,
>> >>
>> >> I can't think of any workaround unfortunately.
>> >>
>> >> 

Re: [OpenSIPS-Users] Connect to AWS RDS database with SSL enabled

2022-09-26 Thread jacky z
Hi Ovidiu,

The version I am using is 3.2. I am not familiar with the debug symbols,
but guess this can be reproduced easily. With ?tls_domain=dom1 attached
after the mysql address, it happens. Can you simply check if it is the same
behavior? If not, I will dig further by learning how to use the debug
symbols. Thanks!

On Mon, Sep 26, 2022 at 12:30 AM Ovidiu Sas  wrote:

> Which version of opensips are you using?
> Can you install the debug symbols and get a backtrace from the core file?
> https://www.opensips.org/Documentation/TroubleShooting-Crash
>
> Regards,
> Ovidiu Sas
>
> On Sun, Sep 25, 2022 at 6:32 AM jacky z  wrote:
> >
> > Hi Vlad,
> >
> > It seems opensips crashed when I set ?tls_domain=dom1 to enable tls
> connection to mysql db.  I followed the method in the manual.
> >
> > modparam("usrloc", "db_url", "mysql://root:1234@localhost
> /opensips?tls_domain=dom1")
> >
> >
> > Here is the log.
> >
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> INFO:tls_mgm:mod_init: initializing TLS management
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom'
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'dom' defined, using default
> '/etc/pki/CA/'
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> NOTICE:tls_openssl:openssl_init_tls_dom: No EC curve defined
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> INFO:tls_openssl:get_ssl_ctx_verify_mode: client verification NOT
> activated. Weaker security.
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom1'
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'dom1' defined, using
> default '/etc/pki/CA/'
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> NOTICE:tls_openssl:openssl_init_tls_dom: No EC curve defined
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> INFO:tls_openssl:get_ssl_ctx_verify_mode: server verification NOT
> activated. Weaker security.
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> INFO:proto_tls:mod_init: initializing TLS protocol
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> INFO:proto_bin:mod_init: initializing BIN protocol
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> INFO:clusterer:mod_init: Clusterer module - initializing
> > Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
> CRITICAL:core:sig_usr: segfault in attendant (starter) process!
> > Sep 25 10:14:01 ip-10-100-20-35 kernel: [39023.653243] opensips[4935]:
> segfault at 0 ip  sp 7ffececa3d08 error 14 in
> opensips[558b5bb75000+1c000]
> > Sep 25 10:14:01 ip-10-100-20-35 kernel: [39023.666503] Code: Bad RIP
> value.
> > Sep 25 10:14:01 ip-10-100-20-35 opensips: INFO:core:daemonize:
> pre-daemon process exiting with -1
> >
> > and my client domain settings
> >
> > #client domain
> > modparam("tls_mgm", "client_domain", "dom1")
> > modparam("tls_mgm", "match_ip_address", "[dom1]*")
> > modparam("tls_mgm", "match_sip_domain", "[dom1]*")
> > modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
> > modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
> > modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
> > modparam("tls_mgm","tls_method", "[dom1]SSLv23")
> > modparam("tls_mgm","verify_cert", "[dom1]0")
> > modparam("tls_mgm","require_cert", "[dom1]0")
> >
> > It is expected to see some other errors such as invalid cert but not
> crash in pre-daemon process. Any clue on this for me to debug? If I remove
> "?tls_domain=dom1", there is no such crash though the opensips server still
> couldn't start because I forced the mysql db to use ssl connection. Thanks!
> >
> > On Mon, Sep 19, 2022 at 9:09 PM Vlad Patrascu 
> wrote:
> >>
> >> Hi Jacky,
> >>
> >> I can't think of any workaround unfortunately.
> >>
> >> Regards,
> >>
> >> --
> >> Vlad Patrascu
> >> OpenSIPS Core Developer
> >> http://www.opensips-solutions.com
> >>
> >> On 17.09.2022 18:46, jacky z wrote:
> >>
> >> Hi  Vlad,
> >>
> >> Is there any workaround to disable the client cert? Thanks!
> >>
> >> On Wed, Sep 14, 2022 at 9:16 PM Vlad Patrascu 
> wrote:
> >>>
> >>> Hi Jacky,
> >>>
> >>> OpenSIPS will always require you to configure a client certificate for
> TLS client domains and will also present that certificate when connecting.
> But normally, a TLS server can simply choose not to verify the client
> certificate. I don't have any experience with AWS RDS though but it seems
> odd to not accept a connection only because the client 

Re: [OpenSIPS-Users] Connect to AWS RDS database with SSL enabled

2022-09-25 Thread Ovidiu Sas
Which version of opensips are you using?
Can you install the debug symbols and get a backtrace from the core file?
https://www.opensips.org/Documentation/TroubleShooting-Crash

Regards,
Ovidiu Sas

On Sun, Sep 25, 2022 at 6:32 AM jacky z  wrote:
>
> Hi Vlad,
>
> It seems opensips crashed when I set ?tls_domain=dom1 to enable tls 
> connection to mysql db.  I followed the method in the manual.
>
> modparam("usrloc", "db_url", 
> "mysql://root:1234@localhost/opensips?tls_domain=dom1")
>
>
> Here is the log.
>
> Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
> INFO:tls_mgm:mod_init: initializing TLS management
> Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
> INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom'
> Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
> NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'dom' defined, using default 
> '/etc/pki/CA/'
> Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
> NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
> Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
> NOTICE:tls_openssl:openssl_init_tls_dom: No EC curve defined
> Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
> INFO:tls_openssl:get_ssl_ctx_verify_mode: client verification NOT activated. 
> Weaker security.
> Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
> INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom1'
> Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
> NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'dom1' defined, using default 
> '/etc/pki/CA/'
> Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
> NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
> Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
> NOTICE:tls_openssl:openssl_init_tls_dom: No EC curve defined
> Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
> INFO:tls_openssl:get_ssl_ctx_verify_mode: server verification NOT activated. 
> Weaker security.
> Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
> INFO:proto_tls:mod_init: initializing TLS protocol
> Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
> INFO:proto_bin:mod_init: initializing BIN protocol
> Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
> INFO:clusterer:mod_init: Clusterer module - initializing
> Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]: 
> CRITICAL:core:sig_usr: segfault in attendant (starter) process!
> Sep 25 10:14:01 ip-10-100-20-35 kernel: [39023.653243] opensips[4935]: 
> segfault at 0 ip  sp 7ffececa3d08 error 14 in 
> opensips[558b5bb75000+1c000]
> Sep 25 10:14:01 ip-10-100-20-35 kernel: [39023.666503] Code: Bad RIP value.
> Sep 25 10:14:01 ip-10-100-20-35 opensips: INFO:core:daemonize: pre-daemon 
> process exiting with -1
>
> and my client domain settings
>
> #client domain
> modparam("tls_mgm", "client_domain", "dom1")
> modparam("tls_mgm", "match_ip_address", "[dom1]*")
> modparam("tls_mgm", "match_sip_domain", "[dom1]*")
> modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
> modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
> modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
> modparam("tls_mgm","tls_method", "[dom1]SSLv23")
> modparam("tls_mgm","verify_cert", "[dom1]0")
> modparam("tls_mgm","require_cert", "[dom1]0")
>
> It is expected to see some other errors such as invalid cert but not crash in 
> pre-daemon process. Any clue on this for me to debug? If I remove 
> "?tls_domain=dom1", there is no such crash though the opensips server still 
> couldn't start because I forced the mysql db to use ssl connection. Thanks!
>
> On Mon, Sep 19, 2022 at 9:09 PM Vlad Patrascu  wrote:
>>
>> Hi Jacky,
>>
>> I can't think of any workaround unfortunately.
>>
>> Regards,
>>
>> --
>> Vlad Patrascu
>> OpenSIPS Core Developer
>> http://www.opensips-solutions.com
>>
>> On 17.09.2022 18:46, jacky z wrote:
>>
>> Hi  Vlad,
>>
>> Is there any workaround to disable the client cert? Thanks!
>>
>> On Wed, Sep 14, 2022 at 9:16 PM Vlad Patrascu  wrote:
>>>
>>> Hi Jacky,
>>>
>>> OpenSIPS will always require you to configure a client certificate for TLS 
>>> client domains and will also present that certificate when connecting. But 
>>> normally, a TLS server can simply choose not to verify the client 
>>> certificate. I don't have any experience with AWS RDS though but it seems 
>>> odd to not accept a connection only because the client did present a 
>>> certificate.
>>>
>>> Regards,
>>>
>>> --
>>> Vlad Patrascu
>>> OpenSIPS Core Developer
>>> http://www.opensips-solutions.com
>>>
>>> On 14.09.2022 05:42, jacky z wrote:
>>>
>>> Hi Bogdan-Andrei,
>>>
>>> I checked the mariadb documentation and found mariadb has two options to 
>>> set ssl connection: two-way TLS and one-way TLS. It seems AWS RDS only 
>>> supports one-way TLS, that is, TLS is used without a client cert. Does 
>>> OPENSIPS support such one-way TLS to 

Re: [OpenSIPS-Users] Connect to AWS RDS database with SSL enabled

2022-09-25 Thread jacky z
Hi Vlad,

It seems opensips crashed when I set ?tls_domain=dom1 to enable tls
connection to mysql db.  I followed the method in the manual.

modparam("usrloc", "db_url",
"mysql://root:1234@localhost/opensips?tls_domain=dom1")


Here is the log.

Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
INFO:tls_mgm:mod_init: initializing TLS management
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom'
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'dom' defined, using default
'/etc/pki/CA/'
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
NOTICE:tls_openssl:openssl_init_tls_dom: No EC curve defined
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
INFO:tls_openssl:get_ssl_ctx_verify_mode: client verification NOT
activated. Weaker security.
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
INFO:tls_mgm:init_tls_dom: Processing TLS domain 'dom1'
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
NOTICE:tls_mgm:init_tls_dom: no CA dir for tls 'dom1' defined, using
default '/etc/pki/CA/'
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
NOTICE:tls_mgm:init_tls_dom: no crl for tls, using none
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
NOTICE:tls_openssl:openssl_init_tls_dom: No EC curve defined
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
INFO:tls_openssl:get_ssl_ctx_verify_mode: server verification NOT
activated. Weaker security.
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
INFO:proto_tls:mod_init: initializing TLS protocol
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
INFO:proto_bin:mod_init: initializing BIN protocol
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
INFO:clusterer:mod_init: Clusterer module - initializing
Sep 25 10:14:01 ip-10-100-20-35 /usr/sbin/opensips[4935]:
CRITICAL:core:sig_usr: segfault in attendant (starter) process!
Sep 25 10:14:01 ip-10-100-20-35 kernel: [39023.653243] opensips[4935]:
segfault at 0 ip  sp 7ffececa3d08 error 14 in
opensips[558b5bb75000+1c000]
Sep 25 10:14:01 ip-10-100-20-35 kernel: [39023.666503] Code: Bad RIP value.
Sep 25 10:14:01 ip-10-100-20-35 opensips: INFO:core:daemonize: pre-daemon
process exiting with -1

and my client domain settings

#client domain
modparam("tls_mgm", "client_domain", "dom1")
modparam("tls_mgm", "match_ip_address", "[dom1]*")
modparam("tls_mgm", "match_sip_domain", "[dom1]*")
modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm","tls_method", "[dom1]SSLv23")
modparam("tls_mgm","verify_cert", "[dom1]0")
modparam("tls_mgm","require_cert", "[dom1]0")

It is expected to see some other errors such as invalid cert but not crash
in pre-daemon process. Any clue on this for me to debug? If I remove
"?tls_domain=dom1",
there is no such crash though the opensips server still couldn't start
because I forced the mysql db to use ssl connection. Thanks!

On Mon, Sep 19, 2022 at 9:09 PM Vlad Patrascu  wrote:

> Hi Jacky,
>
> I can't think of any workaround unfortunately.
>
> Regards,
>
> --
> Vlad Patrascu
> OpenSIPS Core Developer
> http://www.opensips-solutions.com
>
> On 17.09.2022 18:46, jacky z wrote:
>
> Hi  Vlad,
>
> Is there any workaround to disable the client cert? Thanks!
>
> On Wed, Sep 14, 2022 at 9:16 PM Vlad Patrascu  wrote:
>
>> Hi Jacky,
>>
>> OpenSIPS will always require you to configure a client certificate for
>> TLS client domains and will also present that certificate when connecting.
>> But normally, a TLS server can simply choose not to verify the client
>> certificate. I don't have any experience with AWS RDS though but it seems
>> odd to not accept a connection only because the client did present a
>> certificate.
>>
>> Regards,
>>
>> --
>> Vlad Patrascu
>> OpenSIPS Core Developer
>> http://www.opensips-solutions.com
>>
>> On 14.09.2022 05:42, jacky z wrote:
>>
>> Hi Bogdan-Andrei,
>>
>> I checked the mariadb documentation and found mariadb has two options to
>> set ssl connection: two-way TLS and one-way TLS. It seems AWS RDS only
>> supports one-way TLS, that is, TLS is used without a client cert. Does
>> OPENSIPS support such one-way TLS to connect a database? Thanks!
>>
>> On Wed, Sep 14, 2022 at 12:06 AM jacky z  wrote:
>>
>>> Hi Bogdan-Andrei,
>>>
>>> I have set the "certificate" and "private_key" in my script, as I
>>> explained in method 1. However, AWS RDS doesn't support a client cert.
>>> Please refer to
>>>
>>> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>>>
>>> Is there any workaround to use the public cert list 

Re: [OpenSIPS-Users] Connect to AWS RDS database with SSL enabled

2022-09-19 Thread Vlad Patrascu

Hi Jacky,

I can't think of any workaround unfortunately.

Regards,

--
Vlad Patrascu
OpenSIPS Core Developer
http://www.opensips-solutions.com

On 17.09.2022 18:46, jacky z wrote:

Hi  Vlad,

Is there any workaround to disable the client cert? Thanks!

On Wed, Sep 14, 2022 at 9:16 PM Vlad Patrascu  wrote:

Hi Jacky,

OpenSIPS will always require you to configure a client certificate
for TLS client domains and will also present that certificate when
connecting. But normally, a TLS server can simply choose not to
verify the client certificate. I don't have any experience with
AWS RDS though but it seems odd to not accept a connection only
because the client did present a certificate.

Regards,

-- 
Vlad Patrascu

OpenSIPS Core Developer
http://www.opensips-solutions.com

On 14.09.2022 05:42, jacky z wrote:

Hi Bogdan-Andrei,

I checked the mariadb documentation and found mariadb has two
options to set ssl connection: two-way TLS and one-way TLS. It
seems AWS RDS only supports one-way TLS, that is, TLS is used
without a client cert. Does OPENSIPS support such one-way TLS to
connect a database? Thanks!

On Wed, Sep 14, 2022 at 12:06 AM jacky z  wrote:

Hi Bogdan-Andrei,

I have set the "certificate" and "private_key" in my script,
as I explained in method 1. However, AWS RDS doesn't support
a client cert. Please refer to

https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws

Is there any workaround to use the public cert list provided
by AWS? Anyone has successfully used RDS with SSL
connections? Thanks!

On Tue, Sep 13, 2022 at 9:54 PM Bogdan-Andrei Iancu
 wrote:

Set the certificate and key you have in the tls_mgm
module, for the "certificate" and "private_key" parameters.

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
   https://www.opensips.org/events/Summit-2022Athens/

On 9/13/22 2:57 PM, jacky z wrote:

Hi Bogdan-Andrei,

I tried two methods.

Method 1:

#enabled TLS connection:
modparam("db_mysql", "use_tls", 1)

#setup a client domain:
modparam("tls_mgm", "client_domain", "dom1")
modparam("tls_mgm", "match_ip_address", "[dom1]*")
modparam("tls_mgm", "match_sip_domain", "[dom1]*")
modparam("tls_mgm","certificate",
"[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm","private_key",
"[dom1]/etc/ssl/private/rootCAKey.pem")
modparam("tls_mgm","ca_list",
"[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm","tls_method", "[dom1]SSLv23")
modparam("tls_mgm","verify_cert", "[dom1]0")
modparam("tls_mgm","require_cert", "[dom1]0")
# set db_url
modparam("usrloc", "db_url",
"mysql://root:1234@/opensips?tls_domain=dom1")
...

I couldn't figure out how to use global-bundle.pem AWS
provided with this method. No luck to get a connection
with RDS. If I don't use ssl, opensips can connect to
RDS without encryption.

Method 2:

I tried

modparam("usrloc", "db_url",
"mysql://root:1234@/opensips?ssl=true&ssl_ca_certs=/etc/ssl/certs/global-bundle.pem")

to include the AWS cert. Still no luck.

Thanks!

On Tue, Sep 13, 2022 at 4:52 PM Bogdan-Andrei Iancu
 wrote:

Hi,

sorry for my silly question, but how do you connect
from the OpenSIPS side ??

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
   https://www.opensips.org/events/Summit-2022Athens/

On 9/13/22 10:41 AM, jacky z wrote:

Hi Team,

We hope to connect to aws RDS database with ssl
encryption. We have setup a client domain according
to OPENSIPS documents. However, AWS RDS does not
support client cert as someone has confirmed with
AWS

https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws

Is there any way to use the cert provided by AWS to
connect? AWS provides a global-bundle.pem

(https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)
 

Re: [OpenSIPS-Users] Connect to AWS RDS database with SSL enabled

2022-09-17 Thread jacky z
Hi Vlad,

Is there any workaround to disable the client cert? Thanks!

On Wed, Sep 14, 2022 at 9:16 PM Vlad Patrascu  wrote:

> Hi Jacky,
>
> OpenSIPS will always require you to configure a client certificate for TLS
> client domains and will also present that certificate when connecting. But
> normally, a TLS server can simply choose not to verify the client
> certificate. I don't have any experience with AWS RDS though but it seems
> odd to not accept a connection only because the client did present a
> certificate.
>
> Regards,
>
> --
> Vlad Patrascu
> OpenSIPS Core Developer
> http://www.opensips-solutions.com
>
> On 14.09.2022 05:42, jacky z wrote:
>
> Hi Bogdan-Andrei,
>
> I checked the mariadb documentation and found mariadb has two options to
> set ssl connection: two-way TLS and one-way TLS. It seems AWS RDS only
> supports one-way TLS, that is, TLS is used without a client cert. Does
> OPENSIPS support such one-way TLS to connect a database? Thanks!
>
> On Wed, Sep 14, 2022 at 12:06 AM jacky z  wrote:
>
>> Hi Bogdan-Andrei,
>>
>> I have set the "certificate" and "private_key" in my script, as I
>> explained in method 1. However, AWS RDS doesn't support a client cert.
>> Please refer to
>>
>> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>>
>> Is there any workaround to use the public cert list provided by AWS?
>> Anyone has successfully used RDS with SSL connections? Thanks!
>>
>> On Tue, Sep 13, 2022 at 9:54 PM Bogdan-Andrei Iancu 
>> wrote:
>>
>>> Set the certificate and key you have in the tls_mgm module, for the
>>> "certificate" and "private_key" parameters.
>>>
>>> Regards,
>>>
>>> Bogdan-Andrei Iancu
>>>
>>> OpenSIPS Founder and Developer
>>>   https://www.opensips-solutions.com
>>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>>   https://www.opensips.org/events/Summit-2022Athens/
>>>
>>> On 9/13/22 2:57 PM, jacky z wrote:
>>>
>>> Hi Bogdan-Andrei,
>>>
>>> I tried two methods.
>>>
>>> Method 1:
>>>
>>> #enabled TLS connection:
>>> modparam("db_mysql", "use_tls", 1)
>>>
>>> #setup a client domain:
>>> modparam("tls_mgm", "client_domain", "dom1")
>>> modparam("tls_mgm", "match_ip_address", "[dom1]*")
>>> modparam("tls_mgm", "match_sip_domain", "[dom1]*")
>>> modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
>>> modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
>>> modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
>>> modparam("tls_mgm","tls_method", "[dom1]SSLv23")
>>> modparam("tls_mgm","verify_cert", "[dom1]0")
>>> modparam("tls_mgm","require_cert", "[dom1]0")
>>> # set db_url
>>> modparam("usrloc", "db_url", "mysql://root:1234@/opensips?tls_domain=dom1")
>>> ...
>>>
>>> I couldn't figure out how to use global-bundle.pem AWS provided with
>>> this method. No luck to get a connection with RDS. If I don't use ssl,
>>> opensips can connect to RDS without encryption.
>>>
>>> Method 2:
>>>
>>> I tried
>>>
>>> modparam("usrloc", "db_url", "mysql://root:1234@/opensips?ssl=true&ssl_ca_certs=/etc/ssl/certs/global-bundle.pem")
>>>
>>> to include the AWS cert. Still no luck.
>>>
>>> Thanks!
>>>
>>> On Tue, Sep 13, 2022 at 4:52 PM Bogdan-Andrei Iancu 
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> sorry for my silly question, but how do you connect from the OpenSIPS
>>>> side ??
>>>>
>>>> Regards,
>>>>
>>>> Bogdan-Andrei Iancu
>>>>
>>>> OpenSIPS Founder and Developer
>>>>   https://www.opensips-solutions.com
>>>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>>>   https://www.opensips.org/events/Summit-2022Athens/
>>>>
>>>> On 9/13/22 10:41 AM, jacky z wrote:
>>>>
>>>> Hi Team,
>>>>
>>>> We hope to connect to aws RDS database with ssl encryption. We have
>>>> setup a client domain according to OPENSIPS documents. However, AWS RDS
>>>> does not support client cert as someone has confirmed with AWS
>>>> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>>>>
>>>> Is there any way to use the cert provided by AWS to connect? AWS
>>>> provides a global-bundle.pem (
>>>> https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)
>>>> for such a connection, but we don't know how to include it in the config
>>>> file.
>>>>
>>>> Thanks
>>>>
>>>> Jacky z


Re: [OpenSIPS-Users] Connect to AWS RDS database with SSL enabled

2022-09-15 Thread jacky z
Hi Vlad,

In theory, the RDS server is expected to work like what you mentioned.
However, based on testing, when the client cert and key are specified, the
connection can't be set.
For example, if we specify the following when we connect to the RDS server
on the command line in our testing
--ssl-cert=/etc/ssl/certs/rootCACert.pem
--ssl-key=/etc/ssl/private/rootCAKey.pem

RDS returns this error:
ERROR 2013 (HY000): Lost connection to MySQL server at 'reading authorization packet', system error: 11

On Wed, Sep 14, 2022 at 9:16 PM Vlad Patrascu  wrote:

> Hi Jacky,
>
> OpenSIPS will always require you to configure a client certificate for TLS
> client domains and will also present that certificate when connecting. But
> normally, a TLS server can simply choose not to verify the client
> certificate. I don't have any experience with AWS RDS though but it seems
> odd to not accept a connection only because the client did present a
> certificate.
>
> Regards,
>
> --
> Vlad Patrascu
> OpenSIPS Core Developer
> http://www.opensips-solutions.com
>
> On 14.09.2022 05:42, jacky z wrote:
>
> Hi Bogdan-Andrei,
>
> I checked the mariadb documentation and found mariadb has two options to
> set ssl connection: two-way TLS and one-way TLS. It seems AWS RDS only
> supports one-way TLS, that is, TLS is used without a client cert. Does
> OPENSIPS support such one-way TLS to connect a database? Thanks!
>
> On Wed, Sep 14, 2022 at 12:06 AM jacky z  wrote:
>
>> Hi Bogdan-Andrei,
>>
>> I have set the "certificate" and "private_key" in my script, as I
>> explained in method 1. However, AWS RDS doesn't support a client cert.
>> Please refer to
>>
>> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>>
>> Is there any workaround to use the public cert list provided by AWS?
>> Anyone has successfully used RDS with SSL connections? Thanks!
>>
>> On Tue, Sep 13, 2022 at 9:54 PM Bogdan-Andrei Iancu 
>> wrote:
>>
>>> Set the certificate and key you have in the tls_mgm module, for the
>>> "certificate" and "private_key" parameters.
>>>
>>> Regards,
>>>
>>> Bogdan-Andrei Iancu
>>>
>>> OpenSIPS Founder and Developer
>>>   https://www.opensips-solutions.com
>>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>>   https://www.opensips.org/events/Summit-2022Athens/
>>>
>>> On 9/13/22 2:57 PM, jacky z wrote:
>>>
>>> Hi Bogdan-Andrei,
>>>
>>> I tried two methods.
>>>
>>> Method 1:
>>>
>>> #enabled TLS connection:
>>> modparam("db_mysql", "use_tls", 1)
>>>
>>> #setup a client domain:
>>> modparam("tls_mgm", "client_domain", "dom1")
>>> modparam("tls_mgm", "match_ip_address", "[dom1]*")
>>> modparam("tls_mgm", "match_sip_domain", "[dom1]*")
>>> modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
>>> modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
>>> modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
>>> modparam("tls_mgm","tls_method", "[dom1]SSLv23")
>>> modparam("tls_mgm","verify_cert", "[dom1]0")
>>> modparam("tls_mgm","require_cert", "[dom1]0")
>>> # set db_url
>>> modparam("usrloc", "db_url", "mysql://root:1234@/opensips?tls_domain=dom1")
>>> ...
>>>
>>> I couldn't figure out how to use global-bundle.pem AWS provided with
>>> this method. No luck to get a connection with RDS. If I don't use ssl,
>>> opensips can connect to RDS without encryption.
>>>
>>> Method 2:
>>>
>>> I tried
>>>
>>> modparam("usrloc", "db_url", "mysql://root:1234@/opensips?ssl=true&ssl_ca_certs=/etc/ssl/certs/global-bundle.pem")
>>>
>>> to include the AWS cert. Still no luck.
>>>
>>> Thanks!
>>>
>>> On Tue, Sep 13, 2022 at 4:52 PM Bogdan-Andrei Iancu 
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> sorry for my silly question, but how do you connect from the OpenSIPS
>>>> side ??
>>>>
>>>> Regards,
>>>>
>>>> Bogdan-Andrei Iancu
>>>>
>>>> OpenSIPS Founder and Developer
>>>>   https://www.opensips-solutions.com
>>>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>>>   https://www.opensips.org/events/Summit-2022Athens/
>>>>
>>>> On 9/13/22 10:41 AM, jacky z wrote:
>>>>
>>>> Hi Team,
>>>>
>>>> We hope to connect to aws RDS database with ssl encryption. We have
>>>> setup a client domain according to OPENSIPS documents. However, AWS RDS
>>>> does not support client cert as someone has confirmed with AWS
>>>> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>>>>
>>>> Is there any way to use the cert provided by AWS to connect? AWS
>>>> provides a global-bundle.pem (
>>>> https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)
>>>> for such a connection, but we don't know how to include it in the config
>>>> file.
>>>>
>>>> Thanks
>>>>
>>>> Jacky z


Re: [OpenSIPS-Users] Connect to AWS RDS database with SSL enabled

2022-09-14 Thread Vlad Patrascu

Hi Jacky,

OpenSIPS will always require you to configure a client certificate for 
TLS client domains and will also present that certificate when 
connecting. But normally, a TLS server can simply choose not to verify 
the client certificate. I don't have any experience with AWS RDS though 
but it seems odd to not accept a connection only because the client did 
present a certificate.


Regards,

--
Vlad Patrascu
OpenSIPS Core Developer
http://www.opensips-solutions.com

On 14.09.2022 05:42, jacky z wrote:

Hi Bogdan-Andrei,

I checked the mariadb documentation and found mariadb has two options
to set ssl connection: two-way TLS and one-way TLS. It seems AWS RDS
only supports one-way TLS, that is, TLS is used without a client cert.
Does OPENSIPS support such one-way TLS to connect a database? Thanks!


On Wed, Sep 14, 2022 at 12:06 AM jacky z  wrote:

Hi Bogdan-Andrei,

I have set the "certificate" and "private_key" in my script, as I
explained in method 1. However, AWS RDS doesn't support a client
cert. Please refer to

https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws

Is there any workaround to use the public cert list provided by
AWS? Anyone has successfully used RDS with SSL connections? Thanks!

On Tue, Sep 13, 2022 at 9:54 PM Bogdan-Andrei Iancu
 wrote:

Set the certificate and key you have in the tls_mgm module,
for the "certificate" and "private_key" parameters.

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
   https://www.opensips.org/events/Summit-2022Athens/

On 9/13/22 2:57 PM, jacky z wrote:

Hi Bogdan-Andrei,

I tried two methods.

Method 1:

#enabled TLS connection:
modparam("db_mysql", "use_tls", 1)

#setup a client domain:
modparam("tls_mgm", "client_domain", "dom1")
modparam("tls_mgm", "match_ip_address", "[dom1]*")
modparam("tls_mgm", "match_sip_domain", "[dom1]*")
modparam("tls_mgm","certificate",
"[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm","private_key",
"[dom1]/etc/ssl/private/rootCAKey.pem")
modparam("tls_mgm","ca_list",
"[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm","tls_method", "[dom1]SSLv23")
modparam("tls_mgm","verify_cert", "[dom1]0")
modparam("tls_mgm","require_cert", "[dom1]0")
# set db_url
modparam("usrloc", "db_url",
"mysql://root:1234@/opensips?tls_domain=dom1")
...

I couldn't figure out how to use global-bundle.pem AWS
provided with this method. No luck to get a connection with
RDS. If I don't use ssl, opensips can connect to RDS without
encryption.

Method 2:

I tried

modparam("usrloc", "db_url",
"mysql://root:1234@/opensips?ssl=true&ssl_ca_certs=/etc/ssl/certs/global-bundle.pem")

to include the AWS cert. Still no luck.

Thanks!

On Tue, Sep 13, 2022 at 4:52 PM Bogdan-Andrei Iancu
 wrote:

Hi,

sorry for my silly question, but how do you connect from
the OpenSIPS side ??

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
   https://www.opensips.org/events/Summit-2022Athens/

On 9/13/22 10:41 AM, jacky z wrote:

Hi Team,

We hope to connect to aws RDS database with ssl
encryption. We have setup a client domain according to
OPENSIPS documents. However, AWS RDS does not support
client cert as someone has confirmed with AWS

https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws

Is there any way to use the cert provided by AWS to
connect? AWS provides a global-bundle.pem

(https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)
for such a connection, but we don't know how to include
it in the config file.

Thanks

Jacky z



Re: [OpenSIPS-Users] Connect to AWS RDS database with SSL enabled

2022-09-13 Thread jacky z
Hi Bogdan-Andrei,

I checked the mariadb documentation and found mariadb has two options to
set ssl connection: two-way TLS and one-way TLS. It seems AWS RDS only
supports one-way TLS, that is, TLS is used without a client cert. Does
OPENSIPS support such one-way TLS to connect a database? Thanks!

On Wed, Sep 14, 2022 at 12:06 AM jacky z  wrote:

> Hi Bogdan-Andrei,
>
> I have set the "certificate" and "private_key" in my script, as I
> explained in method 1. However, AWS RDS doesn't support a client cert.
> Please refer to
>
> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>
> Is there any workaround to use the public cert list provided by AWS?
> Anyone has successfully used RDS with SSL connections? Thanks!
>
> On Tue, Sep 13, 2022 at 9:54 PM Bogdan-Andrei Iancu 
> wrote:
>
>> Set the certificate and key you have in the tls_mgm module, for the
>> "certificate" and "private_key" parameters.
>>
>> Regards,
>>
>> Bogdan-Andrei Iancu
>>
>> OpenSIPS Founder and Developer
>>   https://www.opensips-solutions.com
>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>   https://www.opensips.org/events/Summit-2022Athens/
>>
>> On 9/13/22 2:57 PM, jacky z wrote:
>>
>> Hi Bogdan-Andrei,
>>
>> I tried two methods.
>>
>> Method 1:
>>
>> #enabled TLS connection:
>> modparam("db_mysql", "use_tls", 1)
>>
>> #setup a client domain:
>> modparam("tls_mgm", "client_domain", "dom1")
>> modparam("tls_mgm", "match_ip_address", "[dom1]*")
>> modparam("tls_mgm", "match_sip_domain", "[dom1]*")
>> modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
>> modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
>> modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
>> modparam("tls_mgm","tls_method", "[dom1]SSLv23")
>> modparam("tls_mgm","verify_cert", "[dom1]0")
>> modparam("tls_mgm","require_cert", "[dom1]0")
>> # set db_url
>> modparam("usrloc", "db_url", "mysql://root:1234@/opensips?tls_domain=dom1")
>> ...
>>
>> I couldn't figure out how to use global-bundle.pem AWS provided with this
>> method. No luck to get a connection with RDS. If I don't use ssl, opensips
>> can connect to RDS without encryption.
>>
>> Method 2:
>>
>> I tried
>>
>> modparam("usrloc", "db_url", "mysql://root:1234@/opensips?ssl=true&ssl_ca_certs=/etc/ssl/certs/global-bundle.pem")
>>
>> to include the AWS cert. Still no luck.
>>
>> Thanks!
>>
>> On Tue, Sep 13, 2022 at 4:52 PM Bogdan-Andrei Iancu 
>> wrote:
>>
>>> Hi,
>>>
>>> sorry for my silly question, but how do you connect from the OpenSIPS
>>> side ??
>>>
>>> Regards,
>>>
>>> Bogdan-Andrei Iancu
>>>
>>> OpenSIPS Founder and Developer
>>>   https://www.opensips-solutions.com
>>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>>   https://www.opensips.org/events/Summit-2022Athens/
>>>
>>> On 9/13/22 10:41 AM, jacky z wrote:
>>>
>>> Hi Team,
>>>
>>> We hope to connect to aws RDS database with ssl encryption. We have
>>> setup a client domain according to OPENSIPS documents. However, AWS RDS
>>> does not support client cert as someone has confirmed with AWS
>>> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>>>
>>> Is there any way to use the cert provided by AWS to connect? AWS
>>> provides a global-bundle.pem (
>>> https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)
>>> for such a connection, but we don't know how to include it in the config
>>> file.
>>>
>>> Thanks
>>>
>>> Jacky z
>>>


Re: [OpenSIPS-Users] Connect to AWS RDS database with SSL enabled

2022-09-13 Thread jacky z
Hi Bogdan-Andrei,

I have set the "certificate" and "private_key" in my script, as I explained
in method 1. However, AWS RDS doesn't support a client cert. Please refer to
https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws

Is there any workaround to use the public cert list provided by AWS? Anyone
has successfully used RDS with SSL connections? Thanks!

On Tue, Sep 13, 2022 at 9:54 PM Bogdan-Andrei Iancu 
wrote:

> Set the certificate and key you have in the tls_mgm module, for the
> "certificate" and "private_key" parameters.
>
> Regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
>   https://www.opensips-solutions.com
> OpenSIPS Summit 27-30 Sept 2022, Athens
>   https://www.opensips.org/events/Summit-2022Athens/
>
> On 9/13/22 2:57 PM, jacky z wrote:
>
> Hi Bogdan-Andrei,
>
> I tried two methods.
>
> Method 1:
>
> #enabled TLS connection:
> modparam("db_mysql", "use_tls", 1)
>
> #setup a client domain:
> modparam("tls_mgm", "client_domain", "dom1")
> modparam("tls_mgm", "match_ip_address", "[dom1]*")
> modparam("tls_mgm", "match_sip_domain", "[dom1]*")
> modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
> modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
> modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
> modparam("tls_mgm","tls_method", "[dom1]SSLv23")
> modparam("tls_mgm","verify_cert", "[dom1]0")
> modparam("tls_mgm","require_cert", "[dom1]0")
> # set db_url
> modparam("usrloc", "db_url", "mysql://root:1234@/opensips?tls_domain=dom1")
> ...
>
> I couldn't figure out how to use global-bundle.pem AWS provided with this
> method. No luck to get a connection with RDS. If I don't use ssl, opensips
> can connect to RDS without encryption.
>
> Method 2:
>
> I tried
>
> modparam("usrloc", "db_url", "mysql://root:1234@/opensips?ssl=true&ssl_ca_certs=/etc/ssl/certs/global-bundle.pem")
>
> to include the AWS cert. Still no luck.
>
> Thanks!
>
> On Tue, Sep 13, 2022 at 4:52 PM Bogdan-Andrei Iancu 
> wrote:
>
>> Hi,
>>
>> sorry for my silly question, but how do you connect from the OpenSIPS
>> side ??
>>
>> Regards,
>>
>> Bogdan-Andrei Iancu
>>
>> OpenSIPS Founder and Developer
>>   https://www.opensips-solutions.com
>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>   https://www.opensips.org/events/Summit-2022Athens/
>>
>> On 9/13/22 10:41 AM, jacky z wrote:
>>
>> Hi Team,
>>
>> We hope to connect to aws RDS database with ssl encryption. We have setup
>> a client domain according to OPENSIPS documents. However, AWS RDS does not
>> support client cert as someone has confirmed with AWS
>> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>>
>> Is there any way to use the cert provided by AWS to connect? AWS provides
>> a global-bundle.pem (
>> https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)
>> for such a connection, but we don't know how to include it in the config
>> file.
>>
>> Thanks
>>
>> Jacky z
>>


Re: [OpenSIPS-Users] Connect to AWS RDS database with SSL enabled

2022-09-13 Thread Bogdan-Andrei Iancu
Set the certificate and key you have in the tls_mgm module, for the 
"certificate" and "private_key" parameters.


Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
  https://www.opensips.org/events/Summit-2022Athens/

On 9/13/22 2:57 PM, jacky z wrote:

Hi Bogdan-Andrei,

I tried two methods.

Method 1:

#enabled TLS connection:
modparam("db_mysql", "use_tls", 1)

#setup a client domain:
modparam("tls_mgm", "client_domain", "dom1")
modparam("tls_mgm", "match_ip_address", "[dom1]*")
modparam("tls_mgm", "match_sip_domain", "[dom1]*")
modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm","tls_method", "[dom1]SSLv23")
modparam("tls_mgm","verify_cert", "[dom1]0")
modparam("tls_mgm","require_cert", "[dom1]0")
# set db_url
modparam("usrloc", "db_url", 
"mysql://root:1234@/opensips?tls_domain=dom1")

...

I couldn't figure out how to use global-bundle.pem AWS provided with 
this method. No luck to get a connection with RDS. If I don't use ssl, 
opensips can connect to RDS without encryption.


Method 2:

I tried

modparam("usrloc", "db_url",
"mysql://root:1234@/opensips?ssl=true&ssl_ca_certs=/etc/ssl/certs/global-bundle.pem")


to include the AWS cert. Still no luck.

Thanks!

On Tue, Sep 13, 2022 at 4:52 PM Bogdan-Andrei Iancu wrote:


Hi,

sorry for my silly question, but how do you connect from the
OpenSIPS side ??

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com  
OpenSIPS Summit 27-30 Sept 2022, Athens
   https://www.opensips.org/events/Summit-2022Athens/  


On 9/13/22 10:41 AM, jacky z wrote:

Hi Team,

We hope to connect to aws RDS database with ssl encryption. We
have setup a client domain according to OPENSIPS documents.
However, AWS RDS does not support client cert as someone has
confirmed with AWS

https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws



Is there any way to use the cert provided by AWS to connect? AWS
provides a global-bundle.pem
(https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)
for such a connection, but we don't know how to include it in the
config file.

Thanks

Jacky z



Re: [OpenSIPS-Users] Connect to AWS RDS database with SSL enabled

2022-09-13 Thread jacky z
Hi Bogdan-Andrei,

I tried two methods.

Method 1:

#enabled TLS connection:
modparam("db_mysql", "use_tls", 1)

#setup a client domain:
modparam("tls_mgm", "client_domain", "dom1")
modparam("tls_mgm", "match_ip_address", "[dom1]*")
modparam("tls_mgm", "match_sip_domain", "[dom1]*")
modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm","tls_method", "[dom1]SSLv23")
modparam("tls_mgm","verify_cert", "[dom1]0")
modparam("tls_mgm","require_cert", "[dom1]0")
# set db_url
modparam("usrloc", "db_url", "mysql://root:1234@/opensips?tls_domain=dom1")
...

I couldn't figure out how to use global-bundle.pem AWS provided with this
method. No luck to get a connection with RDS. If I don't use ssl, opensips
can connect to RDS without encryption.

Method 2:

I tried

modparam("usrloc", "db_url", "mysql://root:1234@/opensips?ssl=true&ssl_ca_certs=/etc/ssl/certs/global-bundle.pem")

to include the AWS cert. Still no luck.

Thanks!

On Tue, Sep 13, 2022 at 4:52 PM Bogdan-Andrei Iancu 
wrote:

> Hi,
>
> sorry for my silly question, but how do you connect from the OpenSIPS side
> ??
>
> Regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
>   https://www.opensips-solutions.com
> OpenSIPS Summit 27-30 Sept 2022, Athens
>   https://www.opensips.org/events/Summit-2022Athens/
>
> On 9/13/22 10:41 AM, jacky z wrote:
>
> Hi Team,
>
> We hope to connect to aws RDS database with ssl encryption. We have setup
> a client domain according to OPENSIPS documents. However, AWS RDS does not
> support client cert as someone has confirmed with AWS
> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>
> Is there any way to use the cert provided by AWS to connect? AWS provides
> a global-bundle.pem (
> https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)
> for such a connection, but we don't know how to include it in the config
> file.
>
> Thanks
>
> Jacky z
>
___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
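
A static check of the two setups posted in the message above, as an added example that is not part of the original messages and is not OpenSIPS code: it parses `modparam()` lines and reports when the client domain referenced by `db_url` disables server verification, does not list the AWS bundle in `ca_list`, or uses one file as both client certificate and trust anchor. The host `db.example.invalid`, the finding names and the `expected_ca` parameter are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed samples: "Method 1" and "Method 2" from the thread. The host is a
# placeholder, because the archive stripped the real one from db_url.
METHOD_1 = '''
#enabled TLS connection:
modparam("db_mysql", "use_tls", 1)
#setup a client domain:
modparam("tls_mgm", "client_domain", "dom1")
modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm","verify_cert", "[dom1]0")
modparam("usrloc", "db_url",
    "mysql://root:1234@db.example.invalid/opensips?tls_domain=dom1")
'''
METHOD_2 = '''
modparam("usrloc", "db_url",
    "mysql://root:1234@db.example.invalid/opensips?ssl=true&ssl_ca_certs=/etc/ssl/certs/global-bundle.pem")
'''

# modparam("module", "name", "string" | integer); arguments may wrap over lines.
MODPARAM = re.compile(
    r'^\s*modparam\(\s*"([^"]+)"\s*,\s*"([^"]+)"\s*,\s*(?:"([^"]*)"|(\d+))\s*\)',
    re.M)
# Per-domain tls_mgm values are written "[domain]value".
DOMAIN_VALUE = re.compile(r'^\[([^\]]+)\](.*)$')


def parse_config(text):
    """Return (client_domains, db_urls, use_tls) read from modparam() lines."""
    clients, params, db_urls, use_tls = set(), {}, [], False
    for module, name, sval, ival in MODPARAM.findall(text):
        value = ival if ival else sval
        if module == "db_mysql" and name == "use_tls":
            use_tls = value == "1"
        elif name == "db_url":
            db_urls.append((module, value))
        elif module == "tls_mgm" and name == "client_domain":
            clients.add(value)
        elif module == "tls_mgm":
            m = DOMAIN_VALUE.match(value)
            if m:
                params.setdefault(m.group(1), {})[name] = m.group(2)
    return {d: params.get(d, {}) for d in clients}, db_urls, use_tls


def audit(text, expected_ca="global-bundle.pem"):
    """Return (subject, finding) pairs for every MySQL db_url in the config."""
    domains, db_urls, use_tls = parse_config(text)
    findings = []
    for module, url in db_urls:
        parts = urlsplit(url)
        if parts.scheme != "mysql":
            continue
        name = parse_qs(parts.query).get("tls_domain", [None])[0]
        if name is None:
            # This URL references no tls_mgm client domain.
            findings.append((module, "NO_TLS_DOMAIN"))
            continue
        if not use_tls:
            findings.append((module, "USE_TLS_NOT_SET"))
        if name not in domains:
            findings.append((name, "UNDEFINED_CLIENT_DOMAIN"))
            continue
        dom = domains[name]
        if dom.get("verify_cert") == "0":
            # verify_cert 0: the server certificate is not validated.
            findings.append((name, "SERVER_CERT_NOT_VERIFIED"))
        ca = dom.get("ca_list", "")
        if expected_ca not in ca:
            findings.append((name, "CA_BUNDLE_NOT_IN_CA_LIST"))
        if ca and ca == dom.get("certificate"):
            # One file is both the presented client cert and the trust anchor.
            findings.append((name, "CLIENT_CERT_IS_TRUST_ANCHOR"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("Method 1", METHOD_1), ("Method 2", METHOD_2)):
        for subject, finding in audit(cfg):
            print(f"{label}: {subject}: {finding}")
```

The check only reads the configuration text; it says nothing about whether RDS accepts the resulting handshake.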


Re: [OpenSIPS-Users] Connect to AWS RDS database with SSL enabled

2022-09-13 Thread Bogdan-Andrei Iancu

Hi,

sorry for my silly question, but how do you connect from the OpenSIPS 
side ??


Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
  https://www.opensips.org/events/Summit-2022Athens/

On 9/13/22 10:41 AM, jacky z wrote:

Hi Team,

We hope to connect to aws RDS database with ssl encryption. We have 
setup a client domain according to OPENSIPS documents. However, AWS 
RDS does not support client cert as someone has confirmed with AWS 
https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws 



Is there any way to use the cert provided by AWS to connect? AWS
provides a global-bundle.pem
(https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)
for such a connection, but we don't know how to include it in the
config file.


Thanks

Jacky z



[OpenSIPS-Users] Connect to AWS RDS database with SSL enabled

2022-09-13 Thread jacky z
Hi Team,

We hope to connect to aws RDS database with ssl encryption. We have setup a
client domain according to OPENSIPS documents. However, AWS RDS does not
support client cert as someone has confirmed with AWS
https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws

Is there any way to use the cert provided by AWS to connect? AWS provides a
global-bundle.pem (
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)
for such a connection, but we don't know how to include it in the config
file.

Thanks

Jacky z