SSL Handshake failure after updating RDS Serverless v2 PostgreSQL 15.2 Certificate Authority from rds-ca-2019 to rds-ca-ecc384-g1

0

I downloaded the latest global-bundle.pem as directed, and set my env vars:
PGSSLROOTCERT=/.../global-bundle.pem
PGSSLMODE=require

psql -h [myDatabaseName].us-east-1.rds.amazonaws.com -d postgres -U [myUserName]
psql: error: connection to server at ".......us-east-1.rds.amazonaws.com" ([ip_address]), port 5432 failed: SSL error: sslv3 alert handshake failure

keytool -printcert -v -file global-bundle.pem

yielded this:

Certificate[85]:
Owner: L=Seattle, CN=Amazon RDS us-east-1 Root CA ECC384 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Issuer: L=Seattle, CN=Amazon RDS us-east-1 Root CA ECC384 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Serial number: f025124f1524f984cd5451696bd38760
Valid from: Tue May 25 12:41:55 HST 2021 until: Sun May 25 13:41:55 HST 2121
Certificate fingerprints:
SHA1: 24:A9:7B:91:CB:E8:69:11:19:05:76:C3:5C:36:AA:B4:FA:7B:25:DE
SHA256: 82:D9:9E:9E:40:97:03:04:4C:3F:88:6F:87:A0:40:8C:96:CD:74:DE:E2:C9:BA:92:0E:65:53:A3:2E:37:25:39
Signature algorithm name: SHA384withECDSA
Subject Public Key Algorithm: 384-bit EC (secp384r1) key
Version: 3

Which confirms the ECC us-east-1 (where my DB resides) certificate is present.

My DB cluster parameter group includes:

ssl=1, ssl_ciphers includes ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-SHA, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES256-GCM-SHA384

openssl s_client -connect .....us-east-1.rds.amazonaws.com:5432 -starttls postgres

yields:

CONNECTED(00000005) 0097844AF87F0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1586:SSL alert number 40

no peer certificate available

No client certificate CA names sent

SSL handshake has read 8 bytes and written 374 bytes
Verification: OK

New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

The problem seems to be that AWS is not supplying its certificate in the handshake.

Everything worked fine before changing the certificate authority, and I can still connect without SSL.

Any ideas?
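As an added diagnostic (not part of the question or the answer, and not AWS or PostgreSQL project code), the following Python script does what `openssl s_client -starttls postgres` does by hand: it sends the PostgreSQL SSLRequest message, attempts a TLS 1.2+ handshake and reports the negotiated suite or the alert that ended the handshake. It also reads an `ssl_ciphers` value for the certificate key types it can authenticate with, since a TLS 1.2 server that holds only an ECDSA certificate cannot select an ECDHE-RSA suite; the host, CA bundle path and cipher string are supplied by the caller, and the cipher string checked below is the one from the question.

```python
import socket
import ssl
import struct

# PostgreSQL SSLRequest: int32 length 8, then the magic code (1234 << 16) | 5679.
SSL_REQUEST_CODE = (1234 << 16) | 5679


def build_ssl_request() -> bytes:
    """Encode the 8-byte SSLRequest that psql sends before starting TLS."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def classify_ssl_response(reply: bytes) -> str:
    """Map the server's one-byte answer to SSLRequest onto a diagnosis."""
    if reply == b"S":
        return "accepts TLS"
    if reply == b"N":
        return "refuses TLS"
    return "unexpected reply"


def cipher_auth_algorithm(openssl_name: str) -> str:
    """Authentication algorithm implied by an OpenSSL TLS 1.2 suite name,
    e.g. ECDHE-RSA-AES128-GCM-SHA256 -> 'RSA', ECDHE-ECDSA-... -> 'ECDSA'.
    TLS 1.3 names (TLS_AES_...) carry no authentication hint -> 'UNKNOWN'."""
    parts = openssl_name.strip().split("-")
    if len(parts) >= 2 and parts[0] in ("ECDHE", "DHE") and parts[1] in ("RSA", "ECDSA"):
        return parts[1]
    if parts and parts[0].startswith("AES"):  # static RSA key exchange, e.g. AES128-GCM-SHA256
        return "RSA"
    return "UNKNOWN"


def cert_key_types_usable(ssl_ciphers_param: str) -> set:
    """Certificate key types a PostgreSQL ssl_ciphers value can authenticate with.
    {'RSA'} means an ECDSA-only server certificate leaves no selectable suite."""
    return {cipher_auth_algorithm(c) for c in ssl_ciphers_param.split(",") if c.strip()}


def probe_postgres_tls(host, port=5432, cafile=None, timeout=10.0) -> dict:
    """Send SSLRequest, attempt a TLS 1.2+ handshake and report what was negotiated,
    or the alert that ended it. Network call; not exercised by the offline checks."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: e.g. the global-bundle.pem path
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(build_ssl_request())
        verdict = classify_ssl_response(raw.recv(1))
        if verdict != "accepts TLS":
            return {"ssl_request": verdict}
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, version, _bits = tls.cipher()
                return {"ssl_request": verdict, "tls_version": version, "cipher": name,
                        "cipher_auth": cipher_auth_algorithm(name),
                        "issuer": dict(rdn[0] for rdn in tls.getpeercert()["issuer"])}
        except ssl.SSLError as exc:  # e.g. "sslv3 alert handshake failure" (alert 40)
            return {"ssl_request": verdict, "handshake_error": str(exc)}
```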

1 Answer
0

Hi there,

- ECC-based encryption (rds-ca-ecc384-g1) is not supported on Aurora.

- Aurora only supports TLS 1.2 and 1.2.

- Revert to the previous cert to resolve the issue.

As per doc:

"Amazon Aurora PostgreSQL supports Transport Layer Security (TLS) versions 1.1 and 1.2. We recommend using TLS 1.2 for encrypted connections." https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Security.html#AuroraPostgreSQL.Security.SSL

answered 9 months ago
