By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

SSL Handshake failure after updating RDS Serverless v2 PostreSQL 15.2 Certificate Authority from rds-ca-2019 to rds-ca-ecc384-g1

0

I downloaded the latest global-bundle.pem as directed, and set my env vars:
PGSSLROOTCERT=/.../global-bundle.pem
PGSSLMODE=require

psql -h [myDatabaseName].us-east-1.rds.amazonaws.com -d postgres -U [myUserName]
psql: error: connection to server at ".......us-east-1.rds.amazonaws.com" ([ip_address]), port 5432 failed: SSL error: sslv3 alert handshake failure

keytool -printcert -v -file global-bundle.pem

yielded this:

Certificate[85]:
Owner: L=Seattle, CN=Amazon RDS us-east-1 Root CA ECC384 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Issuer: L=Seattle, CN=Amazon RDS us-east-1 Root CA ECC384 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Serial number: f025124f1524f984cd5451696bd38760
Valid from: Tue May 25 12:41:55 HST 2021 until: Sun May 25 13:41:55 HST 2121
Certificate fingerprints:
SHA1: 24:A9:7B:91:CB:E8:69:11:19:05:76:C3:5C:36:AA:B4:FA:7B:25:DE
SHA256: 82:D9:9E:9E:40:97:03:04:4C:3F:88:6F:87:A0:40:8C:96:CD:74:DE:E2:C9:BA:92:0E:65:53:A3:2E:37:25:39
Signature algorithm name: SHA384withECDSA
Subject Public Key Algorithm: 384-bit EC (secp384r1) key
Version: 3

Which confirms the ECC us-east-1 (where my DB resides) certificate is present.

My DB cluster parameter group includes:

ssl=1, ssl_ciphers includes ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-SHA, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES256-GCM-SHA384

openssl s_client -connect .....us-east-1.rds.amazonaws.com:5432 -starttls postgres

yields:

CONNECTED(00000005) 0097844AF87F0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1586:SSL alert number 40

no peer certificate available

No client certificate CA names sent

SSL handshake has read 8 bytes and written 374 bytes Verification: OK

New, (NONE), Cipher is (NONE) This TLS version forbids renegotiation. Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok)

The problem seems to be that AWS is not supplying it's certificate in the handshake.

Everything worked fine before changing the certificate authority, and I can still connect without SSL.

Any ideas?

Topics
DatabaseSecurity, Identity, & Compliance
Tags
Aurora PostgreSQLAWS Private Certificate Authority
Language
English
Christopher Breen
asked 8 months ago905 views
1 Answer
0

Hi there,

-ECC based encryptions rds-ca-ecc384-g1 is not supported on Aurora.

-Aurora only supports TLS 1.2 and 1.2.

-Revert to previous cert to resolve the issue

As per doc:

"Amazon Aurora PostgreSQL supports Transport Layer Security (TLS) versions 1.1 and 1.2. We recommend using TLS 1.2 for encrypted connections." https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Security.html#AuroraPostgreSQL.Security.SSL

rePost-User-6123396
answered 8 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content