aws_rds_castore
Enable verification of server certificates in AWS RDS DB connections, e.g. through pgo. Includes the latest private root CA certificate bundle from AWS RDS, along with a helper function to set the connection's ssl_options.
Usage: add aws_rds_castore as a dependency and add the ssl_options parameter to your DB connection:
```erlang
%% Host is the RDS instance endpoint hostname; it is passed to ssl_opts/1 so
%% that the server certificate can be checked against that name.
PoolConfig = #{pool_size => 10,
               host => Host,
               database => "test",
               user => "test",
               ssl => true,
               ssl_options => aws_rds_castore:ssl_opts(Host)},
pgo:start_pool(default, PoolConfig).
```
Credits: much of the code, in particular the periodic update check in CI, is based on the castore Hex package.
Q: Why do I need this?
A: AWS RDS uses privately issued certificates for DB servers, so certificate verification against the standard (OS or Hex package) trust stores would fail; in practice the server certificate is therefore often simply ignored.
Q: Is it not enough to just set ssl: true?
A: Setting ssl: true will enable TLS, which ensures the DB connection is encrypted and therefore protected from snooping by a passive attacker. However, on OTP versions prior to 26 the server certificate is ignored by default, which means an active attacker could potentially hijack the communication without being detected.
Q: Does this fix the “Server authenticity is not verified…” message logged by OTP 25?
A: Yes, enabling server certificate verification using the ssl_opts from this library will eliminate this warning.
Q: Will this work with OTP 26, where certificate verification is enabled by default?
A: I have not yet tried OTP 26 with AWS RDS, but I suspect it will fail to connect to AWS RDS over TLS without ssl_opts, because it will try to verify the server certificate against the OS trust store. Using this package and the ssl_opts it generates should fix that.
Q: Why do I need to pass the server’s URL/hostname to ssl_opts?
A: At least for Postgres-type databases the TLS handshake is started on a previously established TCP connection. In such cases the ssl module needs to be told explicitly which hostname to use when verifying the server certificate.
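To make concrete what the ssl_opts used in the Usage section must accomplish, and why the hostname has to be passed explicitly, here is an added illustration in Erlang. It is not the library's own implementation; the module name, CaFile (assumed to be a path to the AWS RDS CA bundle) and the function names are assumptions.

```erlang
%% Illustrative module (not part of aws_rds_castore). Shows the TLS options
%% needed to authenticate an AWS RDS server when TLS is started on a TCP
%% connection that the ssl module did not open itself.
-module(rds_tls_example).
-export([verifying_opts/2, connect_verified/3]).

%% Weak setting: ssl => true with no further options. On OTP < 26 this is
%% effectively verify_none: traffic is encrypted, but the peer is never
%% authenticated, so an active attacker in the path is not detected.
%%
%% Corrected setting: verify the chain against the private RDS root CAs
%% (CaFile is an assumed path to that bundle) and name the host explicitly,
%% because a socket handed to ssl:connect/3 carries no hostname to check.
verifying_opts(Host, CaFile) when is_list(Host) ->
    [{verify, verify_peer},
     {cacertfile, CaFile},
     {server_name_indication, Host}].

%% Upgrade an already-open TCP connection to a Postgres server to TLS.
%% Postgres expects an 8-byte SSLRequest (length 8, code 80877103) first and
%% answers with one byte: $S to proceed with TLS, $N if TLS is unavailable.
connect_verified(Host, Port, CaFile) ->
    {ok, Tcp} = gen_tcp:connect(Host, Port, [binary, {active, false}]),
    ok = gen_tcp:send(Tcp, <<8:32, 80877103:32>>),
    case gen_tcp:recv(Tcp, 1, 5000) of
        {ok, <<"S">>} ->
            %% The certificate's name is checked against Host passed here,
            %% not against anything derived from Tcp.
            ssl:connect(Tcp, verifying_opts(Host, CaFile), 5000);
        {ok, <<"N">>} ->
            gen_tcp:close(Tcp),
            {error, server_refused_tls};
        {error, Reason} ->
            gen_tcp:close(Tcp),
            {error, Reason}
    end.
```

With verify_peer and a wrong or missing server_name_indication the handshake fails rather than silently accepting the certificate, which is the behaviour the library's ssl_opts/1 is meant to provide for pgo.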
Q: Does this work with all AWS RDS DB types?
A: For now it has only been tested with Postgres-type DB instances. Please let me know if you use it with other DB types, either successfully or unsuccessfully.