Aws_rds_castore - Certificate validation for AWS RDS DBs

aws_rds_castore

Enable verification of server certificates in AWS RDS DB connections, e.g. through pgo. Includes the latest private root CA certificate bundle from AWS RDS, along with a helper function to set the connection’s ssl_options.

Usage: add aws_rds_castore as a dependency and add the ssl_options parameter to your DB connection:

PoolConfig = #{pool_size => 10,
               host => Host,
               database => "test",
               user => "test",
               ssl => true,
               ssl_options => aws_rds_castore:ssl_opts(Host)},
pgo:start_pool(default, PoolConfig).

Credits: Much of the code, in particular the periodic update check in CI, is based on castore | Hex.

Q: Why do I need this?
A: AWS RDS uses privately issued certificates for DB servers, so certificate verification against the standard (OS or Hex package) trust stores would fail; in practice the server certificate is often ignored.

Q: Is it not enough to just set ssl: true?
A: Setting ssl: true will enable TLS, which ensures the DB connection is encrypted and therefore protected from snooping by a passive attacker. However, on OTP versions prior to 26 the server certificate is ignored by default, which means an active attacker could potentially hijack the communication without being detected.

Q: Does this fix the “Server authenticity is not verified…” message logged by OTP 25?
A: Yes, enabling server certificate verification using the ssl_opts from this library will eliminate this warning.

Q: Will this work with OTP 26, where certificate verification is enabled by default?
A: I have not yet tried OTP 26 with AWS RDS, but I suspect it will fail to connect to AWS RDS over TLS without ssl_opts, because it will try to verify the server certificate against the OS trust store. Using this package and the ssl_opts it generates should fix that.

Q: Why do I need to pass the server’s URL/hostname to ssl_opts?
A: At least for Postgres-type databases the TLS handshake is started on a previously established TCP connection. In such cases the ssl module needs to be told explicitly which hostname to use when verifying the server certificate.
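
As an added illustration, not code from the aws_rds_castore package itself, here is what a verifying option list built from the plain OTP ssl API looks like, next to the bare ssl => true setting discussed above that leaves the server certificate unchecked on OTP versions before 26. The module name, the CaFile argument (a locally downloaded RDS CA bundle in PEM form) and the option values are assumptions for the example:

```erlang
%% Added example: two ways of configuring TLS for an RDS Postgres pool.
%% Not the aws_rds_castore implementation; the option values are
%% assumptions chosen to show what a verifying helper must supply.
-module(rds_ssl_example).
-export([unverified_opts/0, verified_opts/2]).

%% Weak form: TLS is on, so a passive eavesdropper sees only ciphertext,
%% but on OTP < 26 the peer certificate is accepted without checking,
%% so an active attacker presenting any certificate is not detected.
unverified_opts() ->
    [].

%% Hardened form. Host is the RDS endpoint hostname; it must be passed
%% explicitly because pgo starts TLS on an already-open TCP socket and
%% the ssl module cannot infer which name to check the certificate
%% against. CaFile is the path to the AWS RDS CA bundle (assumption).
verified_opts(Host, CaFile) when is_list(Host), is_list(CaFile) ->
    [{verify, verify_peer},            % reject any cert that does not chain to CaFile
     {cacertfile, CaFile},             % RDS private root CA bundle, not the OS store
     {depth, 3},                       % allow intermediate CAs in the server chain
     {server_name_indication, Host},   % SNI, and the name the hostname check uses
     {customize_hostname_check,
      [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}].
```

Used as ssl_options => rds_ssl_example:verified_opts(Host, "/path/to/rds-bundle.pem") in the PoolConfig map above, a server presenting a certificate for a different hostname, or one not issued under the bundled RDS CA, makes the handshake fail instead of silently succeeding.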

Q: Does this work with all AWS RDS DB types?
A: For now it has only been tested with Postgres-type DB instances. Please let me know if you use it with other DB types, either successfully or unsuccessfully.

Links:
