AWS Aurora PostgreSQL upgrade from 14.6 to 15.2 => SSL error: sslv3 alert handshake failure

0

Hello,
We have a dev/stage environment with AWS Aurora PostgreSQL with force SSL turned on.
Everything worked fine until I ran the upgrade to 15.2.
After the upgrade completed, all clients (php/symfony/psql v15 cli) refused to connect with the following errors:
php/symfony/doctrine => "SSL error: sslv3 alert handshake failure"
psql v15 cli => "FATAL: no pg_hba.conf entry for host "XX.XXX.XX.XXX", user "userXXX", database "dbXXX", no encryption" (or similar copied from web)

The PHP application is using the latest global-bundle.pem, which I updated again, but that did not help.
With psql I tried to use the sslrootcert option pointing to the bundle, but that did not help either.
The underlying operating system is an up-to-date Ubuntu 22.04 LTS with up-to-date PHP 8.2.x.

Everything worked just fine without errors until the upgrade.
That said, I started debugging it and figured out that switching the CA from "rds-ca-ecc384-g1" to "rds-ca-rsa2048-g1" solved the issue.

Then I found the following lines in the Aurora PostgreSQL release notes for previous versions:
"14.5.0 => Fixed an issue where an attempt to connect to the database would fail with SSLV3_ALERT_CERTIFICATE_UNKNOWN."
"13.8.0 => Fixed an issue where an attempt to connect to the database would fail with SSLV3_ALERT_CERTIFICATE_UNKNOWN."
"12.12.0 => Fixed an issue where an attempt to connect to the database would fail with SSLV3_ALERT_CERTIFICATE_UNKNOWN."
"11.17.0 => Fixed an issue where an attempt to connect to the database would fail with SSLV3_ALERT_CERTIFICATE_UNKNOWN."
Might it be the same issue, but for 15.2.0?

asked a year ago, 1976 views
3 Answers
0

I suspect this is an SSL issue. Check this link for more info: https://github.com/sabnzbd/sabnzbd/issues/1829

On the other end, check the inbound rules of the security group of the RDS instance and the cluster parameter group of the RDS instance, and find out which ssl_cipher parameter values are supported for your new Aurora version.

Please find below the document on which cipher suites support which version of Aurora:

[+] Security with Amazon Aurora MySQL - Configuring cipher suites for connections to Aurora MySQL DB clusters - https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Security.html#AuroraMySQL.Security.SSL.ConfiguringCipherSuites

I see others can fix the parameter group with the right cipher suites for ssl_cipher parameter, you were able to connect to the Aurora cluster instances.

I'm attaching the documents below for your future reference related to SSL:

https://aws.amazon.com/premiumsupport/knowledge-center/rds-error-2026-ssl-connection/

https://docs.aws.amazon.com/cli/latest/reference/rds/describe-db-clusters.html

AWS
answered a year ago
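
The answer above points at the cipher list, and the question reports that only the ECC CA fails. As an added example (not from this thread or from AWS), the Python below checks whether an OpenSSL-syntax cipher list enables any ECDSA-authenticated TLS 1.2 suite, which a peer needs in order to use an ECC certificate under TLS 1.2, and offers a live probe of a PostgreSQL endpoint. That a cipher mismatch is the cause here is an assumption the thread does not confirm; the function names and the `host`/`cafile` arguments are hypothetical.

```python
import socket
import ssl
import struct

# PostgreSQL SSLRequest message: int32 length (8) + int32 request code 80877103.
SSL_REQUEST = struct.pack("!II", 8, 80877103)


def tls12_auth_kinds(cipher_string):
    """Return the certificate-authentication kinds ('rsa', 'ecdsa', ...) that an
    OpenSSL cipher string enables for TLS 1.2 and below."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    kinds = set()
    for c in ctx.get_ciphers():
        # TLS 1.3 suites report 'auth-any': there the key type is negotiated
        # through signature algorithms, not through the cipher suite.
        if c["auth"] != "auth-any":
            kinds.add(c["auth"].removeprefix("auth-"))
    return kinds


def can_use_ecc_cert(cipher_string):
    """True if the list has at least one ECDSA-authenticated TLS 1.2 suite."""
    return "ecdsa" in tls12_auth_kinds(cipher_string)


def probe(host, cafile, port=5432, ciphers="DEFAULT"):
    """Live check (needs network): negotiate TLS 1.2 with a PostgreSQL endpoint,
    verifying the chain against cafile (e.g. global-bundle.pem), and return the
    negotiated suite name, which shows RSA or ECDSA authentication."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(ciphers)
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(SSL_REQUEST)
        if sock.recv(1) != b"S":  # 'S' = server will do TLS, 'N' = it will not
            raise ConnectionError("server refused SSLRequest")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()[0]
```

A handshake failure from `probe` with an ECDSA-only `ciphers` value, alongside success with an RSA-only value, narrows the problem to the certificate key type rather than the trust bundle.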
0

Same problem. What is the solution?

answered a year ago
0

Nothing. We switched back to rds-ca-rsa2048-g1. The same error still appears when we try to switch to rds-ca-ecc384-g1.

answered a year ago
