RDS PG : able to connect without CA even if rds.force_ssl is enabled

0

I am able to connect RDS PG without giving CA inspite of enabling rds.force_ssl in Cluster parameter group associated to my DB cluster. How is it possible? Am I missing something?

Here is the output,

$ psql 'host=database-aurora-serverless-v2.cluster-cv55oxgkbnkf.us-east-1.rds.amazonaws.com user=postgres dbname=postgres' Password for user postgres: psql (14.8 (Ubuntu 14.8-0ubuntu0.22.04.1), server 14.6) SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES128-GCM-SHA256, bits: 128, compression: off) Type "help" for help.

postgres=> SELECT * FROM pg_hba_file_rules; line_number | type | database | user_name | address | netmask | auth_method | options | error -------------+---------+---------------+------------+----------+---------+---------------+-----------+------- 2 | local | {all} | {rdsadmin} | | | peer | {map=rds} | 6 | local | {all} | {all} | | | scram-sha-256 | | 12 | host | {all} | {rdsadmin} | samehost | | scram-sha-256 | | 13 | host | {all} | {rdsadmin} | all | | reject | | 14 | host | {rdsadmin} | {all} | all | | reject | | 15 | hostssl | {all} | {all} | all | | md5 | | 16 | host | {replication} | {all} | samehost | | md5 | | (7 rows)

postgres=>

Vaibhav
질문됨 일 년 전709회 조회
2개 답변
0
수락된 답변

Hi,

I think the following StackOverflow page answers your question.

The server can force the client to use ssl to establish the connection, but it cannot force the client to verify the server's certificate. If your client is libpq based, then it will verify the certificate if and only if it can find the root certificate file (generally at ~/.postgresql/root.crt, if not specified as something else). If you specify PGSSLMODE=verify-ca or above on the client, then the client will throw an error if can't find the root cert file. If the sslmode is below that level and the client can't find the root cert file, then it will use the server's certificate to negotiate encryption, but will not use it to verify the identity of the server. So you get protection from passive eavesdropping, but not from active MITM attacks.

profile picture
전문가
답변함 일 년 전
profile picture
전문가
검토됨 일 년 전
profile picture
전문가
검토됨 일 년 전
0

psql has SSL connections enabled by default.
So to prevent SSL connections from being made, try setting an environment variable as follows.
This would allow us to test if the connection fails if SSL connection is not used since it would be a non-SSL connection.
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/ssl-certificate-rotation-aurora-postgresql.html#ssl-certificate-rotation-aurora-postgresql.determining-client

$ PGSSLMODE=disable \
  psql -h $HOST "dbname=dbname user=username"
profile picture
전문가
답변함 일 년 전
profile picture
전문가
검토됨 일 년 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠