JDBC and RDS PostgreSQL TLS Encryption connection problem
We used AWS EC2 instance and RDS PostgreSQL, and we deployed java program on EC2 instance, using jdbc for query. According to the AWS&JDBC documentation, AWS RDS PostgreSQL supports TLS encrypted connection by default, jdbc also uses encrypted connection by default(We did not set the sslmode parameter). But when I capture the packet on EC2, I see the packet in plaintext, why?
Command on EC2 Instance: sudo tcpdump -i any port 5432 -w pgtest.pcap
I was expecting to see TLS1.3 or TLS1.2, but the packet content is all PGSQL
Hello there
According to the information given,I can fully understand that you want your password to be encrypted.RDS for PostgreSQL uses and expects all clients to connect using SSL/TLS, but you need to require it to use to request connection [1].This means your connection string would still have to specify an SSL certificate like :
$ psql -h db-name.555555555555.ap-southeast-1.rds.amazonaws.com-p 5432 dbname=testDB user=testusersslrootcert=rds-ca-2019-root.pem sslmode=verify-full
You can require that connections to your PostgreSQL DB instance use SSL by using the rds.force_ssl parameter.By default, the rds.force_ssl parameter is set to 0 (off). You can set the rds.force_ssl parameter to 1 (on) to require SSL for connections to your DB instance for more information using SSL with a PostgreSQL DB instance.Learn more about How can you stop Amazon RDS for PostgreSQL from logging my passwords in clear-text in the log files.
Resource: [1]https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.html [2]https://aws.amazon.com/premiumsupport/knowledge-center/rds-postgresql-cleartext-logging/
Hi
If requires ssl connection then need to specify in the
- PG parameter group rds.force_ssl [1] https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.html#PostgreSQL.Concepts.General.SSL.Requiring
- JDBC connection string to specify ssl mode and other parameters https://jdbc.postgresql.org/documentation/head/connect.html
The default mode I think is prefer for PostgreSQL, which mentioned in the PG doc [2] https://www.postgresql.org/docs/current/libpq-ssl.html: "I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it." It is when certificate exist otherwise will not use.
Relevant questions
Does AWS DMS support ARRAY data type for RDS for PostgreSQL on EC2 to Aurora PostgreSQL migration?
Accepted Answerasked 2 years agoAws glue connects to RDS PostgreSQL
Accepted Answerasked 4 months agoConnecting TypeScript backend in EC2 to PostgreSQL RDS
asked 11 days agoRDS Postgresql migrate to Aurora Postgresql. Not showing "Aurora read replica" & "Migrate snapshot" options.
Accepted Answerasked 6 months agords-db:* and organizations
asked 2 months agoAmazon RDS for PostgreSQL: Configuration differences with PostgreSQL on EC2
Accepted Answerasked 2 years agoProblem with deadlock on AWS RDS MySQL
asked 4 years agoHow to create SSL dblink connection from RDS to postgres on premise?
asked 5 months agoAthena API vs JDBC Driver
asked 3 years agoJDBC and RDS PostgreSQL TLS Encryption connection problem
asked 14 days ago