By using AWS re:Post, you agree to the Terms of Use
/JDBC and RDS PostgreSQL TLS Encryption connection problem/

JDBC and RDS PostgreSQL TLS Encryption connection problem

0

We used AWS EC2 instance and RDS PostgreSQL, and we deployed java program on EC2 instance, using jdbc for query. According to the AWS&JDBC documentation, AWS RDS PostgreSQL supports TLS encrypted connection by default, jdbc also uses encrypted connection by default(We did not set the sslmode parameter). But when I capture the packet on EC2, I see the packet in plaintext, why?

Command on EC2 Instance: sudo tcpdump -i any port 5432 -w pgtest.pcap

I was expecting to see TLS1.3 or TLS1.2, but the packet content is all PGSQL

2 Answers
0

Hello there

According to the information given,I can fully understand that you want your password to be encrypted.RDS for PostgreSQL uses and expects all clients to connect using SSL/TLS, but you need to require it to use to request connection [1].This means your connection string would still have to specify an SSL certificate like :

  $ psql -h db-name.555555555555.ap-southeast-1.rds.amazonaws.com-p 5432 dbname=testDB user=testusersslrootcert=rds-ca-2019-root.pem sslmode=verify-full
 

You can require that connections to your PostgreSQL DB instance use SSL by using the rds.force_ssl parameter.By default, the rds.force_ssl parameter is set to 0 (off). You can set the rds.force_ssl parameter to 1 (on) to require SSL for connections to your DB instance for more information using SSL with a PostgreSQL DB instance.Learn more about How can you stop Amazon RDS for PostgreSQL from logging my passwords in clear-text in the log files.

Resource: [1]https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.html [2]https://aws.amazon.com/premiumsupport/knowledge-center/rds-postgresql-cleartext-logging/

answered 12 days ago
0

Hi

If requires ssl connection then need to specify in the

  1. PG parameter group rds.force_ssl [1] https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.html#PostgreSQL.Concepts.General.SSL.Requiring
  2. JDBC connection string to specify ssl mode and other parameters https://jdbc.postgresql.org/documentation/head/connect.html

The default mode I think is prefer for PostgreSQL, which mentioned in the PG doc [2] https://www.postgresql.org/docs/current/libpq-ssl.html: "I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it." It is when certificate exist otherwise will not use.

SUPPORT ENGINEER
answered 11 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions