AWS Aurora PostgreSQL upgrade from 14.6 to 15.2 => SSL error: sslv3 alert handshake failure

0

Hello,
We have a dev/stage environment with AWS Aurora PostgreSQL with force SSL turned on.
Everything worked fine until I ran the upgrade to 15.2.
After the upgrade completed, all clients (php/symfony/psql v15 cli) refused to connect with the following errors:
php/symfony/doctrine => "SSL error: sslv3 alert handshake failure"
psql v15 cli => "FATAL: no pg_hba.conf entry for host "XX.XXX.XX.XXX", user "userXXX", database "dbXXX", no encryption" (or similar copied from web)

The PHP application is using the latest global-bundle.pem, which I updated again, but that did not help.
With psql I tried to use the sslrootcert option pointing to the bundle, but that did not help either.
The underlying operating system is an up-to-date Ubuntu 22.04 LTS with up-to-date PHP 8.2.x.

Everything worked just fine without errors until the upgrade.
Having said that, I started debugging it and figured out that switching the CA from "rds-ca-ecc384-g1" to "rds-ca-rsa2048-g1" solved the issue.

Then I found the following lines in the Aurora PostgreSQL release notes for previous versions:
"14.5.0 => Fixed an issue where an attempt to connect to the database would fail with SSLV3_ALERT_CERTIFICATE_UNKNOWN."
"13.8.0 => Fixed an issue where an attempt to connect to the database would fail with SSLV3_ALERT_CERTIFICATE_UNKNOWN."
"12.12.0 => Fixed an issue where an attempt to connect to the database would fail with SSLV3_ALERT_CERTIFICATE_UNKNOWN."
"11.17.0 => Fixed an issue where an attempt to connect to the database would fail with SSLV3_ALERT_CERTIFICATE_UNKNOWN."
Might it be the same issue, but for 15.2.0?

asked a year ago, 1950 views
3 Answers
0

I suspect this is an SSL issue. Check this link for more info: https://github.com/sabnzbd/sabnzbd/issues/1829

On the other end, check the inbound rules of the security group of the RDS instance and the cluster parameter group of the RDS instance, and find out which ssl_cipher parameter values are supported for your new Aurora version.

Please find below the document on which cipher suites are supported by which version of Aurora:

[+] Security with Amazon Aurora MySQL - Configuring cipher suites for connections to Aurora MySQL DB clusters - https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Security.html#AuroraMySQL.Security.SSL.ConfiguringCipherSuites

I have seen others fix the parameter group with the right cipher suites for the ssl_cipher parameter and then be able to connect to the Aurora cluster instances.

I'm attaching the documents below for your future reference related to SSL:

https://aws.amazon.com/premiumsupport/knowledge-center/rds-error-2026-ssl-connection/

https://docs.aws.amazon.com/cli/latest/reference/rds/describe-db-clusters.html

AWS
answered a year ago
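
The cipher-suite check suggested in the answer above can be done offline with the local OpenSSL build; the following is an added example, not code from the thread or from AWS. In TLS 1.2 the negotiated suite must match the server certificate's key type, so a cipher string with no ECDSA-authenticated suite cannot complete a handshake against an ECDSA certificate. It assumes that a cluster under rds-ca-ecc384-g1 presents an ECDSA server certificate and one under rds-ca-rsa2048-g1 an RSA certificate; the sample cipher strings are constructed.

```python
import ssl

# OpenSSL "auth" tag carried by TLS 1.2 suites for each server certificate key type.
# Assumption: rds-ca-ecc384-g1 -> ECDSA server cert, rds-ca-rsa2048-g1 -> RSA server cert.
AUTH_TAG = {"ecdsa": "auth-ecdsa", "rsa": "auth-rsa"}


def tls12_suites(cipher_string):
    """Suites for TLS 1.2 and earlier that this cipher string enables locally."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # the string selects nothing this OpenSSL build supports
    # set_ciphers() does not control TLS 1.3 suites, and those are not
    # bound to a certificate key type, so they are left out of the check.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def suites_for_key(cipher_string, key_type):
    """Names of enabled TLS 1.2 suites usable with a server cert of key_type."""
    tag = AUTH_TAG[key_type]
    return [c["name"] for c in tls12_suites(cipher_string) if c.get("auth") == tag]


def diagnose(cipher_string):
    """For each key type, can a TLS 1.2 handshake with such a server cert succeed?"""
    return {k: bool(suites_for_key(cipher_string, k)) for k in AUTH_TAG}


if __name__ == "__main__":
    # Constructed sample cipher strings (not taken from the thread).
    samples = {
        "rsa-only list": "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256",
        "ecdsa excluded": "HIGH:!aNULL:!aECDSA",
        "both key types": "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384",
    }
    for label, cipher_string in samples.items():
        result = diagnose(cipher_string)
        print(f"{label:15} ecdsa={result['ecdsa']} rsa={result['rsa']}")
        if not result["ecdsa"]:
            print("  -> a TLS 1.2 handshake against an ECDSA certificate would fail")
```

Run it on the client host with the cipher string the client or driver is configured with; a result of `ecdsa=False` there would match the symptom of the RSA CA working while the ECC CA does not.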
0

Same problem. What is the solution?

answered 10 months ago
0

Nothing. We switched back to rds-ca-rsa2048-g1. The same error still appears when we try to switch to rds-ca-ecc384-g1.

answered 10 months ago
