Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Issue with OpenSSL Connection to AWS RDS PostgreSQL

0

I'm encountering an issue while trying to establish an SSL connection to my AWS RDS PostgreSQL instance using OpenSSL. Here’s the command I'm using:

openssl s_client -connect <RDS-ENDPOINT>:5432 -CAfile <CaFile>

Received below output

CONNECTED(00000003) 40A77E0541770000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:316:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 362 bytes Verification: OK

New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok)

I have tried with both regional and global CA.

Questions:

What could be causing the "unexpected eof while reading" error? How can I troubleshoot the SSL handshake issue to establish a successful connection?

Topics
AnalyticsMigration & ModernizationDatabase
Tags
Amazon Relational Database ServicePostgreSQL
Language
English
asked a year ago813 views
1 Answer
0

The "unexpected eof while reading" error you're encountering suggests that the SSL handshake is not completing successfully. This could be due to several reasons:

  1. Security Group Configuration: The most common cause of connection issues is incorrect security group settings. Ensure that your RDS instance's security group allows inbound traffic on port 5432 from your client's IP address.

  2. SSL/TLS Version Mismatch: Your RDS PostgreSQL instance might be configured to use a specific SSL/TLS version that's incompatible with the version OpenSSL is attempting to use. RDS for PostgreSQL supports TLS versions 1.1, 1.2, and 1.3.

  3. Certificate Issues: Verify that you're using the correct and up-to-date CA certificate. AWS periodically updates their certificates, and using an expired or incorrect certificate can cause connection failures.

  4. RDS Configuration: Check if SSL is enforced on your RDS instance. The rds.force_ssl parameter, when set to 1, requires SSL for all connections.

To troubleshoot this issue:

  1. Verify Security Group: Review your RDS instance's security group and ensure it allows inbound connections from your client's IP address on port 5432.

  2. Check SSL Enforcement: Connect to your RDS instance and check if rds.force_ssl is set to 1. If it is, ensure you're using the correct SSL configuration in your connection attempt.

  3. Update CA Certificate: Download the latest CA certificate from AWS and ensure you're using it in your OpenSSL command.

  4. Try Different TLS Versions: Modify your OpenSSL command to explicitly specify TLS versions, e.g., add -tls1_2 to force TLS 1.2.

  5. Check RDS Logs: Review the PostgreSQL logs in Amazon RDS to see if there are any error messages related to SSL connections.

  6. Test with psql: Try connecting using the psql client with SSL to isolate whether the issue is specific to OpenSSL or a general SSL connection problem.

If the issue persists after trying these steps, you may need to contact AWS support for further assistance, as there could be a configuration issue with your RDS instance that's not immediately apparent.
Sources
Troubleshooting connections to your RDS for PostgreSQL instance - Amazon Relational Database Service
Using SSL with a PostgreSQL DB instance - Amazon Relational Database Service
Troubleshoot Amazon RDS expired SSL/TLS certificate connection issues | AWS re:Post

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content