stackoom
  简体   繁体   中英

What is the "[full path]" component of the SSL Certificate Authority given by MySQL and PostgreSQL (boto3) calls in the AWS docs?

 原文  2021-11-30 01:00:04       postgresql/ amazon-web-services/ ssl-certificate/ boto3/ amazon-rds

Question

In the AWS documentation for " Connecting to your DB instance using IAM authentication and the AWS SDK for Python (Boto3) ", the following call is made to both psycopg2.connect (shown) and mysql.connector.connect : 

conn =  psycopg2.connect(
    host=ENDPOINT,
    user=USR, 
    passwd=token,
    port=PORT, 
    database=DBNAME,
    ssl_ca='[full path]rds-combined-ca-bundle.pem'
)

I see some discussion about the ssl_ca path ( here and here ) and what those bundles are used for. But none of the three links I've given here describe the [full path] component given by the AWS docs, or where it is pointing to. My current guess (from the second link) is this URL, but I'd like to be sure.

Additionally, what are the advantages to having this bundle downloaded to the remote EC2 on which these Python 3 (boto3) scripts are running?

EDIT: By the way, the above call to psycopg2.connect is working in Jupyter with Python 3.9.5 on an EC2 currently, with the [full path] written as-is...

1 answers

solution1
 0  2021-11-30 04:41:59

You should replace the '[full path]' with the filesystem path (directory path) to where you saved the pem file when you downloaded it (from that last URL you gave) to the local computer.

The advantage of using it is that your client will verify it connected to the correct database, and not some malicious system which is intercepting your traffic. I don't how advantageous you consider this: if someone has compromised Amazon enough to be intercepting their internal traffic, they might also have compromised their CA as well. But there is at least some possibility they did one without the other.

Your code as shown does not work for me, because ssl_ca is not how it is spelled. Assuming you used the code actually given at your first link for PostgreSQL:

sslmode='prefer', sslrootcert="[full path]rds-combined-ca-bundle.pem"

Then the reason it works despite the bogus path is that "prefer" means it doesn't care if the rootcert is missing, it just skips validating in that case. If you change it to 'verify-full', then presumably it would stop working.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question AWS Aurora PostgreSQL - x509: certificate signed by unknown authority Provide SSL certificate to PostgreSQL in a Rails app Deploying postgresql docker with ssl certificate and key with volumes What is meant by this sentence about JSON in the Postgresql docs? How to insert 'NULL' values for 'int' column tupes in Aurora PostgreSQL db using Python boto3 client AWS RDS Postgresql Connect Without Providing Certificate npgsql connecting to AWS RDS PostgreSQL with SSL PostgreSQL pq Open not successful: x509: certificate signed by unknown authority AWS Terraform postgresql provider: SSL is not enabled on the server Converting MySQL Stored Procedures to PostgreSQL function. What do I do with these replace() calls?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM