Amazon RDS 2019 Intermediate Certificates #2292
Conversation
|
It's hard for me to believe after all the hub-bub and begging for that PR to be merged that it does not work. I need some more folks to better explain this and how after the 3 months of that PR this was never noticed and how, specifically this one is going to fix it and how we're going to verify it this time... |
|
What additional info can I provide you? |
I need more people with access to Amazon RDS instances to explain before I just merge something blindly again. That, or access to Amazon RDS to test it myself. |
|
So there is already one response on that PR and I see you responded. It is currently 3:30am in my time zone, so I'm going to head to bed, but once we can get some clarification on this, then we can determine to merge or not, and once we know it should be merged, I can put it in a patch. |
|
As noted on #2280, the global CA is sufficient for most people however some setups require the intermediates provided on this PR. #2280 really should have had them included also for consistency however I never thought to check them. Detail on global / intermediates for RDS available here : https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html |
So the question I would like to understand first is can someone explain what, specifically, the differences are between the setups that requires one vs the other? For example, just to explain the change as like "MySQL 5.6.x requires these" would be a big step towards getting it merged, but right not it sounds like it's just a mystery as to why, which makes is extremely hesitant to merge in blindly... |
|
@dougwilson it may be simply down to which region the RDS instance is in. @jthele which region are your RDS instances in? Additionally which OS is the application accessing RDS running, not that I think that will be important but thought it worth asking. Unfortunately the AWS docs are vague, simply stating that "you might need to use an intermediate". I do not believe it is down to MySQL version though, as that would not alter how TDS works particularly. |
|
So part of the reason to understand the specifics here is that maybe the answer is just that the RDS instance itself is just misconfigured? Adding all the intermediates should not be necessary, since the root is trusted. Why they were added for the original is beyond me, and being a maintainer of the module and not even being able to answer that is a problem for ongoing maintenance and support. It also means that over time intermediates should (?) probably keep getting added as well, which is just more maintenance. And of course don't forget those previous disk bytes used by all the folks who will never use Amazon RDS :) |
|
Anyway, I'm going to sleep now, so I won't be responding for some time, but to reiterate: I'm mainly looking to better understand the change here and what it means. If I stopped to get a better understanding in the original, then I likely would have realized the intermediates not being in this recent PR were missing. Just looking for the specific reason why they are required, not just for my understanding, but at the very least to make a somewhat helpful change log entry :) |
|
Node: 10.17.0 |
#1001 has some discussion on why the intermediates had to be added in 2015. But that looks like it was a different issue related to verification and |
|
Right, I already looked up that PR :) but the question I have here has never been answered to my knowledge: why does only the root work for some people and not for others? What is the difference? Just having the root is much less work of course, and so I just want to know the answer if this (adding all the intermediates) is going to happen again, lol. Node.js support certificate chains perfectly fine as far as I know, which is the only reason the linked web page gives. So that would maybe leave that the server you are connecting to is maybe just misconfigured somehow? |
|
Based on what I saw when I was looking into issues with mssql / tedious, the nodejs tds implementation ends up at the OS level and so I can only jump to the conclusion that this somehow ends up being a host OS issue. I am typically using the official node image as a base instead of ubuntu, currently node:10.16.0, which ends up at debian:stretch |
|
I can't speak to mssql, but this module uses the Node.js native SSL, which is the specific OpenSSL that Node.js statically links into the binary; it does not use the host OS for SSL. |
|
I just did an experiment. I stood up 3 brand new MySQL RDS instances in us-east-1 with versions 5.6.37, 5.7.26, and 8.0.16. I then connected to them from a Node 10.18.1 REPL running on my MacOS 10.15.2 laptop. This reproduced the error I saw before for 5.6.37. Both 5.7.26 and 8.0.16 succeeded without error and were queryable. |
|
Some supporting evidence that suggests RDS 5.6 is not happy with chained certificates: MySQL 5.6 documentation at https://dev.mysql.com/doc/refman/5.6/en/ssl-libraries.html says that
And this Amazon blog entry at https://aws.amazon.com/blogs/database/selecting-the-right-encryption-options-for-amazon-rds-and-amazon-aurora-database-engines/ says that:
|
I'm using it with AWS Lambda Functions. v2.18.0 works with nodejs8.10, nodejs10.x and nodejs12.x lambda runtimes in the US-East-1 region when connecting to an Aurora MySQL RDS instance on MySQL 5.7.12 engine. It's a standard account, not GovCloud or any other specialty. I've put thousands of requests against the DB since putting v2.18.0 in with no DB connectivity issues. |
|
Some additional info that may help. I found this VERY OLD MySQL bug:
While that does not mention 5.6.x explicitly, it does mention yaSSL. Per AWS Documentation:
Edit - Sorry I mis-clicked before finishing my comment. |
|
Edit: @jthele was correct in that I had not updated the RDS instance yet. |
Could you verify which certificate your RDS instance is currently using? Depending on when you created it and if you chose to use the defaults or not, you will have either A common pattern if you wish to transition is to specify certificates for both old and new so your client will work with both old and new configurations as you transition your database configuration. |
|
Thanks @CovertLeopard for the sleuthing to find that AWS documentation of yaSSL versions:
As I refresher, I had tested the following versions:
To further narrow in on the theory that yaSSL is the issue, I just tested a couple more versions on the other sides of the yaSSL dividing line. As before these were brand new MySQL RDS instances in us-east-1. I then connected to them from a Node 10.18.1 REPL running on my MacOS 10.15.2 laptop
Those results align perfectly with the yaSSL boundaries that @CovertLeopard pointed out. |
|
So to sum up what I believe is being said here: since the MySQL server uses it's own, bundled SSL library (just like Node.js) the way it works is dependent on the version. And apparently versions 5.6 (and likely earlier) simply only send the leaf certificate to the client during the Server Hello instead of the entire chain. Thus, in order to connect to those older MySQL server versions, the client needs to hold a copy of these intermediates so it can complete the chain of trust for verficiation. Does this sound like an accurate summary @jthele ? |
|
Yes, that sounds accurate to me. And to further clarify which versions are affected, my testing aligns with the versions specified in the AWS documentation that @CovertLeopard found: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.SSLSupport |
|
Thanks @jthele I really appreciate it. I plan to merge & push in a patch release (so 2.18.1) today (i.e. within the next 8 hours). |
Thanks for the quick turnaround on this PR. I appreciate it. |
Thanks to both of you! While this change doesn't impact our QA/Dev testing, our PROD instance is still on 5.6.10 and will require this. I appreciate the quick turnaround as well. |
|
mysqljs with RDS (ssl = 'Amazon RDS') had been working fine for us for the past year until we upgraded RDS and configured mysqljs However we're using the global root certificate and every so often the connection fails. We've now set |
|
FYI: after turning debug on, the errors we were seeing were
When we checked the
For now, we've set our connection config to use both the root and intermediate certificates, as well as increase max_connect_errors to 100: |
|
Regarding:
Was your RDS change isolated to altering the certificate authority from |
Thanks for the reply. We upgraded RDS from 5.5.59 to 5.5.61 which included the certificate change. When the change occurred we maintained the same version of mysqljs (and same mysql param group) but turned SSL off while we waited for an update to mysqljs. With SSL off we had occasional errors, so we switched SSL back on but started passing the new certificates to mysqljs assuming it was certificate related. It wasn't until we turned debug on, we saw it was related to max_connect_errors - hence the possibility that it's something else in this new version of RDS causing connection errors to occur occasionally. |
|
If you saw similar connection errors with SSL off, then I'd be inclined to believe that the errors you are seeing are tied to the engine version change rather than the certificate change. Further, I would be very surprised if the problem that I am addressing with this PR produces a sporadic issue like you describe. If the particular client and server pair you are working with are not processing the intermediate certificates (either because the server cannot process certificate chaining or the certificates are not provided in the client configuration), then certification validation should fail 100% of the time. You might have better luck investigating what changed from 5.5.59 to 5.5.61: I see a couple interesting things in there. 5.5.61 mentions a bug fix related to SSL connections, and 5.5.60 mentions a bug fix related to failed connections. That definitely suggests there were code changes related to connections introduced by the engine version change you applied. |
|
Should the ssl_profiles.js contain the contents of the file that is linked here: |
|
Perhaps. I concur there are differences between those 2 collections of certificates. I sourced the ones documented in the section titled "Intermediate Certificates" because they unambiguously fit the problem I was trying to solve: The global PEM is not as clearly documented, but I wouldn't be surprised if it had certs for other situations like GovCloud. You should be able to research the provenance of each certificate in the PEM. and determine if there are additional certificates that should be added. |
|
I had the same issue after rotating the certificate on my mysql instance. pkg version: 2.18.1 |
Does it work with the contents of the global PEM? As noted earlier, there are differences, and if you can show those differences are substantive than you'll have diagnosed where your issue lies. |
|
We had this issue with MySQL 5.6.10 and nodejs12.x lambda runtime on aws.
It turned out to be a node12 compatibility issue with that version of MySQL
server. Particularly, MySQL 5.6 only supports TLS 1.0 while nodejs12.x
disables that by default. We had to revert our lambda runtime to
nodejs10.x. I hope this helps.
2.18.1 connecting to RDS MySQL 5.6.10a when run in Lambda functions using
runtime nodejs10.x works for us, same config on nodejs12.x fails with an
equivalent error to what you described.
…On Sat, Feb 1, 2020, 3:34 PM Alan Zavari ***@***.***> wrote:
I had the same issue.
I used the latest version with the fix but still getting
HANDSHAKE_SSL_ERROR.
Am I missing something?
pkg version: 2.18.1
Node v12.x
MySQL engine version: 5.6.41
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#2292?email_source=notifications&email_token=ACTRJJGRL3UUJRVJZPXIHALRAXMGZA5CNFSM4KKBTFKKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEKRGBCQ#issuecomment-581066890>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACTRJJCR6XTFRW6HZTJU5K3RAXMGZANCNFSM4KKBTFKA>
.
|
|
Thank you so much @CovertLeopard |
Glad it helped. We found this out when updating our PROD servers last Thursday night due to a discrepancy in MySQL versions between our dev (5.7.12) where it worked fine with nodejs12 and our prod (5.6.10) where it failed. Luckily we were able to research the error and quickly find out that nodejs12 didn't leave TLS 1.0 enabled. Since we use lambda and can't pass arguments to node when it starts, we went back to nodejs10. If you have access to the actual server running node, you might be able to pass the flag in at node launch to enable TLS 1.0. |
|
If you're running in Lambda and you want to remain on to Node v12.x and connect to an older version of MySQL, you can get around the TLS issue by setting this environment variable: |
#2280 added the RDS 2019 global root certificate, sourced from:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
That documentation provides a caveat:
When I attempted to use just the global root certificate as provided in v2.18.0 to connect to an AWS RDS MySQL 5.6.37 server configured with the
rds-ca-2019certificate, I gotHANDSHAKE_SSL_ERRORandError: unable to verify the first certificate. Adding the intermediate certificates tossl_profiles.jsremedied that problem.Adding the intermediate certificates in addition to the root certificate is consistent with what was done when the AWS RDS 2015 certificates were added to this module.
Editing to add: This was using Node 10.17.0, and the RDS instance was in us-east-1.