ERR_TLS_CERT_ALTNAME_INVALID error when using CNAME as host name for RDS connection

[pawelusfr]

We have a CNAME set in Route53 for our RDS cluster. When using that CNAME as host for MySQL connection we are getting ERR_TLS_CERT_ALTNAME_INVALID error (Hostname/IP does not match certificate's altnames).

SSL option in configuration is set to ssl: 'Amazon RDS'.

This is because the certificate from RDS doesn't have the CNAME listed as altname and AFAIK there is no way to do that in RDS.

This was working fine in mysql2 3.5.0 and broke in 3.5.1 with #2119 and the switch to Tls.connect.

[sidorares]

Are you able to connect if you set rejectUnauthorized to false?

Is the error coming from

node-mysql2/lib/connection.js

Lines 375 to 377 in 48c2b8d

	if (serverIdentityCheckError) {
	onSecure(serverIdentityCheckError);
	return;

or from

node-mysql2/lib/connection.js

Line 385 in 48c2b8d

if (secureEstablished) {

?

[sidorares]

Maybe we need to add SNICallback to handle your scenario

[pawelusfr]

Yes I can connect with rejectUnauthorized: false.

The error is coming from

node-mysql2/lib/connection.js

Line 385 in 48c2b8d

if (secureEstablished) {

One possible workaround would be allowing to pass custom checkServerIdentity function to Tls.connect() (I did a quick check and it will connect if that custom function allows it). This way clients could write their own identity handling for such cases (I believe that's what e.g. pg allows for Postgres).
Though it couldn't be used in conjunction with ssl: 'Amazon RDS' as one would have to pass an object to ssl. That means the client would need a string version of the Amazon certs. Maybe you could add an export of it from mysql2 for such cases?

[sidorares]

I'm actually thinking to deprecate "Amazon RDS" and move it to a separate package, something along the line

import amazonRdsSslProfile from "amozon-rds-certs";  // package name TBD


const conn = mysql.createConnection({
   ssl: {
      ...amazonRdsSslProfile,
      checkServerIdentity: () => null,
   }
}

Maybe you could add an export of it from mysql2 for such cases?
I'd rather go with separate package, not worth exporting if there is a plan to deprecate built in buntle

What needs to be done:

• publish a "rds profile only" package ( with updated certs from Update Amazon RDS SSL CA cert #2131
• use a "rds profile only" package as a dependency
• add a warning when "Amazon RDS" string is passed as ssl parameter, with instructions on how to switch to external package ( minor version )
• remove "rds profile only" package dependency, throw an error when "Amazon RDS" string is passed as ssl parameter, with instructions on how to switch to external package ( major version )

[sidorares]

@dougwilson wdyt about above, with profile repo under mysqljs org, and mysqjs/mysql referencing it in a similar way ( with similar deprecation steps )

[dougwilson]

Hi @sidorares that ia a good idea! Sorry I was away, but I am just getting back now and replying to issues 😅. I'll actually set it up here this weekend. I figure it just is an export of the list in the same format Node.js accepts, of course.