"Update Your Amazon RDS SSL/TLS Certificates by October 31, 2019"
I, like a lot of people, received an email saying to update my RDS instance to use the new rds-ca-2019 certificate for SSL connections (the previous one being rds-ca-2015, which expires March 5, 2020). Their documentation about the process is a little sparse and says things like "Update your database applications to use the new SSL/TLS certificate." and "Import the certificate into your operating system." with no further details on the changes required on the client side.
When I initially set things up, I didn't install any certificates and used a vanilla Ubuntu 18.04 EC2 image. The RDS instance was set to use rds-ca-2015, and when I connected to RDS with psql it reported that it was properly using TLSv1.2. If I look at the root certificates installed in the OS, I find 4 "Amazon Root CA" certs numbered 1 through 4. Those don't expire until 2038 and 2040.
So, my question has 2 parts:
- How did the SSL/TLS properly work initially if I had never installed the RDS certs and intermediary certs provided by Amazon?
- If I've changed the RDS database instance to use rds-ca-2019 and it seems to "just work" is there anything more I need to do?
Solution 1:
The default sslmode for PostgreSQL is prefer, which means it will encrypt the connection with the certificate provided by the server but will not verify it. If I were to change the sslmode setting to verify-ca or verify-full, then I would need to install the intermediate certs in a particular directory, and then it would do proper verification.
As I'm not concerned about a MITM attack on my VPC, I don't think I'll bother switching to the 'verify' modes.
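As an added example that is not from either answer, a small libpq connection-string audit in Python that encodes the sslmode distinction drawn above (prefer encrypts without verifying; verify-ca and verify-full verify against a CA bundle, and only verify-full also checks the hostname). The hostnames and certificate paths are placeholders.

```python
"""Audit the TLS protection a libpq connection string actually provides.

Added example, not from the question or answers. Encodes libpq's documented
sslmode semantics: only verify-ca / verify-full check the chain against a CA
(require does so only when a root CA file is configured), and only
verify-full also checks the hostname. Hosts and paths are placeholders.
"""
from urllib.parse import parse_qs, urlparse


def parse_dsn(dsn: str) -> dict:
    """Parse a 'key=value ...' string or a postgresql:// URI into a dict."""
    if dsn.startswith(("postgresql://", "postgres://")):
        url = urlparse(dsn)
        params = {k: v[-1] for k, v in parse_qs(url.query).items()}
        if url.hostname:
            params["host"] = url.hostname
        return params
    params = {}
    for token in dsn.split():
        key, _, value = token.partition("=")
        params[key] = value.strip("'")
    return params


def classify_tls(dsn: str) -> dict:
    """Return what the connection string guarantees and what it leaves open."""
    p = parse_dsn(dsn)
    mode = p.get("sslmode", "prefer")  # libpq default when sslmode is unset
    rootcert = p.get("sslrootcert")    # explicit CA bundle (e.g. the RDS bundle)
    if mode == "disable":
        encryption = "none"
    elif mode in ("allow", "prefer"):
        encryption = "opportunistic"   # silently falls back to plaintext
    else:
        encryption = "required"
    ca_verified = mode in ("verify-ca", "verify-full") or (
        mode == "require" and rootcert is not None)
    hostname_verified = mode == "verify-full"
    issues = []
    if encryption != "required":
        issues.append("server certificate never checked; plaintext possible")
    elif not ca_verified:
        issues.append("encrypted but server certificate is not verified (MITM)")
    elif not hostname_verified:
        issues.append("chain checked but hostname is not (use verify-full)")
    if ca_verified and rootcert is None:
        issues.append("no sslrootcert: libpq falls back to ~/.postgresql/root.crt")
    return {"sslmode": mode, "encryption": encryption, "ca_verified": ca_verified,
            "hostname_verified": hostname_verified, "issues": issues}
```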
Solution 2:
The RDS certificate in question is an intermediate certificate. You might also know it as a CA certificate. When I use MySQL Workbench, for instance, I have to specify that
- I want to use SSL(TLS)
- Use the RDS CA chain file to verify the certificate
How did the SSL/TLS properly work initially if I had never installed the [certificate]?
It depends on how your system is set up. CA certificates simply provide a trusted authority for the presented certificate. It's quite possible to set up something that will accept any certificate at all, without attempting to verify it (i.e. you use a self-signed certificate). Another option is that there is something already in your CA store that trusts it implicitly. This is less likely, but not impossible.
If you're doing this locally (such as you have an EC2 instance in the same VPC as your RDS instance) you might not even need SSL.
If I've changed the RDS database instance to use rds-ca-2019 and it seems to "just work" is there anything more I need to do?
No. It's confusing, but if you're connecting and not getting any certificate errors, I wouldn't worry about it.