voltone

voltone

Aws_rds_castore - Certificate validation for AWS RDS DBs

aws_rds_castore

Enable verification of server certificates in AWS RDS DB connections, e.g. through EctoSql. Includes the latest private root CA certificate bundle from AWS RDS, along with a helper function to set the connection’s ssl_opts.

Usage: add aws_rds_castore as a dependency and update your DB configuration in runtime.exs as follows:

config :my_app, MyApp.Repo,
  url: database_url,
  ssl: true,
  ssl_opts: AwsRdsCAStore.ssl_opts(database_url)

Also supports Erlang projects, e.g. via pgo.

Credits: Much of the code, in particular the periodic update check in CI, is based on castore | Hex.

Q: Why do I need this?
A: AWS RDS uses privately issued certificates for DB servers, so certificate verification against the standard (OS or Hex package) trust stores would fail; in practice the server certificate is often ignored

Q: Is it not enough to just set ssl: true ?
A: Setting ssl: true will enable TLS, which ensures the DB connection is encrypted and therefore protected from snooping by a passive attacker. However, on OTP versions prior to 26 the server certificate is ignored by default, which means an active attacker could potentially hijack the communication without being detected.

Q: Does this fix the “Server authenticity is not verified…” message logged by OTP 25?
A: Yes, enabling server certificate verification using the ssl_opts from this library will eliminate this warning

Q: Will this work with OTP 26, where certificate verification is enabled by default?
A: I have not yet tried OTP 26 with AWS RDS, but I suspect it will fail to connect to AWS RDS over TLS without ssl_opts, because it will try to verify the server certificate against the OS trust store. Using this package and the ssl_opts it generates should fix that.

Q: Why do I need to pass the server’s URL/hostname to ssl_opts?
A: At least for Postgres-type databases the TLS handshake is started on a previously established TCP connection. In such cases the ssl module needs to be told explicitly which hostname to use when verifying the server certificate.

Q: Does this work with all AWS RDS DB types?
A: For now it has only been tested with Postgres-type DB instances. Please let me know if you use it with other DB types, either successfully or unsuccessfully.

Links:

Most Liked

voltone

voltone

Due to the increased relevance (thanks to ssl changes in OTP 26) and interest I decided to turn this project into a hybrid Elixir/Erlang project: v1.1 can be built using Rebar3 and includes an Erlang module aws_rds_castore with the same API as the Elixir module.

One small warning: in order to ensure consistent behavior in Elixir and Erlang projects, this new version relies on the uri_string module from the Erlang/OTP standard library. This module is only available on OTP 21 or later, on older versions the ssl_opts function does not accept URIs, only hostnames.

Where Next?

Popular in Announcing Top

OvermindDL1
I created a new library (rather I pulled out a couple files from my big project), it manages an operating system PID file for the BEAM. ...
New
tmbb
PhoenixWS - Websockets over Phoenix Channels Source code on Github here: GitHub - tmbb/phoenix_ws: Websockets implemented over Phoenix Ch...
New
brainlid
LangChain is short for Language Chain. An LLM, or Large Language Model, is the “Language” part. This library makes it easier for Elixir a...
New
kip
ex_cldr provides localisation and internationalisation support based upon the data from the Unicode CLDR project. Unicode released CLDR ...
407 13014 120
New
Crowdhailer
Experimenting with this code. OK.try do user <- fetch_user(1) cart <- fetch_cart(1) order = checkout(cart, user) save_orde...
New
Flo0807
Hello everyone! I am excited to share our heart project Backpex with you. After building several Phoenix applications, we realized that...
New
Jskalc
Hi! Today, after a couple weeks of development I’ve released v0.1 of LiveVue. It’s a seamless integration of Vue and Phoenix LiveView, i...
New
archan937
It is a well-know topic within the Elixir community: “To mock or not to mock? :)” Every alchemist probably has his / her own opinion con...
New
scohen
Lexical Lexical is a next-generation language server for the Elixir programming language. Features Context aware code completion As-you...
New
zoltanszogyenyi
Hey everyone :waving_hand: Excited to join this forum - I am one of the founders and current project maintainers of a popular and open-s...
New

Other popular topics Top

axelson
This post is a wiki (feel free to hit the edit button near the bottom right of this post to add your own changes!) This post collects co...
239 48342 226
New
hariharasudhan94
lets say i have a sample like a = 20; b = 10; if (a > b) do {:ok, "a"} end if (a < b) do {:ok, b} end if (a == b) do {:ok, "equa...
New
chrismccord
This release brings a number of exciting features, including integration with the new Phoenix LiveDashboard and Phoenix LiveView. There h...
New
stefanchrobot
What’s the safe way to decode a JSON string into a struct? I want to avoid calling String.to_atom. Jason.decode can give me a map with st...
New
grych
Hi folks, Few months ago I have announced the proof-of-concept of the library to manipulate the browsers DOM objects directly from Elixi...
639 52673 488
New
nobody
Hi! In PHP: $_SERVER[‘SERVER_ADDR’] - in Elixir? Searched the docs for ip address and the web, no good results. Thanks!
New
ashish173
I am using Ecto timestamps with postgres, I can see the timestamps() use the :naive_dateime but for my use case I wanted to store the ti...
New
nsuchy
Hi. I’ve noticed that Windows Powershell has it’s own IEX command and you cannot access Elixir’s IEX due to the conflict. This isn’t a cr...
New
hariharasudhan94
Lets say I have map like this fetching from my database %{"_id" => #BSON.ObjectId<58eb1a7a9ad169198c3dXXXX>, "email" => ...
New
vegabook
I’m brand new to Phoenix and I have stripped one of the demo applications to the bone. I just want to get an svg up on the screen. Here i...
New

Latest on Elixir Forum

Elixir Forum

We're in Beta

About us Mission Statement