SSL connections to RDS MySQL/Aurora serverless cluster fail with Node.js

I have been using Node.js LTS with RDS MySQL databases for a while. I recently launched an RDS Aurora Serverless MySQL 5.6 cluster. Unlike my other RDS databases, I cannot connect Node.js to the new serverless cluster over SSL using the node mysql or mysql2 adapters.

From a single Ubuntu instance running a single Node.js application:

I can successfully connect the Node app to any of my older RDS databases (MySQL 5.6.40) using SSL:

// works with other RDS databases:
const fs = require('fs');
const mysql = require('mysql2');
const config = require('../config');

var connectionArgs = {
  host: config.old_rds_host,
  database: config.old_rds_database,
  user: config.old_rds_user,
  password: config.old_rds_password,
  port: config.rds.port,
  ssl: {
    ca: fs.readFileSync(__dirname + '/../rds-combined-ca-bundle.pem')
  }
}

var connection = mysql.createConnection(connectionArgs);

On the same machine, I can connect to the new RDS cluster over SSL with the MySQL client without any problem:

// Works with new RDS serverless cluster:
mysql -u rds_serverless_user -p -h new-rds-serverless-cluster.us-west-2.rds.amazonaws.com -P 3306 --ssl --ssl-ca=./rds-combined-ca-bundle.pem

I can successfully connect the Node app to the new serverless cluster without SSL:

// Works with new RDS serverless cluster:
const fs = require('fs');
const mysql = require('mysql2');
const config = require('../config');

var connectionArgs = {
  host: config.rds_host,
  database: config.rds_serverless_database,
  user: config.rds_serverless_user,
  password: config.rds_serverless_password,
  port: config.rds.port
}

var connection = mysql.createConnection(connectionArgs);

But when I try to connect to the new serverless cluster using the SSL certificate, I get an error saying the server does not support secure connections:

// Fails with new RDS serverless cluster:
const fs = require('fs');
const mysql = require('mysql2');
const config = require('../config');

var connectionArgs = {
  host: config.rds_host,
  database: config.rds_serverless_database,
  user: config.rds_serverless_user,
  password: config.rds_serverless_password,
  port: config.rds.port,
  ssl: {
    ca: fs.readFileSync(__dirname + '/../rds-combined-ca-bundle.pem')
  }
}

var connection = mysql.createConnection(connectionArgs);

Debug: internal, implementation, error 
Error: Server does not support secure connnection
at ClientHandshake.handshakeInit (/home/deploy_user/my-node-rds-app/node_modules/mysql2/lib/commands/client_handshake.js:120:17)
at ClientHandshake.Command.execute (/home/deploy_user/my-node-rds-app/node_modules/mysql2/lib/commands/command.js:40:20)
at Connection.handlePacket (/home/deploy_user/my-node-rds-app/node_modules/mysql2/lib/connection.js:513:28)
at PacketParser.onPacket (/home/deploy_user/my-node-rds-app/node_modules/mysql2/lib/connection.js:81:16)
at PacketParser.executeStart (/home/deploy_user/my-node-rds-app/node_modules/mysql2/lib/packet_parser.js:76:14)
at Socket.<anonymous> (/home/deploy_user/my-node-rds-app/node_modules/mysql2/lib/connection.js:89:29)
at emitOne (events.js:116:13)
at Socket.emit (events.js:211:7)
at addChunk (_stream_readable.js:263:12)
at readableAddChunk (_stream_readable.js:250:11)
at Socket.Readable.push (_stream_readable.js:208:10)
at TCP.onread (net.js:601:20)

So what is different? The only obvious differences between the old RDS databases and the new serverless cluster are that the old instances are MySQL 5.6.40 while the new RDS cluster is Aurora MySQL 5.6.10a. Also, the older RDS instance hostnames resolve to a single private IP, whereas the new cluster hostname resolves to multiple private IPs.

I get the same result with the mysql adapter. I also tried the "Amazon RDS" SSL profile in the mysql adapter and got the same result.

I cannot use IAM database authentication because this service needs to handle more than 20 new connections/second.

Any suggestions would be greatly appreciated.

As of October 2018, Aurora Serverless does not support SSL [1]. In your experiments, your connections were mostly downgraded to insecure connections. You should be able to query the status table to confirm this.

[1] https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.html

Aurora Serverless doesn't support the following features:

Loading data from an Amazon S3 bucket

Invoking an AWS Lambda function with an Aurora MySQL native function

Advanced auditing

Aurora Replicas

Backtrack

Database cloning

IAM database authentication

Cross-region read replicas

Restoring a snapshot from a MySQL DB instance

Migrating backup files from Amazon S3

Connecting to a DB cluster with Secure Socket Layer (SSL)
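The answer above suggests querying the server's status to confirm whether a session was silently downgraded. Below is an added example, not code from the question or either answer, that does exactly that from Node.js with mysql2: it reads the `Ssl_cipher` / `Ssl_version` session status variables and treats an empty cipher as a plaintext session. Note that mysql2 itself already fails closed: when the `ssl` option is set and the server does not advertise SSL in its handshake, it throws the "Server does not support secure connection" error seen in the question rather than falling back. The MySQL 5.6 command-line client's `--ssl` flag, by contrast, only permits SSL and does not require it, which is one reason the CLI "worked" while the Node app did not. `connectAndVerify`, the `rejectUnauthorized: true` setting and the `connectionArgs` shape are this example's own assumptions; the sample status rows are constructed so the check can be run offline.

```javascript
// Added example (not from the original question or answers): check whether a
// mysql2 session is actually encrypted by reading the server's Ssl_* status
// variables, instead of assuming the `ssl` option took effect. An empty
// Ssl_cipher means the server negotiated (or silently fell back to) plaintext.

// Interpret the rows returned by `SHOW SESSION STATUS LIKE 'Ssl_%'`.
// mysql2 returns each row as { Variable_name, Value }.
// Returns { cipher, version } for an encrypted session; throws otherwise.
function checkTlsStatus(rows) {
  const status = Object.create(null);
  for (const row of rows) {
    status[row.Variable_name] = row.Value;
  }
  const cipher = status.Ssl_cipher || '';
  const version = status.Ssl_version || '';
  if (cipher === '') {
    throw new Error(
      'session is not encrypted: Ssl_cipher is empty (plaintext fallback)'
    );
  }
  return { cipher, version };
}

// Connect with TLS enforced, then verify the session before handing it out.
// `connectionArgs` uses the same shape as the question (host, user, password,
// database, port, ssl.ca). mysql2 is required lazily so this file still loads
// and the offline check still runs without the module installed.
async function connectAndVerify(connectionArgs) {
  const mysql = require('mysql2/promise');
  const args = {
    ...connectionArgs,
    ssl: {
      ...(connectionArgs.ssl || {}),
      // Fail closed: reject any server certificate not chaining to the
      // supplied CA bundle (assumed setting, not from the original post).
      rejectUnauthorized: true,
    },
  };
  const connection = await mysql.createConnection(args);
  try {
    const [rows] = await connection.query("SHOW SESSION STATUS LIKE 'Ssl_%'");
    return { connection, tls: checkTlsStatus(rows) };
  } catch (err) {
    await connection.end();
    throw err;
  }
}

// Constructed sample rows, in the shape the query returns, for running the
// check offline: one encrypted session and one plaintext session.
const ENCRYPTED_ROWS = [
  { Variable_name: 'Ssl_cipher', Value: 'ECDHE-RSA-AES128-GCM-SHA256' },
  { Variable_name: 'Ssl_version', Value: 'TLSv1.2' },
];
const PLAINTEXT_ROWS = [
  { Variable_name: 'Ssl_cipher', Value: '' },
  { Variable_name: 'Ssl_version', Value: '' },
];

module.exports = { checkTlsStatus, connectAndVerify, ENCRYPTED_ROWS, PLAINTEXT_ROWS };
```

Usage: `connectAndVerify({ host, user, password, database, port, ssl: { ca: fs.readFileSync('rds-combined-ca-bundle.pem') } })` resolves to `{ connection, tls }` only when the session is encrypted, and rejects otherwise. The same `SHOW SESSION STATUS LIKE 'Ssl_%'` query can be run from the mysql CLI to check whether its `--ssl` flag actually produced an encrypted session.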

I can confirm that RDS Aurora MySQL (Serverless) does finally support SSL/TLS connections to the cluster. However, a MySQL 8.0-compatible client is required (even though the underlying database is only MySQL 5.6.10a, the cluster proxy requires an 8.0 client in order to support SSL).

https://aws.amazon.com/premiumsupport/knowledge-center/rds-error-2026-ssl-connection/

(From the page:)

ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed or ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation

You can receive this error if the certificate identifier (certificate file name) isn't correct. You can also receive this error if the certificate identifier isn't supported by the MySQL client, for example with Aurora Serverless. If you use Aurora Serverless clusters and you use the MySQL client to connect to Aurora Serverless, then you must use the MySQL 8.0-compatible MySQL commands.