Force SSL on AWS RDS Postgres

Question

I've got a brand new Postgres 11 RDS instance that I can connect to with or without an SSL cert. However, I would like to ensure that we never connect to this database without SSL. So I have taken the following steps to attempt to enforce this:

1. Create a new parameter group because the default ones are not editable.
2. Change the value of rds.force_ssl to 1.
3. Change my database parameter group to the new one, selecting "Apply immediately"
4. Wait for the parameter group to apply, once the status changes from "(applying)" to "(pending-reboot)"
5. Once this group has been applied, I reboot the instance.
6. Then when I connect using the cli: psql -h aws_hostname -p 5432 "dbname=mydbname user=dbuser" I would expect the connection to fail because I have not specified the SSL certificate.

The output is:

Password for user postgres:
psql (11.5)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

mydbname=>

So I can see that the connection is over TLSv1.2. However, I don't understand why AWS appears to allow you to enforce SSL, and provides a way to download a certificate to do this, but does not use it. I was expecting to be forced to provide the certificate when connecting like this:

psql -h aws_hostname -p 5432 "dbname=mydbname user=dbuser sslrootcert=rds-combined-ca-bundle.pem sslmode=verify-full"

Answer 1

但是，我不明白为什么 AWS 似乎允许您强制执行 SSL，并提供了一种下载证书的方法来执行此操作，但不使用它。我期望像这样连接时被迫提供证书

服务器可以强制客户端使用ssl建立连接，但不能强制客户端验证服务器的证书。

如果您的客户端是基于 libpq 的，那么当且仅当它可以找到根证书文件（通常位于 ~/.postgresql/root.crt，如果没有指定为其他文件）时，它将验证证书。如果您在客户端上指定 PGSSLMODE=verify-ca 或以上，则如果找不到根证书文件，客户端将抛出错误。如果 sslmode 低于该级别并且客户端找不到根证书文件，那么它将使用服务器的证书来协商加密，但不会使用它来验证服务器的身份。因此，您可以免受被动窃听，但无法免受主动 MITM 攻击。