Amazon RDS – Update Your Amazon RDS SSL/TLS Certificates by October 31, 2019

Tags: amazon-rds, amazon-web-services, ssl, ssl-certificate

I, like a lot of people, received an email saying to update my RDS instance to use the new rds-ca-2019 certificate for SSL connections (the previous one being rds-ca-2015, which expires March 5, 2020). Their documentation about the process is a little sparse and says things like "Update your database applications to use the new SSL/TLS certificate." and "Import the certificate into your operating system." with no further details on the changes required on the client side.

When I initially set things up, I didn't install any certificates and used a vanilla Ubuntu 18.04 EC2 image. The RDS instance was set to use rds-ca-2015, and when I connected to RDS with psql it reported that it was properly using TLSv1.2. If I look at the root certificates installed in the OS, I find 4 "Amazon Root CA" certs numbered 1 through 4. Those don't expire until 2038 and 2040.

So, my question has 2 parts:

  1. How did the SSL/TLS properly work initially if I had never installed the RDS certs and intermediary certs provided by Amazon?
  2. If I've changed the RDS database instance to use rds-ca-2019 and it seems to "just work", is there anything more I need to do?

Best Answer

The default sslmode for PostgreSQL is prefer, which means it will encrypt the connection with the certificate provided by the server but will not verify it. If I were to change the sslmode setting to verify-ca or verify-full, then I would need to install the intermediate certs in a particular directory, and then it would do proper verification.

As I'm not concerned about a MITM attack on my VPC, I don't think I'll bother switching to the 'verify' modes.
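For anyone who does want the verify behaviour the answer describes, here is an added shell example (not part of the question or the answer) that builds a libpq connection string with sslmode=verify-full pointing at an explicit CA bundle, sanity-checks that bundle, and asks the server what it actually negotiated. The endpoint, database, user and bundle path are placeholders you supply.

```shell
#!/bin/sh
# Added example, not from the original post. Requires psql and openssl.
# Placeholders: host name, dbname, user and the path to the RDS CA bundle.

# Build a key=value libpq connection string. sslmode=verify-full checks that
# the server certificate chains to the given root AND that its name matches
# the host, which is what closes the MITM gap left open by sslmode=prefer.
rds_conn_string() {
    host="$1"; dbname="$2"; user="$3"; rootcert="$4"
    printf 'host=%s port=5432 dbname=%s user=%s sslmode=verify-full sslrootcert=%s' \
        "$host" "$dbname" "$user" "$rootcert"
}

# Sanity-check the CA bundle before pointing psql at it: it must be readable,
# parse as PEM, and (first certificate in the file) not expire within 30 days.
rds_check_rootcert() {
    rootcert="$1"
    [ -r "$rootcert" ] || { echo "missing CA bundle: $rootcert" >&2; return 1; }
    openssl x509 -in "$rootcert" -noout -checkend 2592000 >/dev/null 2>&1 \
        || { echo "CA bundle unreadable or expiring within 30 days" >&2; return 1; }
    return 0
}

# Connect and report the negotiated TLS state for this session. With
# verify-full, a server certificate that does not chain to the trusted root
# causes the connection to fail before this query ever runs.
rds_show_ssl() {
    psql "$(rds_conn_string "$@")" -Atc \
        "SELECT ssl, version, cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid();"
}

# Usage (placeholder endpoint and bundle path):
# rds_check_rootcert "$HOME/rds-ca-2019-root.pem" && \
#   rds_show_ssl mydb.xxxx.us-east-1.rds.amazonaws.com mydb appuser "$HOME/rds-ca-2019-root.pem"
```

If the bundle you downloaded contains more than one certificate, the expiry check above only inspects the first one; split the file or loop over the certificates to check all of them.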