Hi everybody,

Has anybody already established a connection to AWS Aurora PostgreSQL with stunnel? I can't establish a connection, and it may be an issue with channel binding.

My config looks like this:

; Sample stunnel configuration file for Win64 by Michal Trojnara 1998-2025
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options

; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; Debugging stuff (may be useful for troubleshooting)
debug = 7
output = stunnel.log

; Enable FIPS 140-2 mode if needed for compliance
fips = yes

; The CNG engine allows stunnel to integrate with the Windows Cryptography API:
; Next Generation (CNG) for authentication with private keys stored in the
; Windows certificate store. It serves as a drop-in replacement for the legacy
; OpenSSL Cryptography API (CAPI) engine.
; https://www.stunnel.org/cng-engine.html
; Each section using this feature also needs the "engineId = cng" option
engine = cng

; The pkcs11 engine allows for authentication with cryptographic
; keys isolated in a hardware or software token
; MODULE_PATH specifies the path to the pkcs11 module shared library,
; such as softhsm2-x64.dll or opensc-pkcs11.dll
; IMPORTANT: A 64-bit stunnel requires 64-bit PKCS#11 modules
; Each section using this feature also needs the "engineId = pkcs11" option
;engine = pkcs11
;engineCtrl = MODULE_PATH:softhsm2-x64.dll
;engineCtrl = PIN:1234

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

; Enable support for the insecure SSLv3 protocol
;options = -NO_SSLv3

; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; **************************************************************************
; * Include all configuration file fragments from the specified folder     *
; **************************************************************************

;include = conf.d

; **************************************************************************
; * Service definitions (at least one service has to be defined)           *
; **************************************************************************

[postgreSQL_TLS]
client = yes
;engineId = cng
accept = 5433
connect = xxx.rds.amazonaws.com:5432
protocol = pgsql
CAfile = C:\cert\xxx-bundle.pem
verifyChain = yes
checkHost = xxx.rds.amazonaws.com

 

Thanks for any recommendations.

Best regards

Rolf Grube, MBA
Senior Manager

Oberender AG
Elsenheimerstraße 59 | 80687 München
t: +49 89 8207516-0 | m: +49 173 2035 133
rolf.grube@oberender.com
www.oberender.com

Chairman of the Supervisory Board: Dipl.-Volkswirtin Irmtraut Gürkan
Management Board: Jan Hacker (Chairman), Jochen Baierlein
Commercial register: Amtsgericht Bayreuth, HRB 4267
Registered office: Bayreuth

This e-mail contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please inform the sender immediately and destroy this e-mail. Unauthorized copying or forwarding of this e-mail is not permitted.
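Added example (not part of the message above, and not stunnel or libpq code): a stdlib-only Python model of the two negotiations that meet in this setup. With protocol = pgsql in client mode, stunnel itself sends the PostgreSQL SSLRequest packet to the server and starts TLS only after the server answers 'S', while the database client talks plaintext to the accept port. SCRAM-SHA-256-PLUS channel binding, by contrast, is computed by the database client from the TLS session on its own socket, so the gs2 header it sends (n, y or p=tls-server-end-point) depends on whether that socket is TLS at all. The choose_mechanism() rules are a simplified model of libpq's channel_binding=disable|prefer|require handling, not libpq's code; the mechanism list, certificate bytes, user name and nonce are constructed inputs.

```python
"""Model of the PostgreSQL negotiation behind stunnel's ``protocol = pgsql``
and of the SCRAM channel-binding choice a database client makes.

Added example, stdlib only.  Wire constants follow the PostgreSQL
frontend/backend protocol and RFC 5802/5929/7677; choose_mechanism() is a
simplified model of libpq's behaviour (assumption), not libpq code.
All sample inputs are constructed for the demo.
"""
import base64
import hashlib
import struct

SSL_REQUEST_CODE = 80877103          # (1234 << 16) | 5679, PostgreSQL SSLRequest
CB_TYPE = "tls-server-end-point"     # the only binding type PostgreSQL supports


def ssl_request_packet() -> bytes:
    """The 8-byte SSLRequest stunnel sends to the server in pgsql client mode."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def parse_ssl_response(byte: bytes) -> bool:
    """Server answers SSLRequest with one byte: b'S' (start TLS) or b'N' (no TLS)."""
    if byte == b"S":
        return True
    if byte == b"N":
        return False
    raise ValueError(f"unexpected SSLRequest response: {byte!r}")


def parse_sasl_mechanisms(body: bytes) -> list:
    """Mechanism names from an AuthenticationSASL message body: NUL-terminated
    strings ending with an empty name.  A server lists SCRAM-SHA-256-PLUS only
    when the connection it sees is TLS."""
    names = []
    for name in body.split(b"\x00"):
        if name == b"":
            break
        names.append(name.decode("ascii"))
    return names


def choose_mechanism(offered, ssl_in_use: bool, channel_binding: str = "prefer"):
    """Simplified model of libpq's choice for channel_binding=disable|prefer|require.
    Returns (mechanism, gs2_header).  The client can only bind to a TLS session
    that terminates on its own socket; behind a plaintext stunnel accept port,
    ssl_in_use is False from the client's point of view."""
    if channel_binding == "require" and not ssl_in_use:
        raise ValueError("channel binding required, but SSL not in use")
    want_cb = ssl_in_use and channel_binding != "disable"
    if want_cb and "SCRAM-SHA-256-PLUS" in offered:
        return "SCRAM-SHA-256-PLUS", f"p={CB_TYPE},,"
    if "SCRAM-SHA-256" not in offered:
        raise ValueError("no supported SASL mechanism offered")
    if channel_binding == "require":
        raise ValueError("channel binding required, but server did not offer it")
    # 'y' = client could bind but believes the server cannot; 'n' = client cannot or will not
    return "SCRAM-SHA-256", ("y,," if want_cb else "n,,")


def channel_binding_data(cert_der: bytes, sig_hash: str) -> bytes:
    """RFC 5929 tls-server-end-point: hash the server certificate's DER with the
    hash of its signature algorithm; MD5 and SHA-1 are upgraded to SHA-256.
    sig_hash is the bare hash name (e.g. 'sha256'); cert_der may be constructed."""
    name = sig_hash.lower().replace("-", "")
    if name in ("md5", "sha1"):
        name = "sha256"
    return hashlib.new(name, cert_der).digest()


def client_first_message(gs2_header: str, user: str, client_nonce: str) -> str:
    """SCRAM client-first: gs2-header followed by the bare n=,r= attributes."""
    return f"{gs2_header}n={user},r={client_nonce}"


def client_final_c_attribute(gs2_header: str, cb_data: bytes = b"") -> str:
    """The 'c=' attribute of client-final: base64(gs2-header || cb-data)."""
    return base64.b64encode(gs2_header.encode("ascii") + cb_data).decode("ascii")


if __name__ == "__main__":
    # Constructed AuthenticationSASL body as a TLS-facing server would send it.
    offered = parse_sasl_mechanisms(b"SCRAM-SHA-256-PLUS\x00SCRAM-SHA-256\x00\x00")
    # Client behind stunnel: its own socket to 127.0.0.1:5433 is plaintext.
    print(choose_mechanism(offered, ssl_in_use=False))   # ('SCRAM-SHA-256', 'n,,')
    # Client that speaks TLS to the server itself.
    mech, gs2 = choose_mechanism(offered, ssl_in_use=True)
    print(mech, gs2)                                     # SCRAM-SHA-256-PLUS p=tls-server-end-point,,
    cb = channel_binding_data(b"constructed, not a real DER certificate", "sha256")
    print(client_first_message(gs2, "demo_user", "rOprNGfwEbeRWgbNEkqO"))
    print(client_final_c_attribute(gs2, cb))
```

Running the script shows the two cases side by side: the same server offer yields a plain SCRAM-SHA-256 exchange with header n,, when the client's socket is plaintext, and SCRAM-SHA-256-PLUS with p=tls-server-end-point,, when the client holds the TLS session itself. The c= attribute in the final message is what the server compares against the binding data it derives from its own certificate.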