DBeaver 5.3.3 EE SSL error connecting to an AWS Aurora database


Linux, 64bit, Fedora 29
Java 8 and 11 (tried both)
Database: AWS Aurora

NOTE: 5.2 works well.

Error:

Error connecting to datasource

Reason:
SSL error: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints

Details:

SSL error: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
  java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
  java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
    Certificates do not conform to algorithm constraints
    Certificates do not conform to algorithm constraints
      Algorithm constraints check failed on keysize limits. RSA 1024bit key used with certificate: C=US, ST=Washington, L=Seattle, O=Amazon.com, OU=RDS, CN=**HIDDEN**.us-east-1.rds.amazonaws.com.  Usage was tls server
      Algorithm constraints check failed on keysize limits. RSA 1024bit key used with certificate: C=US, ST=Washington, L=Seattle, O=Amazon.com, OU=RDS, CN=**HIDDEN**.us-east-1.rds.amazonaws.com.  Usage was tls server

UPDATE: Works with Java 9 somehow… Which is weird.

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 5 (1 by maintainers)

Top GitHub Comments

jamesvl commented, Feb 18, 2019

I believe this bug is actually Fedora 28+ specific to RDS instances (whose server-side SSL mode is “prefer”). It’s not Aurora specific - it happens with RDS Postgres as well.

I finally resolved it with help from this StackOverflow where one of the answers pointed out that Fedora 28 introduced its own java security config file at /etc/crypto-policies/back-ends/java.config:

jdk.tls.ephemeralDHKeySize=1024
jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=DH keySize < 1024, SSLv2, SSLv3, <snipped>...

To resolve, change the restrictions on the RSA algorithm key size: jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 1024

(More details about the settings are in the Oracle JDK Configure Crypto documentation page.)

And for Fedora users, this means that the fix done for Issue #4928 is insufficient if you do want encrypted connections - changing the mode to “allow” simply changes whether or not SSL is even tried. If a non-encrypted connection works, then it’s allowed through.
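To see which entry of the quoted Fedora policy produces the "keysize limits" failure, and what the proposed edit changes, the following added example (not part of the original comment, and not DBeaver or JDK code) evaluates a key size against jdk.certpath.disabledAlgorithms. It goes slightly beyond the comment by handling all six keySize operators; the function names and the simplified matching are assumptions of the example.

```python
import operator
import re

# Operators the JDK accepts in a "keySize" constraint.
OPS = {"<=": operator.le, "<": operator.lt, "==": operator.eq,
       "!=": operator.ne, ">=": operator.ge, ">": operator.gt}
KEYSIZE = re.compile(r"keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)$")

# The two fully shown lines of the Fedora policy quoted in the comment above.
FEDORA_POLICY = """\
jdk.tls.ephemeralDHKeySize=1024
jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048
"""
# Same text with the edit the comment proposes.
EDITED_POLICY = FEDORA_POLICY.replace("RSA keySize < 2048", "RSA keySize < 1024")


def read_property(text, name):
    """Return a property value from java.security-style text (last one wins)."""
    value = None
    for line in text.replace("\\\n", "").splitlines():
        key, sep, val = line.strip().partition("=")
        if sep and not key.startswith("#") and key.strip() == name:
            value = val.strip()
    return value


def rejection_reason(disabled, algorithm, key_bits):
    """Return the entry that disables this key, or None if nothing matches.
    Simplification: exact algorithm names, and only bare entries or a single
    keySize constraint are evaluated; jdkCA/denyAfter/usage/& entries are skipped."""
    for entry in (e.strip() for e in disabled.split(",")):
        name, _, rest = entry.partition(" ")
        if name.upper() != algorithm.upper():
            continue
        rest = rest.strip()
        if not rest:
            return entry  # algorithm disabled regardless of key size
        m = KEYSIZE.match(rest)
        if m and OPS[m.group(1)](key_bits, int(m.group(2))):
            return entry
    return None


def check(policy_text, algorithm, key_bits):
    """Evaluate a key against jdk.certpath.disabledAlgorithms in policy_text."""
    disabled = read_property(policy_text, "jdk.certpath.disabledAlgorithms") or ""
    return rejection_reason(disabled, algorithm, key_bits)
```

Calling check(FEDORA_POLICY, "RSA", 1024) returns the matching entry "RSA keySize < 2048", while the same call on EDITED_POLICY returns None because the edit lowers the certificate-path floor so that 1024-bit RSA keys pass.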

yspolat commented, Sep 19, 2019

I found the following Stackoverflow thread, but it didn’t work. After @jamesvl’s suggestions, it works like a charm for PostgreSQL. I had a connection problem. Thanks a lot.
