linux – Avoiding TLS hostname mismatch error with SSH tunnel to database

I want to connect to a database from my local computer through a bastion (jump box) running Linux. The connection to the bastion has to be over ssh (in my particular case, actually ssh over AWS’s SSM), and the connection from the bastion to the database is over TLS (1.2, I believe).

I can make this work by creating a tunnel through the bastion to the DB (something like ssh -L $LOCAL_PORT:$DB_HOSTNAME:$DB_PORT $BASTION_HOSTNAME), but I have to update my /etc/hosts file to avoid errors in my DB client (not ideal). An alternative that seems like it could work much better would be to encrypt/decrypt the TLS traffic going to/coming from the DB on the bastion, rather than on my local computer. I’ve sort of gotten this to work by hacking together gnutls-cli, netcat and some Unix sockets and pipes, but haven’t been able to connect through the same ssh tunnel more than once.

Is there an easy way of setting this up using (relatively) standard Unix/Linux tools, and/or docker containers? It sounds like one might be able to set something up using SOCKS, but I don’t know if that’ll work with my DB client (I happen to be using DataGrip), and I’m not sure I want to go down that rabbit hole.
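The "terminate TLS on the bastion" approach the question describes, written out as an added example (it is not code from the question or from any of the tools it names): a small relay that accepts plaintext on 127.0.0.1 and opens a fresh, fully verified TLS session to the database for every client connection. The names DB_HOST, DB_PORT, LISTEN_PORT and CA_FILE are placeholders chosen for this example. The point it demonstrates is the fix for the hostname mismatch itself: the DB client connects to a local address, but server_hostname tells the TLS library to send SNI for, and check the certificate against, the real database name, so no /etc/hosts edit and no disabled verification is needed.

```python
"""Plaintext-to-TLS relay: a DB client talks plaintext to 127.0.0.1:LISTEN_PORT
(on the bastion, reached through the SSH tunnel); the relay opens one verified
TLS session to DB_HOST:DB_PORT per client connection. All names are placeholders."""
import selectors
import socket
import ssl
import sys
import threading


def make_client_context(ca_file=None):
    """TLS client settings: verify the chain, check the hostname, TLS 1.2+."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def relay(a, b):
    """Copy bytes a<->b until both sides sent EOF; returns (a->b, b->a) byte counts."""
    sel = selectors.DefaultSelector()
    sel.register(a, selectors.EVENT_READ, data=b)
    sel.register(b, selectors.EVENT_READ, data=a)
    sent = {a: 0, b: 0}
    open_sides = 2
    while open_sides:
        for key, _ in sel.select():
            src, dst = key.fileobj, key.data
            data = src.recv(65536)  # blocking sockets: b"" means EOF
            if not data:
                sel.unregister(src)
                open_sides -= 1
                try:
                    dst.shutdown(socket.SHUT_WR)  # propagate the half-close
                except OSError:
                    pass
                continue
            dst.sendall(data)
            sent[src] += len(data)
    sel.close()
    return sent[a], sent[b]


def handle(client, ctx, db_host, db_port):
    """One client connection -> one certificate-verified TLS session to the DB."""
    with client:
        try:
            raw = socket.create_connection((db_host, db_port), timeout=10)
            # server_hostname sets the SNI name and the name checked against the
            # certificate, so verification passes although the DB client only
            # ever connected to 127.0.0.1.
            upstream = ctx.wrap_socket(raw, server_hostname=db_host)
        except ssl.SSLCertVerificationError as exc:
            print(f"refusing to relay: cert for {db_host} failed verification: {exc}", file=sys.stderr)
            return
        except OSError as exc:
            print(f"upstream connect to {db_host}:{db_port} failed: {exc}", file=sys.stderr)
            return
        with upstream:
            upstream.settimeout(None)  # back to blocking mode for relay()
            try:
                relay(client, upstream)
            except OSError:
                pass  # one side dropped mid-transfer; both sockets close here


def serve(listen_host, listen_port, db_host, db_port, ca_file=None):
    """Accept plaintext clients and relay each one on its own thread."""
    ctx = make_client_context(ca_file)
    with socket.create_server((listen_host, listen_port)) as srv:
        while True:
            client, _ = srv.accept()
            threading.Thread(target=handle, args=(client, ctx, db_host, db_port), daemon=True).start()


def demo_relay_with_socketpairs():
    """Exercise relay() with two local socket pairs standing in for the DB client
    and the TLS upstream (constructed test traffic, no network needed)."""
    client_side, relay_client = socket.socketpair()
    relay_upstream, upstream_side = socket.socketpair()
    result = []
    t = threading.Thread(target=lambda: result.append(relay(relay_client, relay_upstream)))
    t.start()
    client_side.sendall(b"hello")             # client -> upstream
    got_upstream = upstream_side.recv(5)
    upstream_side.sendall(b"world!!")         # upstream -> client
    got_client = client_side.recv(7)
    client_side.shutdown(socket.SHUT_WR)      # client half-closes ...
    eof_upstream = upstream_side.recv(1)      # ... and upstream sees EOF
    upstream_side.shutdown(socket.SHUT_WR)
    eof_client = client_side.recv(1)
    t.join(5)
    for s in (client_side, relay_client, relay_upstream, upstream_side):
        s.close()
    return got_upstream, got_client, eof_upstream, eof_client, result[0]


if __name__ == "__main__":
    # usage: python tls_relay.py LISTEN_PORT DB_HOST DB_PORT [CA_FILE]
    serve("127.0.0.1", int(sys.argv[1]), sys.argv[2], int(sys.argv[3]),
          sys.argv[4] if len(sys.argv) > 4 else None)
```

Run it on the bastion bound to 127.0.0.1 and forward to it with ssh -L, or run it locally behind the existing tunnel; either way the plaintext leg stays on loopback or inside SSH. Because every accepted connection gets its own TLS session, repeated connections through the same tunnel work, which is what the gnutls-cli/netcat pipeline could not do. stunnel in client mode with checkHost set to the database hostname does the same job without custom code. One caveat: this assumes the database port accepts a TLS handshake as its first bytes; protocols that negotiate TLS in-band (PostgreSQL's SSLRequest, for instance) need that exchange performed on the upstream socket before wrap_socket is called.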