The remote certificate was rejected #665

Closed
dallasbeek opened this issue Nov 30, 2022 · 2 comments

@dallasbeek

Upgraded from 4.6.0 to 5.0.8 and am getting "The remote certificate was rejected by the provided RemoteCertificateValidationCallback." Reverting corrects the issue.


        IDbConnection dbConnection = new StringConnectionService<SqlConnection>("Data Source=*****;Initial Catalog=*****;User ID=*****;Password=*****;MultipleActiveResultSets=true;Integrated Security=False;Persist Security Info=False;")
            .GetConnection();
      
        dbConnection.Execute(
            "; IF SCHEMA_ID(N'App') IS NULL EXEC sp_executesql N'CREATE SCHEMA [App] AUTHORIZATION [dbo]'");

        var dbUpgrade = DeployChanges
            .To
            .SqlDatabase(appSettings.FlexDatabase.ConnectionString)
            .WithVariable("Environment", Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT"))
            .WithScriptsFromFileSystem(@"./DbScripts/")
            .WithTransactionPerScript()
            .WithExecutionTimeout(TimeSpan.FromMinutes(3))
            .JournalToSqlTable("App", "DatabaseMigration")
            .LogToConsole()
            .Build();

        var result = dbUpgrade.PerformUpgrade().Successful;

Console Output

Applying Database Migration
Upgrade failed due to an unexpected exception:
Microsoft.Data.SqlClient.SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: TCP Provider, error: 35 - An internal exception was caught)
---> System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.
at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
at System.Net.Security.SslStream.AuthenticateAsClient(SslClientAuthenticationOptions sslClientAuthenticationOptions)
at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
at Microsoft.Data.SqlClient.SNI.SNITCPHandle.EnableSsl(UInt32 options)
at Microsoft.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action1 wrapCloseInAction)
at Microsoft.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
at Microsoft.Data.SqlClient.TdsParser.EnableSsl(UInt32 info, SqlConnectionEncryptOption encrypt, Boolean integratedSecurity)
at Microsoft.Data.SqlClient.TdsParser.ConsumePreLoginHandshake(SqlConnectionEncryptOption encrypt, Boolean trustServerCert, Boolean integratedSecurity, Boolean& marsCapable, Boolean& fedAuthRequired, Boolean tlsFirst)
at Microsoft.Data.SqlClient.TdsParser.Connect(ServerInfo serverInfo, SqlInternalConnectionTds connHandler, Boolean ignoreSniOpenTimeout, Int64 timerExpire, SqlConnectionString connectionOptions, Boolean withFailover)
at Microsoft.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean ignoreSniOpenTimeout, TimeoutTimer timeout, Boolean withFailover)
at Microsoft.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString connectionOptions, SqlCredential credential, TimeoutTimer timeout)
at Microsoft.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(TimeoutTimer timeout, SqlConnectionString connectionOptions, SqlCredential credential, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance)
at Microsoft.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData, Boolean applyTransientFaultHandling, String accessToken, DbConnectionPool pool)
at Microsoft.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions)
at Microsoft.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnectionPool pool, DbConnection owningObject, DbConnectionOptions options, DbConnectionPoolKey poolKey, DbConnectionOptions userOptions)
at Microsoft.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection)
at Microsoft.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection)
at Microsoft.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection)
at Microsoft.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection)
at Microsoft.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection)
at Microsoft.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource1 retry, DbConnectionOptions userOptions)
at Microsoft.Data.ProviderBase.DbConnectionClosed.TryOpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource1 retry, DbConnectionOptions userOptions)
at Microsoft.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource1 retry, SqlConnectionOverrides overrides)
at Microsoft.Data.SqlClient.SqlConnection.Open(SqlConnectionOverrides overrides)
at Microsoft.Data.SqlClient.SqlConnection.Open()
at DbUp.Engine.Transactions.DatabaseConnectionManager.OperationStarting(IUpgradeLog upgradeLog, List`1 executedScripts) in //src/dbup-core/Engine/Transactions/DatabaseConnectionManager.cs:line 49
at DbUp.Engine.UpgradeEngine.PerformUpgrade() in //src/dbup-core/Engine/UpgradeEngine.cs:line 61
ClientConnectionId:db9a318e-f084-4e8f-ab0a-a1a09c0b649d
Error Number:-2146893019,State:0,Class:20
Database Migration Complete

@dallasbeek dallasbeek added the bug Something isn't working label Nov 30, 2022
@AdrianJSClark
Member

Part of the upgrade from dbup-sqlserver version 4.x to version 5.x was that the previous dependency on the .NET Framework library System.Data.Client was replaced by a reference to the newer Microsoft.Data.Client when compiling against .NET 6.0.

The issues you see here are part of the updated security within Microsoft.Data.Client. You can see the discussion about the change in this PR: Update Encrypt property default value to true (#1210 in dotnet/SqlClient).

From here you have several options:

  1. Ensure that you have a certificate configured in SQL Server that is trusted by your client machines. (Most secure option)
  2. Set Encrypt=false manually in your connection string. (Reverts to old and insecure behaviour which allows man-in-the-middle attacks)
  3. Set TrustServerCertificate=true manually in your connection string. (Blindly accepts any certificate, trusted or not, which allows man-in-the-middle attacks)
  4. Revert to using dbup-sqlserver version 4.6. (Essentially the same as option 2 above)

Unfortunately as this is a change in the underlying SQL Server client libraries there isn't much we can do in DbUp to assist. Making the decision to go into any of the insecure states needs to be a decision you make based on your own application & environment's risk profile.

@AdrianJSClark AdrianJSClark removed the bug Something isn't working label Dec 7, 2022
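
The options listed in the reply above come down to two connection-string keywords, `Encrypt` and `TrustServerCertificate`. The following is an added example, not code from DbUp, SqlClient or either commenter: a pre-flight check that reports which of the insecure options a connection string has opted into before it is handed to `DeployChanges`. It assumes Microsoft.Data.SqlClient 5.x; the class name `SqlTlsPreflight` and the sample server, database and credentials are hypothetical.

```csharp
// Added example (not DbUp or SqlClient code). Assumes Microsoft.Data.SqlClient 5.x.
using System;
using System.Collections.Generic;
using Microsoft.Data.SqlClient;

public static class SqlTlsPreflight // hypothetical helper name
{
    // One finding per keyword that weakens server-certificate validation.
    public static List<string> Audit(string connectionString)
    {
        var builder = new SqlConnectionStringBuilder(connectionString);
        var findings = new List<string>();

        // Encrypt is a SqlConnectionEncryptOption in 5.x and converts implicitly
        // to bool. With no Encrypt keyword the builder reports the 5.x default
        // (on), which is why an unchanged connection string now fails against a
        // server whose certificate the client does not trust.
        bool encrypt = builder.Encrypt;
        if (!encrypt)
            findings.Add("Encrypt=false: TLS is not required (option 2)");

        if (builder.TrustServerCertificate)
            findings.Add("TrustServerCertificate=true: certificate is not validated (option 3)");

        return findings;
    }

    public static void Main()
    {
        // Constructed samples; host, database and credentials are placeholders.
        const string common =
            "Data Source=sql.example.internal;Initial Catalog=AppDb;User ID=app;Password=placeholder;";
        var samples = new Dictionary<string, string>
        {
            ["unchanged 4.x string"] = common,
            ["option 2"] = common + "Encrypt=false;",
            ["option 3"] = common + "TrustServerCertificate=true;",
        };

        foreach (var (name, cs) in samples)
        {
            var findings = Audit(cs);
            Console.WriteLine(findings.Count == 0
                ? $"{name}: validates the server certificate"
                : $"{name}: {string.Join("; ", findings)}");
        }
    }
}
```

A deployment pipeline can treat a non-empty result as a failure outside development environments, so that a downgrade added to get past this error does not reach production unnoticed.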
@dallasbeek
Author

Thank you
