Fix | Fix certificate validation #2439
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… CN in certificate.
…, use hostname as CN in certificate instead.
David-Engel
reviewed
Apr 2, 2024
src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SNI/SNICommon.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SNI/SNICommon.cs
Outdated
Show resolved
Hide resolved
JRahnama
reviewed
Apr 2, 2024
src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SNI/SNINpHandle.cs
Show resolved
Hide resolved
JRahnama
reviewed
Apr 2, 2024
src/Microsoft.Data.SqlClient/netfx/src/Microsoft.Data.SqlClient.csproj
Outdated
Show resolved
Hide resolved
|
I had an internal conversation and it is proven that I am wrong. Ignore my comment here. |
|
Also, can you address pipeline failures? |
JRahnama
reviewed
Apr 19, 2024
src/Microsoft.Data.SqlClient/tests/ManualTests/DataCommon/ConnectionTestParametersData.cs
Show resolved
Hide resolved
JRahnama
reviewed
Apr 30, 2024
|
|
||
| # Update the certificates store | ||
| Write-Output "Updating the certificates store..." | ||
| update-ca-certificates -v |
There was a problem hiding this comment.
There are couple of things here, generally it is better to use bash on ubuntu, you will have a better control over the commands.
- Enabling as system CA certificate is missing here. It could be done by dpkg-reconfigure command
- Remember since the server and client are on the same machine you need to configure them for both.
- Removing '!' at the beginning of certificate inside ca-certificate is missed. You can test with
sudo cat /etc/ca-certificates.confcommand to ensure '!' is removed from the certificate name. If '!' shows up Infront of the certificate name it wont be included inupdate-ca-certificatecommand. - It is better to provide chmod 755/777 to ensure sql server has access to those files.
| KeyAlgorithm = "RSA" | ||
| KeyLength = 2048 | ||
| HashAlgorithm = "SHA256" | ||
| TextExtension = "2.5.29.37={text}1.3.6.1.5.5.7.3.1", "2.5.29.17={text}DNS=$fqdn&DNS=$localhost&IPAddress=$LoopBackIPV4&DNS=$sqlAliasName&IPAddress=$LoopBackIPV6" |
There was a problem hiding this comment.
This could be simplified by adding DNSName to paramters.
| Type = "SSLServerAuthentication" | ||
| Subject = "CN=$fqdn" | ||
| KeyAlgorithm = "RSA" | ||
| KeyLength = 2048 |
There was a problem hiding this comment.
Why on Unix you have chosen 4096 and on windows 2048 for key length?
Enable Linux certificate as CA certificate.
… certificate for negative test.
David-Engel
reviewed
May 3, 2024
| @@ -106,13 +106,15 @@ public void OpenningConnectionWithGoodCertificateTest() | |||
|
|
|||
| // Test with Mandatory encryption | |||
| builder.Encrypt = SqlConnectionEncryptOption.Mandatory; | |||
| builder.TrustServerCertificate = true; | |||
There was a problem hiding this comment.
Wouldn't this just mask if the test doesn't set up the server certificate correctly? (Same for line 117.)
There was a problem hiding this comment.
This was addressed in PR #2487.
Comment on lines
+45
to
+80
| string userId = string.Empty; | ||
| string password = string.Empty; | ||
| SqlConnectionStringBuilder builder = new(DataTestUtility.TCPConnectionString); | ||
| userId = builder.UserID; | ||
| password = builder.Password; | ||
|
|
||
| using TestTdsServer server = TestTdsServer.StartTestServer(enableFedAuth: false, enableLog: false, connectionTimeout: 15, | ||
| methodName: "", new X509Certificate2(s_fullPathToPfx, "nopassword", X509KeyStorageFlags.UserKeySet), | ||
| encryptionType: connectionTestParameters.TdsEncryptionType); | ||
|
|
||
| if (userId != string.Empty) | ||
| { | ||
| builder = new(server.ConnectionString) | ||
| { | ||
| UserID = userId, | ||
| Password = password, | ||
| TrustServerCertificate = connectionTestParameters.TrustServerCertificate, | ||
| Encrypt = connectionTestParameters.Encrypt, | ||
| }; | ||
| } | ||
| else | ||
| { | ||
| builder = new(server.ConnectionString) | ||
| { | ||
| IntegratedSecurity = true, | ||
| TrustServerCertificate = connectionTestParameters.TrustServerCertificate, | ||
| Encrypt = connectionTestParameters.Encrypt, | ||
| }; | ||
| } | ||
|
|
||
| if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows) && userId == string.Empty) | ||
| { | ||
| builder.IntegratedSecurity = false; | ||
| builder.UserID = "user"; | ||
| builder.Password = "password"; | ||
| } |
There was a problem hiding this comment.
This seems strange. Why do we switch between integrated and un/pw here? And why use the un/pw from the config? Doesn't the auth not matter since TestTdsServer doesn't care about auth here? Seems like this could be simplified to just a few lines... No?
Suggested change
| string userId = string.Empty; | |
| string password = string.Empty; | |
| SqlConnectionStringBuilder builder = new(DataTestUtility.TCPConnectionString); | |
| userId = builder.UserID; | |
| password = builder.Password; | |
| using TestTdsServer server = TestTdsServer.StartTestServer(enableFedAuth: false, enableLog: false, connectionTimeout: 15, | |
| methodName: "", new X509Certificate2(s_fullPathToPfx, "nopassword", X509KeyStorageFlags.UserKeySet), | |
| encryptionType: connectionTestParameters.TdsEncryptionType); | |
| if (userId != string.Empty) | |
| { | |
| builder = new(server.ConnectionString) | |
| { | |
| UserID = userId, | |
| Password = password, | |
| TrustServerCertificate = connectionTestParameters.TrustServerCertificate, | |
| Encrypt = connectionTestParameters.Encrypt, | |
| }; | |
| } | |
| else | |
| { | |
| builder = new(server.ConnectionString) | |
| { | |
| IntegratedSecurity = true, | |
| TrustServerCertificate = connectionTestParameters.TrustServerCertificate, | |
| Encrypt = connectionTestParameters.Encrypt, | |
| }; | |
| } | |
| if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows) && userId == string.Empty) | |
| { | |
| builder.IntegratedSecurity = false; | |
| builder.UserID = "user"; | |
| builder.Password = "password"; | |
| } | |
| using TestTdsServer server = TestTdsServer.StartTestServer(enableFedAuth: false, enableLog: false, connectionTimeout: 15, | |
| methodName: "", new X509Certificate2(s_fullPathToPfx, "nopassword", X509KeyStorageFlags.UserKeySet), | |
| encryptionType: connectionTestParameters.TdsEncryptionType); | |
| SqlConnectionStringBuilder builder = new(server.ConnectionString) | |
| { | |
| TrustServerCertificate = connectionTestParameters.TrustServerCertificate, | |
| Encrypt = connectionTestParameters.Encrypt, | |
| }; |
There was a problem hiding this comment.
This was addressed in PR #2487.
|
Closing as the rework has been merged with #2487. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR fixes issue #2178.
Problem was with Certificate Chain Link error, which is now resolved by comparing the binary raw data of the client certificate against the server certificate. If both certificates match, we allow it to continue. Prior to this, any certificate policy error, we stopped operations and threw an exception.