From b512486f8031eb7a62619b4f03789e025bd4fc59 Mon Sep 17 00:00:00 2001
From: Cheena Malhotra
Date: Mon, 23 Mar 2020 12:58:56 -0700
Subject: [PATCH] Perform Certificate Validation when Force Encryption enabled on Server (NetFx)
---
 .../netfx/src/Microsoft/Data/SqlClient/TdsParser.cs | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/Microsoft.Data.SqlClient/netfx/src/Microsoft/Data/SqlClient/TdsParser.cs b/src/Microsoft.Data.SqlClient/netfx/src/Microsoft/Data/SqlClient/TdsParser.cs
index c4b835c2e7..3237d32a8d 100644
--- a/src/Microsoft.Data.SqlClient/netfx/src/Microsoft/Data/SqlClient/TdsParser.cs
+++ b/src/Microsoft.Data.SqlClient/netfx/src/Microsoft/Data/SqlClient/TdsParser.cs
@@ -1134,10 +1134,8 @@ private PreLoginHandshakeStatus ConsumePreLoginHandshake(SqlAuthenticationMethod
 UInt32 error = 0;
- // If we're using legacy server certificate validation behavior (Authentication keyword not provided and not using access token), then validate if
- // Encrypt=true and Trust Sever Certificate = false.
- // If using Authentication keyword or access token, validate if Trust Server Certificate=false.
- bool shouldValidateServerCert = (encrypt && !trustServerCert) || ((authType != SqlAuthenticationMethod.NotSpecified || _connHandler._accessTokenInBytes != null) && !trustServerCert);
+ // Validate Certificate if Trust Server Certificate=false and Encryption forced (EncryptionOptions.ON) from Server.
+ bool shouldValidateServerCert = (_encryptionOption == EncryptionOptions.ON && !trustServerCert) || ((authType != SqlAuthenticationMethod.NotSpecified || _connHandler._accessTokenInBytes != null) && !trustServerCert);
 UInt32 info = (shouldValidateServerCert ? TdsEnums.SNI_SSL_VALIDATE_CERTIFICATE : 0) | (isYukonOrLater && (_encryptionOption & EncryptionOptions.CLIENT_CERT) == 0 ? TdsEnums.SNI_SSL_USE_SCHANNEL_CACHE : 0);