Add support for sql server certificate chain validation #44

Open
rgl opened this issue Aug 13, 2020 · 6 comments
Comments

@rgl
Contributor

rgl commented Aug 13, 2020

SQL Server does not use a raw TLS connection, instead it uses something similar to STARTTLS/Opportunistic_TLS, where you first need to do a clear text handshake to tell it to switch to TLS.

It would be pretty nice to have support for this in ssl_exporter. I already have rgl/dump-sql-server-certificate-chain that dumps the certificates, with some modification I believe it can be integrated here (e.g. by handling tds:// schemed urls).

What do you think?
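To make the clear-text handshake rgl describes concrete, here is an added Go example (not rgl's code, not the ssl_exporter project's, and not taken from go-mssqldb) that builds the TDS PRELOGIN packet a prober would send, parses the ENCRYPTION option out of a PRELOGIN reply, and decides whether a TLS handshake follows. It assumes the MS-TDS packet layout as I read it (8-byte header, option table of token/offset/length entries terminated by 0xFF, ENCRYPTION values 0x00 to 0x03); the server reply in `main` is constructed, not captured from a real server, and the `TLSHandshakeFollows` rule (only ENCRYPT_NOT_SUP rules out TLS) should be checked against the spec before relying on it.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// TDS packet header (MS-TDS 2.2.3.1): type, status, big-endian length, SPID, packet id, window.
const (
	PacketPrelogin = 0x12 // PRELOGIN; also wraps the TLS handshake records once encryption is agreed
	StatusEOM      = 0x01 // end of message
	HeaderLen      = 8
)

// PRELOGIN option tokens (MS-TDS 2.2.6.5).
const (
	OptVersion    = 0x00
	OptEncryption = 0x01
	OptInstance   = 0x02
	OptThreadID   = 0x03
	OptMARS       = 0x04
	OptTerminator = 0xFF
)

// ENCRYPTION option values exchanged in PRELOGIN.
const (
	EncryptOff    = 0x00 // only the LOGIN7 packet is encrypted
	EncryptOn     = 0x01
	EncryptNotSup = 0x02 // server cannot do TLS at all
	EncryptReq    = 0x03
)

// PreloginOption is one (token, payload) pair.
type PreloginOption struct {
	Token byte
	Data  []byte
}

// BuildPreloginBody serialises the option table (token, offset, length per option,
// then the terminator) followed by the concatenated payloads. Offsets are relative
// to the start of the PRELOGIN body.
func BuildPreloginBody(opts []PreloginOption) []byte {
	table := make([]byte, 5*len(opts)+1)
	off := len(table)
	var payload []byte
	for i, o := range opts {
		table[5*i] = o.Token
		binary.BigEndian.PutUint16(table[5*i+1:], uint16(off))
		binary.BigEndian.PutUint16(table[5*i+3:], uint16(len(o.Data)))
		off += len(o.Data)
		payload = append(payload, o.Data...)
	}
	table[5*len(opts)] = OptTerminator
	return append(table, payload...)
}

// WrapTDSPacket prefixes a payload with a TDS header; SPID, packet id and window
// are left zero, which is what a client-initiated PRELOGIN carries.
func WrapTDSPacket(ptype byte, payload []byte) []byte {
	pkt := make([]byte, HeaderLen+len(payload))
	pkt[0] = ptype
	pkt[1] = StatusEOM
	binary.BigEndian.PutUint16(pkt[2:], uint16(len(pkt)))
	copy(pkt[HeaderLen:], payload)
	return pkt
}

// BuildPreloginPacket is the clear-text packet sent first, asking the server to
// negotiate encryption (a prober wanting the certificate chain sends EncryptOn).
func BuildPreloginPacket(encryption byte) []byte {
	return WrapTDSPacket(PacketPrelogin, BuildPreloginBody([]PreloginOption{
		{Token: OptVersion, Data: []byte{0, 0, 0, 0, 0, 0}},
		{Token: OptEncryption, Data: []byte{encryption}},
		{Token: OptInstance, Data: []byte{0}},
		{Token: OptThreadID, Data: []byte{0, 0, 0, 0}},
		{Token: OptMARS, Data: []byte{0}},
	}))
}

// ParsePreloginEncryption walks the option table of a PRELOGIN packet and returns
// the ENCRYPTION value, rejecting offsets that point outside the packet.
func ParsePreloginEncryption(pkt []byte) (byte, error) {
	if len(pkt) < HeaderLen || pkt[0] != PacketPrelogin {
		return 0, errors.New("not a PRELOGIN packet")
	}
	if int(binary.BigEndian.Uint16(pkt[2:])) != len(pkt) {
		return 0, errors.New("TDS header length does not match packet")
	}
	body := pkt[HeaderLen:]
	for i := 0; i < len(body); i += 5 {
		tok := body[i]
		if tok == OptTerminator {
			break
		}
		if i+5 > len(body) {
			return 0, errors.New("truncated PRELOGIN option table")
		}
		off := int(binary.BigEndian.Uint16(body[i+1:]))
		ln := int(binary.BigEndian.Uint16(body[i+3:]))
		if off+ln > len(body) {
			return 0, fmt.Errorf("option 0x%02x points outside packet", tok)
		}
		if tok == OptEncryption {
			if ln != 1 {
				return 0, errors.New("ENCRYPTION option must be 1 byte")
			}
			return body[off], nil
		}
	}
	return 0, errors.New("no ENCRYPTION option in PRELOGIN")
}

// TLSHandshakeFollows reports whether the client should now start a TLS handshake
// (records carried inside PRELOGIN-typed TDS packets until it completes).
// Assumption from MS-TDS: only ENCRYPT_NOT_SUP means no TLS at all.
func TLSHandshakeFollows(serverEncryption byte) bool {
	return serverEncryption != EncryptNotSup
}

func main() {
	req := BuildPreloginPacket(EncryptOn)
	fmt.Printf("PRELOGIN request (%d bytes): %x\n", len(req), req)
	// Constructed server reply, not captured from a real server: ENCRYPT_REQ.
	resp := WrapTDSPacket(PacketPrelogin, BuildPreloginBody([]PreloginOption{
		{Token: OptVersion, Data: []byte{0x0f, 0x00, 0x10, 0x00, 0x00, 0x00}},
		{Token: OptEncryption, Data: []byte{EncryptReq}},
	}))
	enc, err := ParsePreloginEncryption(resp)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("server ENCRYPTION=%d, TLS handshake follows: %v\n", enc, TLSHandshakeFollows(enc))
}
```

The part this example deliberately stops short of is the piece that makes the integration awkward for a generic STARTTLS prober: once the reply is parsed, the TLS ClientHello and the rest of the handshake are not written to the raw socket but framed inside further PRELOGIN-typed TDS packets, so a `net.Conn` wrapper that adds and strips that framing is needed before `tls.Client` can be handed the connection and the certificate chain read from its state.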

@ribbybibby
Owner

Interesting. What does the required handshake look like? Do you think it could be integrated in the same way that I've integrated other starttls protocols: https://github.com/ribbybibby/ssl_exporter/blob/master/prober/tcp.go#L75-L124?

I'd rather not import client specific libraries for every protocol here.

@rgl
Contributor Author

rgl commented Aug 13, 2020

I do not really know the details, nor do I know how complex it is to go that route. In theory we should be able to extract that part from the mssql client.

@rgl
Contributor Author

rgl commented Aug 17, 2020

After looking more closely at the code, I think it's way too complex to handle this without using the mssql library.

Have a look at https://github.com/denisenkom/go-mssqldb/blob/0f454e2ecd6ad8fb4691cdbf10e399e05ca03784/tds.go#L833-L949.

Can I prepare a patch using that library?

@ribbybibby
Owner

It's possible that we could simplify what that library is doing down to the bare essentials and reduce a lot of the complexity. I'd be interested in looking into it myself as I think a generalised approach could then apply to other protocols.

@rgl
Contributor Author

rgl commented Aug 20, 2020

Wouldn't that complexity be almost eliminated by the compiler?

Wouldn't the complexity of implementing/maintaining the protocol be shifted here?

In the meantime, I have a working tds prober at https://github.com/rgl/ssl_exporter/tree/add-tds-prober, can you have a look at it?

BTW, do you know about https://github.com/square/certigo/tree/master/starttls? It contains other protocols that would be useful to adopt here, like PostgreSQL.

@ribbybibby
Owner

ribbybibby commented Aug 23, 2021

Support for postgresql was added here: #77. I wonder if it would be possible to use the same approach for mssql.
