Fix | Disable encryption when connecting to SQL Local DB #1312

Merged
merged 1 commit into from
Oct 6, 2021


cheenamalhotra
Member

@cheenamalhotra cheenamalhotra commented Oct 4, 2021

This change disables encryption when a connection to SQL Local DB is being made as SQL Local DB does not support encryption.

@cheenamalhotra cheenamalhotra added this to In progress in SqlClient v4.0 via automation Oct 4, 2021
@cheenamalhotra cheenamalhotra added this to the 4.0.0-preview3 milestone Oct 4, 2021
@JRahnama
Member

JRahnama commented Oct 4, 2021

LGTM. Just a minor suggestion.

SqlClient v4.0 automation moved this from In progress to Reviewer approved Oct 6, 2021
@cheenamalhotra cheenamalhotra merged commit 08059dd into dotnet:main Oct 6, 2021
SqlClient v4.0 automation moved this from Reviewer approved to Done Oct 6, 2021
Aniruddh25 added a commit to Azure/data-api-builder that referenced this pull request Jan 30, 2023
… configured (#1134)

## Why make this change?

- Close #1080 

## What is this change?

- Add a new property `IsLateConfigured` to `RuntimeConfigProvider` to identify late configuration. If configuration is NOT provided at startup, we mandate connections to SQL databases are encrypted and that the client verifies the server certificate. 
- This translates to `Encrypt=true, TrustServerCertificate=false` attributes of the connection string. Server name in the connection string should match the certificate name exactly.
- However, if configuration is provided at startup, we will rely on the connection string to provide the correct settings for encrypted connections/server certificate validations in order to suit local development preferences.
- Modify `SqlQueryExecutor` to store a `ConnectionStringBuilder` property instead of `ConnectionString` to easily set different attributes of the connection string.
- Even though the integration tests provide configuration at startup, we set `IsLateConfigured = true` so the tests run with encrypted connections always since that is the most secure way. 
- To enable encryption for SQL Server on Linux, we added a modified `start-mssql-server.bash` script. Referred to [this doc](https://learn.microsoft.com/en-us/sql/linux/sql-server-linux-docker-container-security?view=sql-server-ver16#encrypt-connections-to-sql-server-linux-containers).

## How was this tested?

- [X] Integration Tests
All tests serve as good regression tests since connections fail if the connection string properties aren't honored.

## Sample Request(s)

```
# Example Connection string when self signed cert name = mssqlserver.cert.name
"Server=mssqlserver.cert.name,1433;Database=master;MultipleActiveResultSets=False;User=sa;Password=XXX;Encrypt=true;TrustServerCertificate=false"
```

## Note
For testing on SQL Server on Windows, we use SQL LocalDB which doesn't support encryption.
![image](https://user-images.githubusercontent.com/3513779/215607882-41e45828-9d2d-4092-92f4-538d0317cdca.png)
The SqlClient library would override and disable encryption for local db as per this change: dotnet/SqlClient#1312
Since encryption is disabled for SQLLocalDB on Windows, this change is only tested for SQL on Linux.

## References:
1. [TLS Considerations](https://learn.microsoft.com/en-us/azure/azure-sql/database/connect-query-content-reference-guide?view=azuresql#tls-considerations-for-database-connectivity)
2. [Client Initiated Encryption](https://learn.microsoft.com/en-us/sql/linux/sql-server-linux-encrypted-connections?view=sql-server-ver16#client-initiated-encryption)
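
The policy described in the commit message above, sketched with `SqlConnectionStringBuilder` as an added example; it is not code from dotnet/SqlClient or Azure/data-api-builder. `ConnectionPolicy`, `HardenIfLateConfigured` and `IsLocalDb` are hypothetical names, and recognising LocalDB by the `(localdb)\` data source prefix is an assumption of this sketch.

```csharp
using System;
using Microsoft.Data.SqlClient;

// Added illustration with hypothetical names; not the project's own code.
public static class ConnectionPolicy
{
    // Assumption: a LocalDB target is identified by the "(localdb)\" prefix
    // of the data source. Other ways of addressing LocalDB are not covered.
    public static bool IsLocalDb(SqlConnectionStringBuilder builder) =>
        builder.DataSource.TrimStart()
               .StartsWith(@"(localdb)\", StringComparison.OrdinalIgnoreCase);

    // Late-configured: force encryption and server certificate validation.
    // Configured at startup: keep whatever the connection string asks for.
    public static SqlConnectionStringBuilder HardenIfLateConfigured(
        string connectionString, bool isLateConfigured)
    {
        var builder = new SqlConnectionStringBuilder(connectionString);
        if (isLateConfigured)
        {
            builder.Encrypt = true;
            builder.TrustServerCertificate = false;
        }
        if (IsLocalDb(builder))
        {
            // Per the page, SqlClient disables encryption for LocalDB, so the
            // attributes set above do not yield an encrypted channel here.
            Console.Error.WriteLine(
                $"warning: '{builder.DataSource}' is LocalDB; connection will not be encrypted");
        }
        return builder;
    }

    public static void Main()
    {
        // Constructed sample inputs. The first is the page's example string
        // with the encryption attributes left out; XXX is a placeholder.
        string[] samples =
        {
            "Server=mssqlserver.cert.name,1433;Database=master;User=sa;Password=XXX",
            @"Server=(localdb)\MSSQLLocalDB;Database=master;Integrated Security=true",
        };
        foreach (string sample in samples)
        {
            var hardened = HardenIfLateConfigured(sample, isLateConfigured: true);
            Console.WriteLine(hardened.ConnectionString);
        }
    }
}
```

With `TrustServerCertificate=false`, the server name in the hardened string still has to match the certificate name, so a late-configured deployment pointing at a host alias fails at connect time rather than falling back to an unverified channel.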