Fix | Fix certificate validation #2439
Conversation
… CN in certificate.
…, use hostname as CN in certificate instead.
src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SNI/SNICommon.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SNI/SNICommon.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SNI/SNINpHandle.cs
Show resolved
Hide resolved
src/Microsoft.Data.SqlClient/netfx/src/Microsoft.Data.SqlClient.csproj
Outdated
Show resolved
Hide resolved
|
I had an internal conversation and it is proven that I am wrong. Ignore my comment here. |
src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SNI/SNICommon.cs
Outdated
Show resolved
Hide resolved
| <PropertyGroup> | ||
| <ProjectGuid>{407890AC-9876-4FEF-A6F1-F36A876BAADE}</ProjectGuid> | ||
| <RootNamespace>Microsoft.Data.SqlClient</RootNamespace> | ||
| <TargetFrameworkVersion>v4.6.2</TargetFrameworkVersion> | ||
| <TargetFramework>net462</TargetFramework> |
There was a problem hiding this comment.
why is this change added here? another PR has added that change and it is merged. Try to pull changes from main branch
There was a problem hiding this comment.
I'm not sure where that came from but it is already net462
src/Microsoft.Data.SqlClient/netfx/src/Microsoft.Data.SqlClient.csproj
Outdated
Show resolved
Hide resolved
| } | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
why this change is added here? another PR has merged to address this.
There was a problem hiding this comment.
Because I could not get it merged in for some reason and I could not build without it.
src/Microsoft.Data.SqlClient/tests/ManualTests/DataCommon/ConnectionTestParametersData.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.Data.SqlClient/tests/ManualTests/DataCommon/ConnectionTestParametersData.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.Data.SqlClient/tests/ManualTests/DataCommon/ConnectionTestParametersData.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.Data.SqlClient/tests/ManualTests/DataCommon/ConnectionTestParametersData.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.Data.SqlClient/tests/ManualTests/DataCommon/ConnectionTestParametersData.cs
Outdated
Show resolved
Hide resolved
| @@ -347,9 +350,18 @@ | |||
| <PackageReference Condition="'$(TargetGroup)'!='netfx'" Include="System.ServiceProcess.ServiceController" Version="$(SystemServiceProcessServiceControllerVersion)" /> | |||
| </ItemGroup> | |||
| <ItemGroup> | |||
| <None Condition="'$(TargetGroup)'=='netfx' AND $(ReferenceType)=='Project'" Include="$(BinFolder)$(Configuration).AnyCPU\Microsoft.Data.SqlClient\netfx\**\*SNI*.dll" CopyToOutputDirectory="PreserveNewest" /> | |||
| <ContentWithTargetPath Condition="'$(TargetGroup)'=='netfx' AND $(ReferenceType)=='Project'" Include="$(BinFolder)$(Configuration).AnyCPU\Microsoft.Data.SqlClient\netfx\$(TargetFramework)\*SNI*.dll"> | |||
There was a problem hiding this comment.
this change is addressed in another PR why is that added here.
|
Also, can you address pipeline failures? |
src/Microsoft.Data.SqlClient/tests/ManualTests/DataCommon/ConnectionTestParametersData.cs
Show resolved
Hide resolved
|
|
||
| # Update the certificates store | ||
| Write-Output "Updating the certificates store..." | ||
| update-ca-certificates -v |
There was a problem hiding this comment.
There are couple of things here, generally it is better to use bash on ubuntu, you will have a better control over the commands.
- Enabling as system CA certificate is missing here. It could be done by dpkg-reconfigure command
- Remember since the server and client are on the same machine you need to configure them for both.
- Removing '!' at the beginning of certificate inside ca-certificate is missed. You can test with
sudo cat /etc/ca-certificates.confcommand to ensure '!' is removed from the certificate name. If '!' shows up Infront of the certificate name it wont be included inupdate-ca-certificatecommand. - It is better to provide chmod 755/777 to ensure sql server has access to those files.
| KeyAlgorithm = "RSA" | ||
| KeyLength = 2048 | ||
| HashAlgorithm = "SHA256" | ||
| TextExtension = "2.5.29.37={text}1.3.6.1.5.5.7.3.1", "2.5.29.17={text}DNS=$fqdn&DNS=$localhost&IPAddress=$LoopBackIPV4&DNS=$sqlAliasName&IPAddress=$LoopBackIPV6" |
There was a problem hiding this comment.
This could be simplified by adding DNSName to paramters.
| Type = "SSLServerAuthentication" | ||
| Subject = "CN=$fqdn" | ||
| KeyAlgorithm = "RSA" | ||
| KeyLength = 2048 |
There was a problem hiding this comment.
Why on Unix you have chosen 4096 and on windows 2048 for key length?
Enable Linux certificate as CA certificate.
… certificate for negative test.
| @@ -106,13 +106,15 @@ public void OpenningConnectionWithGoodCertificateTest() | |||
|
|
|||
| // Test with Mandatory encryption | |||
| builder.Encrypt = SqlConnectionEncryptOption.Mandatory; | |||
| builder.TrustServerCertificate = true; | |||
There was a problem hiding this comment.
Wouldn't this just mask if the test doesn't set up the server certificate correctly? (Same for line 117.)
There was a problem hiding this comment.
This was addressed in PR #2487.
| string userId = string.Empty; | ||
| string password = string.Empty; | ||
| SqlConnectionStringBuilder builder = new(DataTestUtility.TCPConnectionString); | ||
| userId = builder.UserID; | ||
| password = builder.Password; | ||
|
|
||
| using TestTdsServer server = TestTdsServer.StartTestServer(enableFedAuth: false, enableLog: false, connectionTimeout: 15, | ||
| methodName: "", new X509Certificate2(s_fullPathToPfx, "nopassword", X509KeyStorageFlags.UserKeySet), | ||
| encryptionType: connectionTestParameters.TdsEncryptionType); | ||
|
|
||
| if (userId != string.Empty) | ||
| { | ||
| builder = new(server.ConnectionString) | ||
| { | ||
| UserID = userId, | ||
| Password = password, | ||
| TrustServerCertificate = connectionTestParameters.TrustServerCertificate, | ||
| Encrypt = connectionTestParameters.Encrypt, | ||
| }; | ||
| } | ||
| else | ||
| { | ||
| builder = new(server.ConnectionString) | ||
| { | ||
| IntegratedSecurity = true, | ||
| TrustServerCertificate = connectionTestParameters.TrustServerCertificate, | ||
| Encrypt = connectionTestParameters.Encrypt, | ||
| }; | ||
| } | ||
|
|
||
| if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows) && userId == string.Empty) | ||
| { | ||
| builder.IntegratedSecurity = false; | ||
| builder.UserID = "user"; | ||
| builder.Password = "password"; | ||
| } |
There was a problem hiding this comment.
This seems strange. Why do we switch between integrated and un/pw here? And why use the un/pw from the config? Doesn't the auth not matter since TestTdsServer doesn't care about auth here? Seems like this could be simplified to just a few lines... No?
| string userId = string.Empty; | |
| string password = string.Empty; | |
| SqlConnectionStringBuilder builder = new(DataTestUtility.TCPConnectionString); | |
| userId = builder.UserID; | |
| password = builder.Password; | |
| using TestTdsServer server = TestTdsServer.StartTestServer(enableFedAuth: false, enableLog: false, connectionTimeout: 15, | |
| methodName: "", new X509Certificate2(s_fullPathToPfx, "nopassword", X509KeyStorageFlags.UserKeySet), | |
| encryptionType: connectionTestParameters.TdsEncryptionType); | |
| if (userId != string.Empty) | |
| { | |
| builder = new(server.ConnectionString) | |
| { | |
| UserID = userId, | |
| Password = password, | |
| TrustServerCertificate = connectionTestParameters.TrustServerCertificate, | |
| Encrypt = connectionTestParameters.Encrypt, | |
| }; | |
| } | |
| else | |
| { | |
| builder = new(server.ConnectionString) | |
| { | |
| IntegratedSecurity = true, | |
| TrustServerCertificate = connectionTestParameters.TrustServerCertificate, | |
| Encrypt = connectionTestParameters.Encrypt, | |
| }; | |
| } | |
| if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows) && userId == string.Empty) | |
| { | |
| builder.IntegratedSecurity = false; | |
| builder.UserID = "user"; | |
| builder.Password = "password"; | |
| } | |
| using TestTdsServer server = TestTdsServer.StartTestServer(enableFedAuth: false, enableLog: false, connectionTimeout: 15, | |
| methodName: "", new X509Certificate2(s_fullPathToPfx, "nopassword", X509KeyStorageFlags.UserKeySet), | |
| encryptionType: connectionTestParameters.TdsEncryptionType); | |
| SqlConnectionStringBuilder builder = new(server.ConnectionString) | |
| { | |
| TrustServerCertificate = connectionTestParameters.TrustServerCertificate, | |
| Encrypt = connectionTestParameters.Encrypt, | |
| }; |
There was a problem hiding this comment.
This was addressed in PR #2487.
This PR fixes issue #2178.
Problem was with Certificate Chain Link error, which is now resolved by comparing the binary raw data of the client certificate against the server certificate. If both certificates match, we allow it to continue. Prior to this, any certificate policy error, we stopped operations and threw an exception.