Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TLS handshake stalls #320

Open
reenigneEsrever92 opened this issue Nov 9, 2023 · 1 comment
Open

TLS handshake stalls #320

reenigneEsrever92 opened this issue Nov 9, 2023 · 1 comment

Comments

@reenigneEsrever92
Copy link

TLSHandshake is awaited even though encryption is advertised as being off - EncryptionLevel::Off

Here is the code:

#[tokio::main]
async fn main() -> Result<(), Error> {
    tracing_subscriber::fmt()
        .with_max_level(Level::TRACE)
        .init();

    let mut config = Config::from_ado_string(
        "server=tcp:localhost,1433;IntegratedSecurity=true;TrustServerCertificate=true",
    )?;

    config.authentication(AuthMethod::sql_server("sa", "PW"));
    // config.encryption(tiberius::EncryptionLevel::NotSupported);

    let tcp = TcpStream::connect(config.get_addr()).await?;
    tcp.set_nodelay(true)?;

    let mut client = Client::connect(config, tcp.compat_write()).await?;

    client.query("SELECT * FROM some_table", &[]).await?;

    Ok(())
}

Yet, still TLS handshake will be performed in this function:

#[cfg(any(
    feature = "rustls",
    feature = "native-tls",
    feature = "vendored-openssl"
))]
async fn tls_handshake(
    self,
    config: &Config,
    encryption: EncryptionLevel,
) -> crate::Result<Self> {
    if encryption != EncryptionLevel::NotSupported {
        event!(Level::INFO, "Performing a TLS handshake");

        let Self {
            transport, context, ..
        } = self;
        let mut stream = match transport.into_inner() {
            MaybeTlsStream::Raw(tcp) => {
                create_tls_stream(config, TlsPreloginWrapper::new(tcp)).await?
            }
            _ => unreachable!(),
        };

        stream.get_mut().handshake_complete();
        event!(Level::INFO, "TLS handshake successful");

        let transport = Framed::new(MaybeTlsStream::Tls(stream), PacketCodec);

        Ok(Self {
            transport,
            context,
            flushed: false,
            buf: BytesMut::new(),
        })
    } else {
        event!(
            Level::WARN,
            "TLS encryption is not enabled. All traffic including the login credentials are not encrypted."
        );

        Ok(self)
    }
}

I'm not sure if this is right!? At least in my case it stalls and never returns from calling create_tls_stream() function on line 450 in tiberius::client::connection.

Here you can see the pre-login message stated encryption level is off:
image
@burmecia
Copy link

burmecia commented Dec 23, 2023
edited

Using EncryptionLevel::Off will still need to do tls handshake, but only for that. If the server doesn't support tls, this will block. So to use EncryptionLevel::NotSupported might be better choice, it will fully disable tls including handshake.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@reenigneEsrever92 @burmecia