Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[QUESTION] #1535

Open
eugenestepanyuk opened this issue Apr 8, 2023 · 2 comments
Open

[QUESTION] #1535

eugenestepanyuk opened this issue Apr 8, 2023 · 2 comments
Labels
Q&A For non-issues. General Q&A

Comments

@eugenestepanyuk
Copy link

I have an api on nodejs and when I try to connect to the database I get an error: "(node:14320) [DEP0123] DeprecationWarning: Setting the TLS ServerName to an IP address is not permitted by RFC 6066. This will be ignored in a future version.
(Use node --trace-deprecation ... to show where the warning was created)
Failed to connect to ip:port - F8510000:error:0A00014D:SSL routines:tls_process_key_exchange:legacy sigalg disallowed or unsupported:c:\ws\deps\openssl\openssl\ssl\statem\statem_clnt.c:2263:"
My connection:

export default new Sequelize({
  dialect: "mssql",
  database: environment.database.database,
  host: environment.database.host,
  port: environment.database.port,
  username: environment.database.username,
  password: environment.database.password,
  logging: !environment.production ? console.log : false,
  dialectOptions: {
    options: {
      // encrypt: false,
      enableArithAbort: true,
      cryptoCredentialsDetails: {
        minVersion: "TLSv1",
      },
    },
  },
  define: {
    freezeTableName: true,
    timestamps: false,
  },
});

The connection was initially without encrypt in dialectOptions, I found information on the Internet if you make encrypt: false then the problem may disappear, if I uncomment this line the problem really disappears
The question is, how safe and generally normal is it to do so? Could you suggest other solutions to the error?

upd. this error started to occur after updating nodejs from version 16 to 19
@eugenestepanyuk eugenestepanyuk added the Q&A For non-issues. General Q&A label Apr 8, 2023
@arthurschreiber
Copy link
Collaborator

Hey @eugenestepanyuk,

DeprecationWarning: Setting the TLS ServerName to an IP address is not permitted by RFC 6066.

That is just a warning. We'll be working on fixing this, but I'm assuming you are connecting by specifying an IP address for the environment.database.host?

Failed to connect to ip:port - F8510000:error:0A00014D:SSL routines:tls_process_key_exchange:legacy sigalg disallowed or unsupported:c:\ws\deps\openssl\openssl\ssl\statem\statem_clnt.c:2263:"

This is the actual error you are encountering. Node.js has tightened the requirements around certificates and what it accepts as a valid certificate by default, and tedious just uses the Node.js defaults.

Have you set up a custom certificate on the SQL Server you're connecting to?

  • If yes, this error means the certificate you set up is not secure enough.
  • If not, the certificate generate by default by SQL Server is not secure enough.

When you install SQL Server, it generates a default certificate. If I remember correctly, this default certificate is using the SHA1 algorithm, which is no longer deemed secure enough. If you have replaced that certificate after SQL Server installation, most likely you also replaced it with a SHA1 based certificate, which again is no longer secure enough.

The recommended approach would be to work with your SQL Server administrator to set up a more secure certificate. You can check out https://github.com/tediousjs/tedious/blob/master/.github/workflows/nodejs.yml#L249-L275 to see how we do this in an automated fashion via PowerShell during the tedious CI builds, but there's also documentation online that describes how to set up either a proper or self signed certificate.

Other not-so-recommended approaches involve either lowering the Node.js security settings to allow these unsecure certificates (which means the encryption becomes more or less useless) or to disable encryption altogether. Both of these mean that a bad actor with access to your network can get access to the credentials you use to connect to your SQL Server instance. Whether that's an issue or not is for you to decide.

@eugenestepanyuk
Copy link
Author

eugenestepanyuk commented Apr 9, 2023
edited

That is just a warning. We'll be working on fixing this, but I'm assuming you are connecting by specifying an IP address for the environment.database.host?

yes, I use the IP address in environment.database.host to be able to connect to the database not only locally

Have you set up a custom certificate on the SQL Server you're connecting to?

to be honest, I don’t even know, I didn’t install certificates, most likely there is some kind of default
I understand that you need to install a secure certificate on the sql server itself?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Q&A For non-issues. General Q&A
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@arthurschreiber @eugenestepanyuk