-
Notifications
You must be signed in to change notification settings - Fork 280
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix | Enhance certificate validation #2487
Fix | Enhance certificate validation #2487
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #2487 +/- ##
==========================================
- Coverage 72.80% 72.74% -0.07%
==========================================
Files 311 311
Lines 61709 61692 -17
==========================================
- Hits 44928 44877 -51
- Misses 16781 16815 +34
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
Would it not make more sense to validate the hostname in cert, rather than comparing a binary file? In fact, validating hostname is likely more usable, since this prevents the overhead of copying over the cert binaries to the client. Also, I am a bit skeptical about comparing binaries for certificates. such solutions end up finding their way into some security problems down the line. @David-Engel @cheenamalhotra @JRahnama thoughts ? |
ServerCertificate was added as a better option to TrustServerCertificate=true. If the certificate of a server is known (self-signed, for example), the client can specify that they trust a specific certificate. When we added TDS 8 / Strict encryption, we also started ignoring TrustServerCertificate when Strict is enabled. So a better dev/test option was needed for self-signed certificate scenarios. |
src/Microsoft.Data.SqlClient/tests/tools/TDS/TDS.EndPoint/TDSServerParser.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.Data.SqlClient/tests/ManualTests/DataCommon/ConnectionTestParametersData.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.Data.SqlClient/tests/ManualTests/DataCommon/ConnectionTestParametersData.cs
Show resolved
Hide resolved
src/Microsoft.Data.SqlClient/tests/ManualTests/DataCommon/ConnectionTestParameters.cs
Show resolved
Hide resolved
src/Microsoft.Data.SqlClient/tests/ManualTests/DataCommon/ConnectionTestParametersData.cs
Show resolved
Hide resolved
...crosoft.Data.SqlClient/tests/ManualTests/Microsoft.Data.SqlClient.ManualTesting.Tests.csproj
Outdated
Show resolved
Hide resolved
...crosoft.Data.SqlClient/tests/ManualTests/Microsoft.Data.SqlClient.ManualTesting.Tests.csproj
Outdated
Show resolved
Hide resolved
...ta.SqlClient/tests/ManualTests/SQL/ConnectionTestWithSSLCert/CertificateTestWithTdsServer.cs
Show resolved
Hide resolved
...ta.SqlClient/tests/ManualTests/SQL/ConnectionTestWithSSLCert/CertificateTestWithTdsServer.cs
Outdated
Show resolved
Hide resolved
...ta.SqlClient/tests/ManualTests/SQL/ConnectionTestWithSSLCert/CertificateTestWithTdsServer.cs
Outdated
Show resolved
Hide resolved
...ta.SqlClient/tests/ManualTests/SQL/ConnectionTestWithSSLCert/CertificateTestWithTdsServer.cs
Outdated
Show resolved
Hide resolved
Thanks @arellegue. Overall looks good and tests are passing. My recent comments are regarding improvements on the tests readability and some enhancements, otherwise the PR looks good as it is. |
…on that gets the SqlServer version to handle non-existent SqlServer specially in ARM virtual machines.
…on ARM64 and Azure servers.
* Updating Azure.Identity version to 1.11.3 (dotnet#2526) * Fix | Clone of SqlConnection should include AccessTokenCallback (dotnet#2525) * Enhancement | Add trace logs for packet size (dotnet#2522) * Merged PR 4583: eng | Fix policheck errors. Fix policheck errors. Sample pipeline run which did not have policheck errors: https://sqlclientdrivers.visualstudio.com/ADO.Net/_build/results?buildId=88114&view=sariftools.scans.build-tab Related work items: #30279 * Doc | Fix SNI dependencies of 5.1 and 5.2 release notes (dotnet#2537) * Change | Separate tests for NetFx and NetCore - NetFx-Only Connection String Properties (dotnet#2466) * Adding TransparentNetworkIpResolution to list of unsupported on platform connection string error messages Splitting unit test for netfx-only connection string properties such that test does not fail on netcore * Remove DeprecatedSynonymCount since referencing the unsupported array is not possible * Fix | Enhance certificate validation (dotnet#2487) * Hotfix v5.2.1 Release notes (dotnet#2534) * Improve AccessTokenCallback sample code (dotnet#2543) * Merged PR 4621: eng | Fix policheck * Fix | Adjust path for .AssemblyAttributes in obj folder (dotnet#2550) * Fix | Fixed GenerateSspiClientContext to retry negotiation with default port (dotnet#2559) * Strong typed diagnostics (dotnet#2226) * Fix | Replaced System.Runtime.Caching with Microsoft.Extensions.Caching.Memory (dotnet#2493) * Add | Add SourceLink translation (dotnet#2552) * Add | Cache TokenCredential objects to take advantage of token caching (dotnet#2380) * Merged common code base for SqlUtil.cs (dotnet#2533) * Add scope trace for GenerateSspiClientContext (dotnet#2497) * Address conflicts (dotnet#2562) * Addressing conflict (dotnet#2560) * Merge SqlColumnEncryptionCertificateStoreProvider (dotnet#2521) * Add | No-op if engineedition is 6 or 11 due to lack of support for ASSEMBLYPROPERTY function (dotnet#2593) * Change | Remove some unneeded references and update Azure.Identity (dotnet#2577) * Add test for issue 2456 (dotnet#2457) * Merged common code base for AlwaysEncryptedKeyConverter (dotnet#2538) * Merged AlwaysEncryptedKeyConverter.CrossPlatform and AlwaysEncryptedKeyConverter.Cng. * 3 Small Changes (dotnet#2594) * * Port sqlclientx datasource changes * Remove link to missing nuget.config file * Remove root namespaces from sqlclient csproj files * Test to see if namespace changes are breaking the pr build * Reinstate removing the root namespace and fix resource filename generation * Test fixes to accommodate recent infra changes (dotnet#2646) * Test fixes to accomodate recent infra changes * Fix - Don't error when using infinte connect timeout and Entra auth (dotnet#2651) * eng | Add delay signed to official builds (dotnet#2653) * eng | Initial YAML CI pipeline (dotnet#2575) * Fix | Fix decrypt failure to drain data (dotnet#2618) * [Scheduled Run] Localized resource files from OneLocBuild * eng | Add Delay sign to ref csprojs (dotnet#2684) * [Scheduled Run] Localized resource files from OneLocBuild * [Scheduled Run] Localized resource files from OneLocBuild --------- Co-authored-by: Javad Rahnama <[email protected]> Co-authored-by: David Engel <[email protected]> Co-authored-by: Aris Rellegue <[email protected]> Co-authored-by: DavoudEshtehari <[email protected]> Co-authored-by: Benjamin Russell <[email protected]> Co-authored-by: Aris Rellegue <[email protected]> Co-authored-by: dauinsight <[email protected]> Co-authored-by: Scott Addie <[email protected]> Co-authored-by: Daniel Au <[email protected]> Co-authored-by: Wraith <[email protected]> Co-authored-by: SqlClient Azure DevOps <[email protected]> Co-authored-by: Edward Neal <[email protected]> Co-authored-by: Erik Ejlskov Jensen <[email protected]> Co-authored-by: David Engel <[email protected]>
This PR fixes issue #2178. This PR replaces #2439.
The issue was with Certificate Chain Link error, which is now resolved by comparing the binary raw data of the client certificate against the server certificate. If both certificates match, we allow it to continue. Prior to this, any certificate policy error, we stopped operations and threw an exception.
Unit tests were added using TestTdsServer as the SqlServer. Also, different combinations of client connection strings are used for the unit tests. The unit tests only run on Windows and Linux environment.