From 35d3721aadf46859d28e76f0c66e2a10e6a7890c Mon Sep 17 00:00:00 2001
From: Lawrence LCI
Date: Mon, 31 Oct 2022 10:10:30 -0700
Subject: [PATCH 1/3] Enable tls1.3 ssl protocol on netcore
---
 .../src/Microsoft/Data/SqlClient/TdsParser.cs | 20 ++++++++++++++++---
 .../SqlClient/TdsParserStateObjectNative.cs | 8 ++++++--
 2 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParser.cs b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParser.cs
index 36ecb2cd72..43dd245bfb 100644
--- a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParser.cs
+++ b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParser.cs
@@ -519,8 +519,20 @@ internal void Connect(
 // On Instance failure re-connect and flush SNI named instance cache.
 _physicalStateObj.SniContext = SniContext.Snix_Connect;
- _physicalStateObj.CreatePhysicalSNIHandle(serverInfo.ExtendedServerName, ignoreSniOpenTimeout, timerExpire, out instanceName, ref _sniSpnBuffer, true, true, fParallel,
- _connHandler.ConnectionOptions.IPAddressPreference, FQDNforDNSCache, ref _connHandler.pendingSQLDNSObject, serverInfo.ServerSPN, integratedSecurity);
+ _physicalStateObj.CreatePhysicalSNIHandle(serverInfo.ExtendedServerName,
+ ignoreSniOpenTimeout,
+ timerExpire,
+ out instanceName,
+ ref _sniSpnBuffer,
+ true,
+ true, fParallel,
+ _connHandler.ConnectionOptions.IPAddressPreference,
+ FQDNforDNSCache,
+ ref _connHandler.pendingSQLDNSObject,
+ serverInfo.ServerSPN,
+ integratedSecurity,
+ encrypt == SqlConnectionEncryptOption.Strict,
+ hostNameInCertificate);
 if (TdsEnums.SNI_SUCCESS != _physicalStateObj.Status)
 {
@@ -552,6 +564,7 @@ internal void Connect(
 throw SQL.InstanceFailure();
 }
 }
+ SqlClientEventSource.Log.TryTraceEvent(" Prelogin handshake successful");
 if (_fMARS && marsCapable)
 {
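Review bot: The rewritten CreatePhysicalSNIHandle call now carries three unlabeled booleans in a row — the two literal `true`s and the new `encrypt == SqlConnectionEncryptOption.Strict` — so a reader cannot tell from the call site which position switches the handshake into its TLS-first mode, which is the security-relevant part of this change. Named arguments on those positions (using the parameter names from TdsParserStateObject.CreatePhysicalSNIHandle, which are not visible here), e.g. `<tlsParam>: encrypt == SqlConnectionEncryptOption.Strict,` and `<hostParam>: hostNameInCertificate);`, would make the intent auditable without opening the callee. `hostNameInCertificate` is passed unconditionally; if the SNI layer only honours it when the Strict flag is true, a short comment saying so would save the next reader from assuming it also applies to Mandatory. The enclosing Connect method starts and ends outside this hunk.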
@@ -1010,7 +1023,8 @@ private PreLoginHandshakeStatus ConsumePreLoginHandshake(
 uint info = (shouldValidateServerCert ? TdsEnums.SNI_SSL_VALIDATE_CERTIFICATE : 0)
 | (is2005OrLater ? TdsEnums.SNI_SSL_USE_SCHANNEL_CACHE : 0);
- EnableSsl(info, encrypt, integratedSecurity);
+
+ EnableSsl(info, encrypt == SqlConnectionEncryptOption.Mandatory, integratedSecurity);
 }
 break;
diff --git a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParserStateObjectNative.cs b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParserStateObjectNative.cs
index 99bbc9bf53..1ef1441b07 100644
--- a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParserStateObjectNative.cs
+++ b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParserStateObjectNative.cs
@@ -425,12 +425,16 @@ internal override uint WaitForSSLHandShakeToComplete(out int protocolVersion)
 var nativeProtocol = (NativeProtocols)nativeProtocolVersion;
 /* The SslProtocols.Tls13 is supported by netcoreapp3.1 and later
- * This driver does not support this version yet!
+ * This driver does not support this version yet! */
+#if NETCOREAPP3_1_OR_GREATER
 if (nativeProtocol.HasFlag(NativeProtocols.SP_PROT_TLS1_3_CLIENT) || nativeProtocol.HasFlag(NativeProtocols.SP_PROT_TLS1_3_SERVER))
 {
 protocolVersion = (int)SslProtocols.Tls13;
- }*/
+ }
+ else if (nativeProtocol.HasFlag(NativeProtocols.SP_PROT_TLS1_2_CLIENT) || nativeProtocol.HasFlag(NativeProtocols.SP_PROT_TLS1_2_SERVER))
+#else
 if (nativeProtocol.HasFlag(NativeProtocols.SP_PROT_TLS1_2_CLIENT) || nativeProtocol.HasFlag(NativeProtocols.SP_PROT_TLS1_2_SERVER))
+#endif
 {
 protocolVersion = (int)SslProtocols.Tls12;
 }
From 7d0d8687fd190b4afe0fab6a9802ac2c1446a45c Mon Sep 17 00:00:00 2001
From: Lawrence LCI
Date: Mon, 31 Oct 2022 15:44:50 -0700
Subject: [PATCH 2/3] Address comments
---
 .../SqlClient/TdsParserStateObjectNative.cs | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParserStateObjectNative.cs b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParserStateObjectNative.cs
index 1ef1441b07..32e364b7e7 100644
--- a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParserStateObjectNative.cs
+++ b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParserStateObjectNative.cs
@@ -424,20 +424,17 @@ internal override uint WaitForSSLHandShakeToComplete(out int protocolVersion)
 uint returnValue = SNINativeMethodWrapper.SNIWaitForSSLHandshakeToComplete(Handle, GetTimeoutRemaining(), out uint nativeProtocolVersion);
 var nativeProtocol = (NativeProtocols)nativeProtocolVersion;
- /* The SslProtocols.Tls13 is supported by netcoreapp3.1 and later
- * This driver does not support this version yet! */
-#if NETCOREAPP3_1_OR_GREATER
- if (nativeProtocol.HasFlag(NativeProtocols.SP_PROT_TLS1_3_CLIENT) || nativeProtocol.HasFlag(NativeProtocols.SP_PROT_TLS1_3_SERVER))
- {
- protocolVersion = (int)SslProtocols.Tls13;
- }
- else if (nativeProtocol.HasFlag(NativeProtocols.SP_PROT_TLS1_2_CLIENT) || nativeProtocol.HasFlag(NativeProtocols.SP_PROT_TLS1_2_SERVER))
-#else
 if (nativeProtocol.HasFlag(NativeProtocols.SP_PROT_TLS1_2_CLIENT) || nativeProtocol.HasFlag(NativeProtocols.SP_PROT_TLS1_2_SERVER))
-#endif
 {
 protocolVersion = (int)SslProtocols.Tls12;
 }
+#if NETCOREAPP
+ else if (nativeProtocol.HasFlag(NativeProtocols.SP_PROT_TLS1_3_CLIENT) || nativeProtocol.HasFlag(NativeProtocols.SP_PROT_TLS1_3_SERVER))
+ {
+ /* The SslProtocols.Tls13 is supported by netcoreapp3.1 and later */
+ protocolVersion = (int)SslProtocols.Tls13;
+ }
+#endif
 else if (nativeProtocol.HasFlag(NativeProtocols.SP_PROT_TLS1_1_CLIENT) || nativeProtocol.HasFlag(NativeProtocols.SP_PROT_TLS1_1_SERVER))
 {
 protocolVersion = (int)SslProtocols.Tls11;
From 32deb30937abd797fbbc8d2b8d9d2eb69e186654 Mon Sep 17 00:00:00 2001
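Review bot: The TLS 1.3 branch is now guarded by `#if NETCOREAPP`, while the comment placed inside it still says the enum member exists on netcoreapp3.1 and later; the first revision of this series used `NETCOREAPP3_1_OR_GREATER`, and the broader symbol is also defined for earlier .NET Core targets, so if the netcore project still builds any target below 3.0 the reference to `SslProtocols.Tls13` will not resolve there. Restoring the narrower guard, `#if NETCOREAPP3_1_OR_GREATER`, keeps the condition and the comment saying the same thing. Separately, nothing in this hunk rejects a negotiated TLS 1.1 result — the chain only records it in `protocolVersion` — so if the minimum acceptable version is enforced by the caller, a one-line comment above the chain pointing to that check would spare the next reader the search. WaitForSSLHandShakeToComplete continues past the end of the hunk.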
From: Lawrence LCI
Date: Tue, 1 Nov 2022 12:17:51 -0700
Subject: [PATCH 3/3] Revert changes EnableSsl
---
 .../netcore/src/Microsoft/Data/SqlClient/TdsParser.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParser.cs b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParser.cs
index 43dd245bfb..ae6e6995cb 100644
--- a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParser.cs
+++ b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParser.cs
@@ -1024,7 +1024,7 @@ private PreLoginHandshakeStatus ConsumePreLoginHandshake(
 | (is2005OrLater ? TdsEnums.SNI_SSL_USE_SCHANNEL_CACHE : 0);
- EnableSsl(info, encrypt == SqlConnectionEncryptOption.Mandatory, integratedSecurity);
+ EnableSsl(info, encrypt, integratedSecurity);
 }
 break;
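Review bot: The revert passes the whole `encrypt` option to EnableSsl again but leaves no comment on why the `encrypt == SqlConnectionEncryptOption.Mandatory` form was withdrawn, and since that comparison evaluates to false for `Strict` — the strongest setting — it is exactly the kind of "simplification" someone will reintroduce. A one-line comment above the call, `// Pass the full option: comparing against Mandatory alone is false for Strict`, pins the intent where the next editor will see it. Whether EnableSsl's second parameter is the option type itself or a bool reached through a conversion is not visible in this hunk; if it is a bool, how that conversion treats `Strict` is the thing to confirm. ConsumePreLoginHandshake starts and ends outside the hunk.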