Skip to content

Commit

Permalink
Suppress TLS security warning with Encrypt=false by new AppContext sw…
Browse files Browse the repository at this point in the history
…itch (dotnet#1457)

# Conflicts:
#	src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParser.cs
#	src/Microsoft.Data.SqlClient/netfx/src/Microsoft/Data/SqlClient/TdsParser.cs
  • Loading branch information
DavoudEshtehari committed Jan 13, 2022
1 parent 768b58b commit c6b56ef
Show file tree
Hide file tree
Showing 4 changed files with 44 additions and 8 deletions.
6 changes: 6 additions & 0 deletions BUILDGUIDE.md
Original file line number Diff line number Diff line change
Expand Up @@ -319,6 +319,12 @@ TLS 1.3 has been excluded due to the fact that the driver lacks full support. To

`Switch.Microsoft.Data.SqlClient.EnableSecureProtocolsByOS`

## Suppressing TLS security warning

When connecting to a server, if a protocol lower than TLS 1.2 is negotiated, a security warning is output to the console. This warning can be suppressed on SQL connections with `Encrypt = false` by enabling the following AppContext switch on application startup:

`Switch.Microsoft.Data.SqlClient.SuppressInsecureTLSWarning`

## Debugging SqlClient on Linux from Windows

For enhanced developer experience, we support debugging SqlClient on Linux from Windows, using the project "**Microsoft.Data.SqlClient.DockerLinuxTest**" that requires "Container Tools" to be enabled in Visual Studio. You may import configuration: [VS19Components.vsconfig](./tools/vsconfig/VS19Components.vsconfig) if not enabled already.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,6 @@
using System.Diagnostics;
using System.Globalization;
using System.IO;
using System.Reflection;
using System.Security.Authentication;
using System.Text;
using System.Threading;
Expand Down Expand Up @@ -962,8 +961,16 @@ private PreLoginHandshakeStatus ConsumePreLoginHandshake(bool encrypt, bool trus
string warningMessage = protocol.GetProtocolWarning();
if (!string.IsNullOrEmpty(warningMessage))
{
// This logs console warning of insecure protocol in use.
_logger.LogWarning(_typeName, MethodBase.GetCurrentMethod().Name, warningMessage);
if (!encrypt && LocalAppContextSwitches.SuppressInsecureTLSWarning)
{
// Skip console warning
SqlClientEventSource.Log.TryTraceEvent("<sc|{0}|{1}|{2}>{3}", nameof(TdsParser), nameof(ConsumePreLoginHandshake), SqlClientLogger.LogLevel.Warning, warningMessage);
}
else
{
// This logs console warning of insecure protocol in use.
_logger.LogWarning(nameof(TdsParser), nameof(ConsumePreLoginHandshake), warningMessage);
}
}

// create a new packet encryption changes the internal packet size
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@
using System.Diagnostics;
using System.Globalization;
using System.IO;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;
Expand Down Expand Up @@ -1340,8 +1339,16 @@ private PreLoginHandshakeStatus ConsumePreLoginHandshake(SqlAuthenticationMethod
string warningMessage = SslProtocolsHelper.GetProtocolWarning(protocolVersion);
if (!string.IsNullOrEmpty(warningMessage))
{
// This logs console warning of insecure protocol in use.
_logger.LogWarning(_typeName, MethodBase.GetCurrentMethod().Name, warningMessage);
if (!encrypt && LocalAppContextSwitches.SuppressInsecureTLSWarning)
{
// Skip console warning
SqlClientEventSource.Log.TryTraceEvent("<sc|{0}|{1}|{2}>{3}", nameof(TdsParser), nameof(ConsumePreLoginHandshake), SqlClientLogger.LogLevel.Warning, warningMessage);
}
else
{
// This logs console warning of insecure protocol in use.
_logger.LogWarning(nameof(TdsParser), nameof(ConsumePreLoginHandshake), warningMessage);
}
}

// Validate server certificate
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -14,10 +14,12 @@ internal static partial class LocalAppContextSwitches
internal const string MakeReadAsyncBlockingString = @"Switch.Microsoft.Data.SqlClient.MakeReadAsyncBlocking";
internal const string LegacyRowVersionNullString = @"Switch.Microsoft.Data.SqlClient.LegacyRowVersionNullBehavior";
internal const string UseSystemDefaultSecureProtocolsString = @"Switch.Microsoft.Data.SqlClient.UseSystemDefaultSecureProtocols";
internal const string SuppressInsecureTLSWarningString = @"Switch.Microsoft.Data.SqlClient.SuppressInsecureTLSWarning";

private static bool _makeReadAsyncBlocking;
private static bool s_makeReadAsyncBlocking;
private static bool? s_LegacyRowVersionNullBehavior;
private static bool? s_UseSystemDefaultSecureProtocols;
private static bool? s_SuppressInsecureTLSWarning;

#if !NETFRAMEWORK
static LocalAppContextSwitches()
Expand All @@ -35,12 +37,26 @@ static LocalAppContextSwitches()
}
#endif

public static bool SuppressInsecureTLSWarning
{
get
{
if (s_SuppressInsecureTLSWarning is null)
{
bool result;
result = AppContext.TryGetSwitch(SuppressInsecureTLSWarningString, out result) ? result : false;
s_SuppressInsecureTLSWarning = result;
}
return s_SuppressInsecureTLSWarning.Value;
}
}

public static bool MakeReadAsyncBlocking
{
[MethodImpl(MethodImplOptions.AggressiveInlining)]
get
{
return AppContext.TryGetSwitch(MakeReadAsyncBlockingString, out _makeReadAsyncBlocking) ? _makeReadAsyncBlocking : false;
return AppContext.TryGetSwitch(MakeReadAsyncBlockingString, out s_makeReadAsyncBlocking) ? s_makeReadAsyncBlocking : false;
}
}

Expand Down

0 comments on commit c6b56ef

Please sign in to comment.