
Allow non-standard Common Name (CN) for SSL verification of connections with provided certificates. #704

Closed
jsimonweb opened this issue Dec 9, 2021 · 3 comments · Fixed by #705

@jsimonweb
Contributor

Issue:
Google Cloud SQL for SQL Server generated SSL server certificates include a Common Name (CN) formatted as: project-id:instance-id

Example snippet from a generated SSL server certificate:
CN = my-project:test-sqlserver

The : character in the CN currently causes a connection formatted as the following snippet to fail:
dbURI += fmt.Sprintf("encrypt=true;hostnameincertificate=my-project:test-sqlserver;certificate=%s;", dbRootCert)

Feature request:
Provide an option to allow verification of SSL certificates that include a custom non-standard Common Name (CN).

For more information on this issue see:
golang/go#40748

@kardianos
Collaborator

@jsimonweb I appreciate the PR. I think you would need to replace the : with %3A, because it is URL encoded. Can you tell me exactly where it errors, and what it says? Does it fail with a connection error or a cert match error?

I don't think I would want to do exactly as you have it, but let's discuss what would work.

@jsimonweb
Contributor Author

The error happens upon calling sql.Open() as in the following code snippet:

dbURI := fmt.Sprintf("server=%s;user id=%s;password=%s;port=%s;database=%s;", dbTCPHost, dbUser, dbPwd, dbPort, dbName)
dbURI += fmt.Sprintf("encrypt=true;hostnameincertificate=my-project:test-sqlserver;certificate=%s;", dbRootCert)
sql.Open("mssql", dbURI)

The error message is:
TLS Handshake failed: x509: certificate is valid for [IP Address], not my-project:test-sqlserver

Using go-mssqldb updated with the code in PR #705, the following code snippet works as expected:

dbURI := fmt.Sprintf("server=%s;user id=%s;password=%s;port=%s;database=%s;", dbTCPHost, dbUser, dbPwd, dbPort, dbName)
dbURI += fmt.Sprintf("encrypt=true;hostnameincertificate=my-project:test-sqlserver;nonstandardcertcommonname=true;certificate=%s;", dbRootCert)
sql.Open("mssql", dbURI)

I don't think I would want to do exactly as you have it, but let's discuss what would work.

My PR is the approach I found to resolve this issue while still ensuring a verified certificate based encrypted connection. Feel free to treat it as a proof of concept and re-implement it in a way that's best for the go-mssqldb driver.

Let me know if you need any more details or have any follow-up questions. Thank you!
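The check the thread is after, as an added example that is not code from the issue, from go-mssqldb or from PR #705: validate the server's chain against the supplied root certificate, but compare the Common Name literally rather than treating it as a hostname, using Go's own crypto/tls VerifyPeerCertificate hook. The names verifyNonStandardCN and selfSignedCert, and the CN value used in the fixture, are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// verifyNonStandardCN returns a tls.Config.VerifyPeerCertificate callback. It validates the
// chain against roots with no DNSName, so a CN such as "my-project:test-sqlserver" is not
// rejected as a malformed hostname, and then requires the leaf's Common Name to equal expected.
func verifyNonStandardCN(roots *x509.CertPool, expected string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("server presented no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		opts := x509.VerifyOptions{Roots: roots} // intermediates the server sends would go in opts.Intermediates
		if _, err := leaf.Verify(opts); err != nil {
			return err // untrusted issuer, expired, wrong key usage, ...
		}
		if leaf.Subject.CommonName != expected {
			return fmt.Errorf("certificate CN %q does not match expected %q", leaf.Subject.CommonName, expected)
		}
		return nil
	}
}

// selfSignedCert is a constructed fixture (assumed, not a Cloud SQL cert) standing in for the server certificate and its root.
func selfSignedCert(cn string) ([]byte, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return der, pool
}
```

To use it, set InsecureSkipVerify: true and VerifyPeerCertificate: verifyNonStandardCN(pool, cn) on the tls.Config; the flag only turns off the built-in hostname check, while the callback still enforces the trust chain and the expected CN.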

@kardianos
Collaborator

Proposal approved. I left comments on PR.
