Suppress TLS security warning with Encrypt=false by new AppContext sw…

…itch (#1457)
dotnet · Jan 11, 2022 · 1ad4af3 · 1ad4af3
1 parent fe38d26
commit 1ad4af3
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 8 deletions.
diff --git a/BUILDGUIDE.md b/BUILDGUIDE.md
@@ -319,6 +319,12 @@ TLS 1.3 has been excluded due to the fact that the driver lacks full support. To
 
 `Switch.Microsoft.Data.SqlClient.EnableSecureProtocolsByOS`
 
+## Suppressing TLS security warning
+
+When connecting to a server, if a protocol lower than TLS 1.2 is negotiated, a security warning is output to the console. This warning can be suppressed on SQL connections with `Encrypt = false` by enabling the following AppContext switch on application startup:
+
+`Switch.Microsoft.Data.SqlClient.SuppressInsecureTLSWarning`
+
 ## Debugging SqlClient on Linux from Windows
 
 For enhanced developer experience, we support debugging SqlClient on Linux from Windows, using the project "**Microsoft.Data.SqlClient.DockerLinuxTest**" that requires "Container Tools" to be enabled in Visual Studio. You may import configuration: [VS19Components.vsconfig](./tools/vsconfig/VS19Components.vsconfig) if not enabled already.

diff --git a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParser.cs b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParser.cs
@@ -10,7 +10,6 @@
 using System.Diagnostics;
 using System.Globalization;
 using System.IO;
-using System.Reflection;
 using System.Security.Authentication;
 using System.Text;
 using System.Threading;
@@ -960,8 +959,16 @@ private PreLoginHandshakeStatus ConsumePreLoginHandshake(bool encrypt, bool trus
  string warningMessage = protocol.GetProtocolWarning();
  if (!string.IsNullOrEmpty(warningMessage))
  {
- // This logs console warning of insecure protocol in use.
- _logger.LogWarning(GetType().Name, MethodBase.GetCurrentMethod().Name, warningMessage);
+ if (!encrypt && LocalAppContextSwitches.SuppressInsecureTLSWarning)
+ {
+ // Skip console warning
+ SqlClientEventSource.Log.TryTraceEvent("<sc|{0}|{1}|{2}>{3}", nameof(TdsParser), nameof(ConsumePreLoginHandshake), SqlClientLogger.LogLevel.Warning, warningMessage);
+ }
+ else
+ {
+ // This logs console warning of insecure protocol in use.
+ _logger.LogWarning(nameof(TdsParser), nameof(ConsumePreLoginHandshake), warningMessage);
+ }
  }
 
  // create a new packet encryption changes the internal packet size

diff --git a/src/Microsoft.Data.SqlClient/netfx/src/Microsoft/Data/SqlClient/TdsParser.cs b/src/Microsoft.Data.SqlClient/netfx/src/Microsoft/Data/SqlClient/TdsParser.cs
@@ -9,7 +9,6 @@
 using System.Diagnostics;
 using System.Globalization;
 using System.IO;
-using System.Reflection;
 using System.Runtime.CompilerServices;
 using System.Runtime.InteropServices;
 using System.Security.Cryptography.X509Certificates;
@@ -1339,8 +1338,16 @@ private PreLoginHandshakeStatus ConsumePreLoginHandshake(SqlAuthenticationMethod
  string warningMessage = SslProtocolsHelper.GetProtocolWarning(protocolVersion);
  if (!string.IsNullOrEmpty(warningMessage))
  {
- // This logs console warning of insecure protocol in use.
- _logger.LogWarning(GetType().Name, MethodBase.GetCurrentMethod().Name, warningMessage);
+ if (!encrypt && LocalAppContextSwitches.SuppressInsecureTLSWarning)
+ {
+ // Skip console warning
+ SqlClientEventSource.Log.TryTraceEvent("<sc|{0}|{1}|{2}>{3}", nameof(TdsParser), nameof(ConsumePreLoginHandshake), SqlClientLogger.LogLevel.Warning, warningMessage);
+ }
+ else
+ {
+ // This logs console warning of insecure protocol in use.
+ _logger.LogWarning(nameof(TdsParser), nameof(ConsumePreLoginHandshake), warningMessage);
+ }
  }
 
  // Validate server certificate

diff --git a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/LocalAppContextSwitches.cs b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/LocalAppContextSwitches.cs
@@ -14,10 +14,12 @@ internal static partial class LocalAppContextSwitches
  internal const string MakeReadAsyncBlockingString = @"Switch.Microsoft.Data.SqlClient.MakeReadAsyncBlocking";
  internal const string LegacyRowVersionNullString = @"Switch.Microsoft.Data.SqlClient.LegacyRowVersionNullBehavior";
  internal const string UseSystemDefaultSecureProtocolsString = @"Switch.Microsoft.Data.SqlClient.UseSystemDefaultSecureProtocols";
+ internal const string SuppressInsecureTLSWarningString = @"Switch.Microsoft.Data.SqlClient.SuppressInsecureTLSWarning";
 
- private static bool _makeReadAsyncBlocking;
+ private static bool s_makeReadAsyncBlocking;
  private static bool? s_LegacyRowVersionNullBehavior;
  private static bool? s_UseSystemDefaultSecureProtocols;
+ private static bool? s_SuppressInsecureTLSWarning;
 
 #if !NETFRAMEWORK
  static LocalAppContextSwitches()
@@ -35,12 +37,26 @@ static LocalAppContextSwitches()
  }
 #endif
 
+ public static bool SuppressInsecureTLSWarning
+ {
+ get
+ {
+ if (s_SuppressInsecureTLSWarning is null)
+ {
+ bool result;
+ result = AppContext.TryGetSwitch(SuppressInsecureTLSWarningString, out result) ? result : false;
+ s_SuppressInsecureTLSWarning = result;
+ }
+ return s_SuppressInsecureTLSWarning.Value;
+ }
+ }
+
  public static bool MakeReadAsyncBlocking
  {
  [MethodImpl(MethodImplOptions.AggressiveInlining)]
  get
  {
- return AppContext.TryGetSwitch(MakeReadAsyncBlockingString, out _makeReadAsyncBlocking) ? _makeReadAsyncBlocking : false;
+ return AppContext.TryGetSwitch(MakeReadAsyncBlockingString, out s_makeReadAsyncBlocking) ? s_makeReadAsyncBlocking : false;
  }
  }