We have about 40 SQL database servers in our organization. They are all behind a firewall, and most of them are for our intranet applications. A couple of them serve as database backends for our public websites.
We don't configure these SQL servers to use a certificate.
Recently our developers upgraded the frontend application's .NET framework from .NET 5.0 to .NET 7.0, and they started getting the error: << Microsoft.Data.SqlClient.SqlException: 'A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The target principal name is incorrect.)' >>
We did find a workaround, which is TrustServerCertificate=True;
I also read this article https://learn.microsoft.com/en-us/ef/core/what-is-new/ef-core-7.0/breaking-changes#encrypt-true
Quote:
1. Install a valid certificate on the server. Note that this is an involved process and requires obtaining a certificate and ensuring it is signed by an authority trusted by the client.
2. If the server has a certificate, but it is not trusted by the client, then TrustServerCertificate=True to allow bypassing the normal trust mechanism.
3. Explicitly add Encrypt=False to the connection string.
Warning: Options 2 and 3 both leave the server in a potentially insecure state.
We did go with option
But do we really need to do No 1, and how can we configure that?
Thanks
February 28, 2023 at 7:47 am
This was removed by the editor as SPAM
February 28, 2023 at 11:25 am
What is the TLS version? Is it upgraded on the SQL Windows servers?
https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls
Regards
Durai Nagarajan
February 28, 2023 at 6:52 pm
Thanks,
But I found this seems more of a certificate issue related to the SQLdataclient version; see the link in the article.
This is not an issue but merely a nudge to developers to consider multi-layer security. (What happens if someone can get through your firewall?)
You have three options:
March 3, 2023 at 10:32 am
If you have to set anything like Encrypt=False or TrustServerCertificate=True to get your app working, your SQL Server is definitely configured to use a certificate. Maybe it's not set to force encryption, but it's configured to have the choice between a secure or insecure connection.
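An added example, not part of any post in this thread: a small Python audit that sorts connection strings into the three options quoted in the first post, so that TrustServerCertificate=True and Encrypt=False workarounds can be found across many applications. It assumes Encrypt defaults to true (as the linked article describes), that a repeated keyword takes its last value, and that Encrypt=Strict ignores TrustServerCertificate; the application names, server names and strings are constructed samples.

```python
import re

# key=value pairs; a quoted value may contain ';' (e.g. a password).
_PAIR = re.compile(r"""\s*([^=;]+?)\s*=\s*("(?:[^"]|"")*"|'(?:[^']|'')*'|[^;]*)""")
# Keyword spellings for the two settings of interest (matched case-insensitively).
_KEYS = {"encrypt": "encrypt",
         "trustservercertificate": "trust",
         "trust server certificate": "trust"}

def effective_settings(conn_str):
    """Return the effective Encrypt / TrustServerCertificate values."""
    # Assumed defaults: Encrypt=True, TrustServerCertificate=False.
    settings = {"encrypt": "true", "trust": "false"}
    for key, value in _PAIR.findall(conn_str):
        name = _KEYS.get(" ".join(key.split()).lower())
        if name:  # assumption: a repeated keyword takes its last value
            settings[name] = value.strip().strip("'\"").lower()
    return settings

def classify(conn_str):
    """Map a connection string onto the three options quoted in the thread."""
    s = effective_settings(conn_str)
    if s["encrypt"] in ("false", "no", "optional"):
        return "option 3: encryption not required by the client"
    # Assumption: Encrypt=Strict always validates and ignores the trust flag.
    if s["encrypt"] != "strict" and s["trust"] in ("true", "yes"):
        return "option 2: certificate validation bypassed"
    return "option 1: encrypted, certificate validated"

def audit(named_strings):
    """Return {name: classification} for every string not on option 1."""
    results = {name: classify(cs) for name, cs in named_strings.items()}
    return {n: r for n, r in results.items() if not r.startswith("option 1")}

# Constructed sample inventory (hypothetical application and server names).
SAMPLES = {
    "intranet-hr": "Server=sql01.corp.example;Database=HR;Integrated Security=true",
    "intranet-crm": "Server=sql02;Database=CRM;TrustServerCertificate=True;",
    "public-web": "Server=sql03;Database=Web;Encrypt=False",
    "reporting": "Server=sql04;User Id=app;Password='x;Encrypt=False';"
                 "Trust Server Certificate=yes",
}

if __name__ == "__main__":
    for app, finding in audit(SAMPLES).items():
        print(f"{app}: {finding}")
```

The "reporting" sample shows why the parser honours quoting: the text inside the quoted password must not be read as an Encrypt setting.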