在与Microsoft SQL Server一起使用TLS时,如何自定义服务器证书验证?
我正在尝试将.NET 6应用程序连接到使用自签名服务器证书的SQL Server 2016实例。使用默认的连接字符串设置,此导致错误在
A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)
技术上是正确的,因为证书是自签名的,而不是由受信任的当局发行的。因为这是一个内部的私人数据库,因此获得可信赖的授权来签署证书的权限不是一个选择。 编辑:我们也没有网络中已经信任的内部CA。
我知道encrypt = false设置,但是我们希望连接加密。我也知道trustservercertificate = true设置,但是如果攻击者还使用自签名的证书,那将使我们对中间攻击开放。理想情况下,我想自定义证书验证,并允许连接,如果证书拇指标准符合我期望的验证。
如果这是HTTP请求,我可以执行以下
var handler = new HttpClientHandler();
handler.ServerCertificateCustomValidationCallback = (sender, cert, chain, errors) => {
if (errors == SslPolicyErrors.None) return true;
if (errors == SslPolicyErrors.RemoteCertificateChainErrors)
return cert.Thumbprint == "MyTrustedThumbprint";
return false;
};
var client = new HttpClient(handler);
解决方案避免中间攻击(因为他们无法复制拇指丝),并且可以避免我们的团队必须在每台机器上安装一个自签名的证书在我们的网络中。
在microsoft.data.sqlclient生态系统中,是否有类似于ServerCertificatificatificatecustomValidationCallback?奖励点如果解决方案还可以与高级数据库访问(例如Entity Framework或Dapper)一起使用。
I am attempting to connect a .NET 6 application to a SQL Server 2016 instance that uses a self-signed server certificate. Using the default connection string settings, this results in an error
A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)
The error is technically correct, as the certificate is self-signed and not issued by a trusted authority. Because this is an internal, private database, getting a trusted authority to sign the certificate is not an option. Edit: We also don't have an internal CA that's already trusted in our network.
I am aware of the Encrypt=False setting, but we would like the connection to be encrypted. I am also aware of the TrustServerCertificate=True setting, but that leaves us open to man-in-the-middle attacks, if the attacker also uses a self-signed certificate. Ideally, I would like to customize certificate validation and allow the connection if the certificate thumbprint matches the one I'm expecting.
If this were an HTTP request, I could do the following
var handler = new HttpClientHandler();
handler.ServerCertificateCustomValidationCallback = (sender, cert, chain, errors) => {
if (errors == SslPolicyErrors.None) return true;
if (errors == SslPolicyErrors.RemoteCertificateChainErrors)
return cert.Thumbprint == "MyTrustedThumbprint";
return false;
};
var client = new HttpClient(handler);
This solution avoids man-in-the-middle attacks (because they can't replicate the thumbprint) and it avoids our team from having to install a self-signed certificate onto every machine in our network.
Is there anything similar to ServerCertificateCustomValidationCallback within the Microsoft.Data.SqlClient ecosystem? Bonus points if the solution also works with higher-level database access such as Entity Framework or Dapper.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
那不是真的。仍然有两条途径可以使证书由可信赖的权威签署:
让您的服务器连接到一个以您真正控制的公共域名命名的Active Directory域。在这种情况下,您可以从客户接受的信誉良好(值得信赖的)CA供应商那里购买证书。
请注意,这并不一定意味着让您的广告域使用与面向公共服务的服务相同的名称(当然,不建议您使用);只是将其设置为使用可以公开的域名,并且您可以证明您拥有此名称的值得信赖的CA。您通常可以通过将电话的组合通过您实际回答的WHOIS注册表中的一个数字和一组DNS TXT和CAA记录中的一个数字传递此支票,这意味着甚至没有使用此域的服务器可以从Internet上接触。<<<<<<<<<<<<<<<<<<<<<<<<< /p>
还要注意,无论如何您都应该以这种方式设置,但是我知道很多地方都没有按照应有的方式进行设置,或者广告环境预先应有此指南。如果是这样,我知道这是一件大事,要求您的组织改变。这把我带到了第二个道路...
运行您自己的CA,您的客户被设置为信任CA。在广告环境中,这是相当直接的。如果您在域中正确设置了广告证书服务,则您的域名客户将将其视为课程的标准。
与第一个选项不同,如果您还没有CA,并且无法遵循PATH 1,则 在某种程度上是合理的,可以期望组织获得此功能以支持安全的安全与数据库进行通信,因为还会有其他好处。
如果这些路径都不可行(即,客户端不会成为AD的一部分),那么您将必须向客户发布证书,因此可以将其添加到其证书存储中。
值得一提的是, 在客户端代码中没有工作可以使您绕过此。唯一的选择是未加密的与数据库服务器的通信。这是因为本机SQL客户端绝对会不是让您自定义证书检查,并且SQL Server已由.NET从第一天使用本机客户端支持,因此没人见过需要做出替代方案,无论是商业,开源还是介于两者之间的东西。
That is not true. There are still two paths to getting the cert signed by a trusted authority:
Have your server joined to an Active Directory domain named for a public domain you really do control. In this case, you can purchase a certificate from a reputable (trusted) CA vendor that will be accepted by your clients.
Note this does NOT necessarily mean having your AD domain use the same name as your public-facing services (which is, of course, not recommended); just that it's set to use a domain name that could be public, and that you can prove to the satisfaction of a trusted CA that you own this name. You can often pass this check via a combination of a phone call to a number in the WHOIS registry that you actually answer and a set of DNS TXT and CAA records, meaning no server using this domain even has to be reachable from the internet.
Also note that you're supposed to setup AD this way anyway, but I know lots of places did not do as they should, or the AD environment pre-dates this guidance. If that's the case I understand this is a big thing to ask your organization to change. Which brings me to the second path...
Run your own CA, where your clients are set to trust the CA. This is fairly straight-forward in AD environments. If you have AD Certificate Services setup properly with your domain, your domain-joined clients will trust it as par for the course.
Unlike the first option, if you don't already have a CA and you can't follow path 1, it is somewhat reasonable to expect an organization to get this working in order to support secure communication with the database, because there will be other benefits as well.
If neither of those paths is feasible (ie, the clients will not be part of AD), then you will have to publish the certificate to your clients, so it can be added to their certificate store.
It's worth mentioning that there is no work-around in client code that will allow you bypass this. The only alternative is unencrypted communication with the database server. This is because the native sql client absolutely will not let you customize the certificate check, and Sql Server has been supported by .Net from day one using the native client, such that no one has ever seen a need to make an alternative, whether commercial, open source, or something in between.