From 6402ca30a73fb73e814dabbd465710b3967727a7 Mon Sep 17 00:00:00 2001
From: DavoudEshtehari <61173489+DavoudEshtehari@users.noreply.github.com>
Date: Tue, 5 Apr 2022 15:58:24 -0700
Subject: [PATCH] Fix | Skip the CRL check during authenticaiton (#1559)
Co-authored-by: Davoud Eshtehari
---
 .../Data/SqlClient/SNI/SNINpHandle.cs | 2 +-
 .../Data/SqlClient/SNI/SNITcpHandle.cs | 40 ++++++++++---------
 2 files changed, 22 insertions(+), 20 deletions(-)
diff --git a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SNI/SNINpHandle.cs b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SNI/SNINpHandle.cs
index 2b93f4e752..c4ba4640f6 100644
--- a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SNI/SNINpHandle.cs
+++ b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SNI/SNINpHandle.cs
@@ -312,7 +312,7 @@ public override uint EnableSsl(uint options)
 _validateCert = (options & TdsEnums.SNI_SSL_VALIDATE_CERTIFICATE) != 0;
 try
 {
- _sslStream.AuthenticateAsClient(_targetServer, null, SupportedProtocols, true);
+ _sslStream.AuthenticateAsClient(_targetServer, null, SupportedProtocols, false);
 _sslOverTdsStream.FinishHandshake();
 }
 catch (AuthenticationException aue)
diff --git a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SNI/SNITcpHandle.cs b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SNI/SNITcpHandle.cs
index d37ba9d35c..12f6370ecc 100644
--- a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SNI/SNITcpHandle.cs
+++ b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SNI/SNITcpHandle.cs
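Review bot: The `false` now passed as the last argument of `AuthenticateAsClient` is `checkCertificateRevocation`, so the server certificate's revocation status is no longer consulted on the named-pipe path — and the identical edit in the SNITcpHandle.cs hunk does the same for TCP — irrespective of whether the caller set `SNI_SSL_VALIDATE_CERTIFICATE` in `options`, yet the line carries no comment saying why. A reader of the `_validateCert` assignment one line above may assume that flag governs the whole validation, and a bare trailing boolean hides the narrowing. I would spell the argument and the reason out inline, `_sslStream.AuthenticateAsClient(_targetServer, null, SupportedProtocols, checkCertificateRevocation: false); // revocation (CRL) is not checked here; see #1559`, and if revocation checking is still wanted in some deployments, drive the flag from configuration rather than a literal. `EnableSsl` continues past the end of this hunk.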
@@ -578,27 +578,29 @@ private static async void ParallelConnectHelper(
 ///
 public override uint EnableSsl(uint options)
 {
- _validateCert = (options & TdsEnums.SNI_SSL_VALIDATE_CERTIFICATE) != 0;
-
- try
- {
- _sslStream.AuthenticateAsClient(_targetServer, null, SupportedProtocols, true);
- _sslOverTdsStream.FinishHandshake();
- }
- catch (AuthenticationException aue)
+ using (TrySNIEventScope.Create(nameof(SNIHandle)))
 {
- SqlClientEventSource.Log.TrySNITraceEvent(nameof(SNITCPHandle), EventType.ERR, "Connection Id {0}, Authentication exception occurred: {1}", args0: _connectionId, args1: aue?.Message);
- return ReportTcpSNIError(aue, SNIError.CertificateValidationErrorCode);
- }
- catch (InvalidOperationException ioe)
- {
- SqlClientEventSource.Log.TrySNITraceEvent(nameof(SNITCPHandle), EventType.ERR, "Connection Id {0}, Invalid Operation Exception occurred: {1}", args0: _connectionId, args1: ioe?.Message);
- return ReportTcpSNIError(ioe);
- }
+ _validateCert = (options & TdsEnums.SNI_SSL_VALIDATE_CERTIFICATE) != 0;
+ try
+ {
+ _sslStream.AuthenticateAsClient(_targetServer, null, SupportedProtocols, false);
+ _sslOverTdsStream.FinishHandshake();
+ }
+ catch (AuthenticationException aue)
+ {
+ SqlClientEventSource.Log.TrySNITraceEvent(nameof(SNITCPHandle), EventType.ERR, "Connection Id {0}, Authentication exception occurred: {1}", args0: _connectionId, args1: aue?.Message);
+ return ReportTcpSNIError(aue, SNIError.CertificateValidationErrorCode);
+ }
+ catch (InvalidOperationException ioe)
+ {
+ SqlClientEventSource.Log.TrySNITraceEvent(nameof(SNITCPHandle), EventType.ERR, "Connection Id {0}, Invalid Operation Exception occurred: {1}", args0: _connectionId, args1: ioe?.Message);
+ return ReportTcpSNIError(ioe);
+ }
- _stream = _sslStream;
- SqlClientEventSource.Log.TrySNITraceEvent(nameof(SNITCPHandle), EventType.INFO, "Connection Id {0}, SSL enabled successfully.", args0: _connectionId);
- return TdsEnums.SNI_SUCCESS;
+ _stream = _sslStream;
+ SqlClientEventSource.Log.TrySNITraceEvent(nameof(SNITCPHandle), EventType.INFO, "Connection Id {0}, SSL enabled successfully.", args0: _connectionId);
+ return TdsEnums.SNI_SUCCESS;
+ }
 }
 ///
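Review bot: `TrySNIEventScope.Create(nameof(SNIHandle))` on the new `using` line names the scope after `SNIHandle`, while every `TrySNITraceEvent` call inside the same method tags itself with `nameof(SNITCPHandle)`; if the scope name is meant to identify the emitting handle, as the trace tags do, it should read `using (TrySNIEventScope.Create(nameof(SNITCPHandle)))`, and if `SNIHandle` (presumably the base type, given the `override`) is deliberate, a short comment would stop the next reader from "correcting" it. The hunk header's `ParallelConnectHelper(` is only git's context guess; `EnableSsl` lies entirely within this hunk, so the `return` statements inside the `using` dispose the scope before the method exits. The revocation-check concern raised on the SNINpHandle.cs hunk applies equally to the `AuthenticateAsClient` call here.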