Add hostname override for MSSQL TLS verification

cyberark · Apr 15, 2020 · c446521 · c446521
1 parent 30c8dfc
commit c446521
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 6 deletions.
diff --git a/internal/plugin/connectors/tcp/mssql/connection_details.go b/internal/plugin/connectors/tcp/mssql/connection_details.go
@@ -36,9 +36,9 @@ var sslModeToBaseParams = map[string]map[string]string{
 }
 
 const (
-	sslModeDisable  = "disable"
-	sslModeRequire  = "require"
-	sslModeVerifyCA = "verify-ca"
+	sslModeDisable    = "disable"
+	sslModeRequire    = "require"
+	sslModeVerifyCA   = "verify-ca"
 	sslModeVerifyFull = "verify-full"
 )
 
@@ -84,12 +84,17 @@ func newSSLParams(credentials map[string][]byte) map[string]string {
 		return newSSLParams(credentials)
 	}
 
-	if sslMode == sslModeVerifyCA  {
+	if sslMode == sslModeVerifyCA {
 		params["rawcertificate"] = string(credentials["sslrootcert"])
 	}
 
-	if sslMode == sslModeVerifyFull  {
+	if sslMode == sslModeVerifyFull {
 		params["rawcertificate"] = string(credentials["sslrootcert"])
+
+		// Ability to override hostname for verification
+		if len(credentials["sslhost"]) > 0 {
+			params["hostnameincertificate"] = string(credentials["sslhost"])
+		}
 	}
 
 	return params

diff --git a/internal/plugin/connectors/tcp/mssql/connection_details_test.go b/internal/plugin/connectors/tcp/mssql/connection_details_test.go
@@ -177,6 +177,23 @@ func TestConnectionDetails_NewSSLOptions(t *testing.T) {
 				"rawcertificate":         "foo",
 			},
 		},
+		{
+			description: "sslmode:verify-full with sslhost",
+			args: args{
+				credentials: map[string][]byte{
+					"sslmode":     []byte("verify-full"),
+					"sslhost":     []byte("foo.bar"),
+					"sslrootcert": []byte("foo"),
+				},
+			},
+			expected: map[string]string{
+				"encrypt":                "true",
+				"trustservercertificate": "false",
+				"disableverifyhostname":  "false",
+				"rawcertificate":         "foo",
+				"hostnameincertificate":  "foo.bar",
+			},
+		},
 	}
 
 	for _, tc := range testCases {

diff --git a/third_party/go-mssqldb b/third_party/go-mssqldb