[Azure] Failed to validate the server name in a certificate during Secure Sockets Layer (SSL) initialization #623
Comments
Hi @dspereira004, the processEnvChange method from SQLServerConnection is called when the server has detected an environment change (database context, language setting, etc.) as part of the login response. Specifically, the ENVCHANGE_ROUTING token is sent from the server to the driver if the server wants to route the client to an alternate server. I believe the JDBC Driver is changing the "hostNameInCertificate" property because the server has requested to change it, and we need to find out why. (I ran some basic queries against SQL database on Azure for a while, but I was not able to reproduce the issue.) Do you have some ideas as to why this might be happening? If you could let me know what the server is trying to set the new host name to, that would help too (by enabling the logger and setting it to level "finer" or higher in your application).
We're experiencing a similar issue. Also intermittently.
Hi @dspereira004, @jschrap, I've made a fix in this branch, and the PR #644 is currently in review. In the meantime, you can test the changes by forking that branch.
Hi @dspereira004, @jschrap, have you had a chance to test out my fixes for this issue? Thanks!
Hi,
Not yet. We’ve got a workaround pointing to the CN.
And strangely enough, we recently reverted the workaround to gather more logging and the error hasn’t occurred since. I wonder if there was something else in the CN routing that was fixed?
@peterbae I haven't tried with your branch yet. However, I did try to reproduce the problem that I reported to get those logs but didn't succeed anymore. I'm not sure why, but perhaps something changed on the routing side?
@peterbae I am having a similar issue and have just compiled your branch. I am still getting the same issue with 'failed to validate the server name in certificate' with your branch. This was working three days ago using mssql-jdbc-6.4.0.jre9 on JDK 9, then stopped for no reason or change to codebase / libs. FINER: TDSChannel (ConnectionID:1) Starting SSL handshake
Hi @rangala, thanks for the detailed information. The response from multiple customers over the past week and their inability to reproduce the issue all of a sudden leads me to believe that this problem might've been coming from the server's (Azure) end. That said, I can see that your SSL certificate has the entry *.database.secure.windows, instead of *.database.windows.net. This page as well as other resources suggest to me that your server might have security/auditing features on, in which case you could try putting *.database.secure.windows in your hostNameInCertificate connection string. Could you let me know if this solves your problem?
Thanks @peterbae, you are correct that auditing was enabled. I have provided another driver trace below. It actually makes two SSL handshakes. The first SSL handshake is successful, then the second is with *.database.secure.windows.net as per the trace. Turning off auditing solves the problem and connects. I can't find a reference on inserting multiple hostNameCertificates entries into the connection properties, so the only workaround is to set trustServerCertificate = true. FINER: TDSChannel (ConnectionID:1) Starting SSL handshake
Hi @rangala, thanks for the detailed information. Did you produce the most recent log with mssql-jdbc-6.4.0.jre9 or with my own branch? (I don't think my branch should be used if the problem was solved on Azure's end.) If you haven't already, could you try using hostNameInCertificate=*.database.secure.windows with the mssql-jdbc-6.4.0.jre9 driver, and see if the error still persists? Thanks in advance.
Hi @rangala, were you able to try out my previous suggestion, or has the problem been solved on your end?
I believe the underlying issue (coming from Azure) has been solved, and there's no action due on the driver's end. Closing due to inactivity & problem solved - but please feel free to reopen this issue if more assistance is required.
Looks like the problem is still here. Opening the issue again.
Merged #644, closing issue.
Driver version or jar name
6.3.6
SQL Server version
Microsoft SQL Azure (RTM) - 12.0.2000.8
Client operating system
Ubuntu 16.04
Java/JVM version
java version "1.8.0_161"
Table schema
N/A
Problem description
Using the mentioned version of the mssql-jdbc, and connecting to SQL Server on
Azure with a jdbc string provided by Azure, which includes the following
properties:
We are sometimes getting the following stack trace:
This problem happens when the "hostNameInCertificate" property is changed by the driver on the SQLServerConnection class (because of an ENVCHANGE_ROUTING).
In that case, the original "hostNameInCertificate" (which comes from the jdbc string provided by Azure) is replaced by the routing server name.
This will trigger an exception on the method validateServerNameInCertificate since the routing server name does not exist on the certificate.
Expected behavior and actual behavior
Probably, the "hostNameInCertificate" property shouldn't be changed the way it is currently being done, because there are no guarantees that afterward, we will validate the server name in the certificate successfully.
The expected behavior is that this error shouldn't happen since we are providing a correct "hostNameInCertificate" (and which works fine until we have that ENVCHANGE_ROUTING event).
Repro code
Set up on an Azure account both a SQL Server/Database and a VM with a client that uses the mssql-jdbc lib, and perform operations with it.
As said previously, this happens from time to time so it may take a little bit to reproduce this behavior.
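The failure described in the issue body (and in the first comment's account of ENVCHANGE_ROUTING) can be illustrated with a standalone hostname-matching routine: a single-label wildcard in a certificate's SAN covers the configured server name, but a routing target with additional labels is not covered, so replacing the user's "hostNameInCertificate" with the routing name makes validation fail. This is an added example, not mssql-jdbc code: the SAN entries and host names are constructed, the matcher follows the usual RFC 6125 wildcard rules rather than the driver's own validateServerNameInCertificate, and the connection string's wildcard hostNameInCertificate is simplified to a concrete server name. It also models the trustServerCertificate=true workaround mentioned later in the thread, to make visible what that setting gives up.

```python
# Added illustration of wildcard hostname matching and of the routing failure
# reported in this issue. Not the mssql-jdbc implementation; every SAN entry and
# host name below is constructed for the example.
from typing import List, Optional, Tuple


def matches_hostname(pattern: str, hostname: str) -> bool:
    """Return True if a certificate dNSName (possibly a wildcard) covers hostname.

    Conservative RFC 6125 rules: comparison is case-insensitive, a wildcard must
    be the entire leftmost label, it must be followed by at least two more
    labels, and it matches exactly one label, so "*.example.com" covers
    "a.example.com" but not "a.b.example.com" or "example.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # partial wildcard ("my*.") or too-broad wildcard ("*.net")
    if any("*" in label for label in p_labels[1:]):
        return False  # wildcard allowed only in the leftmost label
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False  # the wildcard spans exactly one non-empty label
    return h_labels[1:] == p_labels[1:]


def validate_server_name(san_dns_names: List[str],
                         expected_host: str) -> Tuple[bool, Optional[str]]:
    """Check expected_host against each dNSName SAN entry; return (ok, matching entry)."""
    for entry in san_dns_names:
        if matches_hostname(entry, expected_host):
            return True, entry
    return False, None


# Constructed certificate carrying both wildcard patterns that appear in the thread.
CONSTRUCTED_SAN = ["*.database.windows.net", "*.database.secure.windows.net"]

# Constructed names: the server the client configured, and a hypothetical routing
# target with extra labels, which a one-label wildcard cannot cover.
CONFIGURED_HOST = "myserver.database.windows.net"
ROUTED_HOST = "worker01.tr123.myserver.database.windows.net"


def simulate_login(san_dns_names: List[str], configured_host: str, routing_target: str,
                   overwrite_host_name_in_certificate: bool,
                   trust_server_certificate: bool = False) -> List[Tuple[str, str, bool]]:
    """Model the two handshakes of a routed login; return (phase, name checked, accepted).

    overwrite_host_name_in_certificate=True reproduces the reported behaviour (the
    routing name replaces the user's hostNameInCertificate); False keeps the user's
    value across the redirect. trust_server_certificate=True models the
    trustServerCertificate=true workaround: validation is skipped, so any
    certificate is accepted and the check no longer binds the connection to the
    intended server.
    """
    results = []
    # Handshake 1: initial connection, validated against the configured name.
    ok, _ = validate_server_name(san_dns_names, configured_host)
    results.append(("initial handshake", configured_host, ok or trust_server_certificate))
    # The login response carries ENVCHANGE_ROUTING; the driver reconnects and
    # validates whichever name it now holds as hostNameInCertificate.
    name_to_check = routing_target if overwrite_host_name_in_certificate else configured_host
    ok, _ = validate_server_name(san_dns_names, name_to_check)
    results.append(("after ENVCHANGE_ROUTING", name_to_check, ok or trust_server_certificate))
    return results


if __name__ == "__main__":
    for label, overwrite in (("reported behaviour", True), ("configured name kept", False)):
        print(label)
        for phase, name, accepted in simulate_login(CONSTRUCTED_SAN, CONFIGURED_HOST,
                                                    ROUTED_HOST, overwrite):
            print(f"  {phase:24} {name:48} {'ok' if accepted else 'FAILED'}")
```

Running the simulation shows the first handshake succeeding and the second failing only when the routing name overwrites the configured one; with trustServerCertificate=true both phases report success because nothing is checked, which is why that workaround trades the name-validation error for the loss of server authentication.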