Closed jsimonweb closed 2 years ago
@jsimonweb I appreciate the PR. I think you would need to replace the :
with %3A
, because it is URL encoded. Can you tell me exactly where it errors, and what it says? Does it fail with a connection error cert match error?
I don't think I would want to do exactly as you have it, but let's discuss what would work.
The error happens upon calling sql.Open() as in the following code snippet:
dbURI := fmt.Sprintf("server=%s;user id=%s;password=%s;port=%s;database=%s;", dbTCPHost, dbUser, dbPwd, dbPort, dbName)
dbURI += fmt.Sprintf("encrypt=true;hostnameincertificate=my-project:test-sqlserver;certificate=%s;", dbRootCert)
sql.Open("mssql", dbURI)
The error message is:
TLS Handshake failed: x509: certificate is valid for [IP Address], not my-project:test-sqlserver
Using go-mssqldb
updated with the code in PR #705, the following code snippet works as expected:
dbURI := fmt.Sprintf("server=%s;user id=%s;password=%s;port=%s;database=%s;", dbTCPHost, dbUser, dbPwd, dbPort, dbName)
dbURI += fmt.Sprintf("encrypt=true;hostnameincertificate=my-project:test-sqlserver;nonstandardcertcommonname=true;certificate=%s;", dbRootCert)
sql.Open("mssql", dbURI)
I don't think I would want to do exactly as you have it, but let's discuss what would work.
My PR is the approach I found to resolve this issue while still ensuring a verified certificate based encrypted connection. Feel free to treat it as a proof of concept and re-implement it in a way that's best for the go-mssqldb
driver.
Let me know if you need any more details or have any follow-up questions. Thank you!
Proposal approved. I left comments on PR.
Issue: Google Cloud SQL for SQL Server generated SSL server certificates include a Common Name (CN) formatted as:
project-id:instance-id
Example snippet from a generated SSL server certificate:
CN = my-project:test-sqlserver
The
:
character in the CN currently causes a connection formatted as the following snippet to fail:dbURI += fmt.Sprintf("encrypt=true;hostnameincertificate=my-project:test-sqlserver;certificate=%s;", dbRootCert)
Feature request: Provide an option to allow verification of SSL certificates that include a custom non-standard Common Name (CN).
For more information on this issue see: https://github.com/golang/go/issues/40748