GomeChas
commented
3 months ago This would be a significant security vulnerability as peer verification is a primary means for the client to combat MITM attacks.
Closed mr-miles closed 1 month ago
GomeChas
commented
3 months ago This would be a significant security vulnerability as peer verification is a primary means for the client to combat MITM attacks.
denisenkom
commented
1 month ago Adding such option would create a footgun which I am not comfortable with. Instead you should be able to setup test database to be created with a fixed test certificate, which you can then mark as trusted in your application. That way you would not need to update it every time test environment is rebuilt.
Hi,
I am trying to connect to sql server with tls, but it is a test database with a dummy certificate that is refreshed whenever the environment is rebuilt (every few days) and mandates TLS encryption. It does not offer an unencrypted endpoint.
For connections not going via pytds, there is a "Trust Server Certificate" argument which accepts any certificate offered by the server. However pytds does not have this option - I have to supply a ca cert to turn on TLS, and can control whether the hostname within the certificate is validated or not.
Is there any interest in a PR to address this? The actual change is tiny - if tls.py:148 does VERIFY_NONE rather than VERIFY_PEER then it all goes smoothly.