Open d-richter-qdt opened 1 week ago
hi @d-richter-qdt
I'm not sure what the question is. Did the hostNameInCertificate property work for you? That is what this property is used for: it can be used to specify the host name in situations where the name, or names, used in the certificate don't match the name passed in to the serverName property. For more information on descriptions of connection properties for the driver, please see the doc Setting the connection properties.
Hello @lilgreenbird,
Thank you for your response. It is not a question but a bug report. I believe that the driver should be able to connect without using that property in this case, as the certificate contains the IP address of the DB server in the subjAltName extension (even though I agree it is kind of an edge case). As to your question: yes, the property works.
To be exact: here, https://github.com/microsoft/mssql-jdbc/blob/ffa5e1fa9cc1a490ed10d86b39a7c8b887488d89/src/main/java/com/microsoft/sqlserver/jdbc/SQLServerCertificateUtils.java#L224, the handling of key == 7 is missing (see https://docs.oracle.com/javase/6/docs/api/java/security/cert/X509Certificate.html#getSubjectAlternativeNames()).
Driver version
JDBC driver version (e.g. 12.8.1).
SQL Server version
Microsoft SQL Server 2022 (RTM-CU15-GDR) (KB5046059) - 16.0.4150.1 (X64) Sep 25 2024 17:34:41 Copyright (C) 2022 Microsoft Corporation Developer Edition (64-bit) on Linux (Ubuntu 22.04.5 LTS)
JAVA/JVM version
21.0.4
Problem description
Server certificate subject alternative name of type iPAddress is not taken into account in server name verification.
Expected behavior
If the server address is entered as an IP address and the server certificate contains a subject alternative name extension with that IP address defined, the connection attempt will succeed.
Actual behavior
Server name check fails.
Error message/stack trace
Any other details that can be helpful
com.microsoft.sqlserver.jdbc.SQLServerCertificateUtils.validateServerNameInCertificate takes only constant 2 (DNS name) into account
JDBC URL:
jdbc:sqlserver://<IP_ADDRESS>:<PORT>;databaseName=<DB_NAME>;socketTimeout=60000;encrypt=true;trustServerCertificate=false;trustStore=<PATH_TO_TRUSTSTORE>;trustStorePassword=<TRUSTSTORE_PWD>
Possible workaround: use the hostNameInCertificate parameter with the DNS name used in the certificate.
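For readers who want to see what the reporter's point (in the comment above and in the problem description) looks like in code, here is an added example of a server-name check that honours both GeneralName types. It is illustrative code written for this page, not the mssql-jdbc implementation and not a proposed patch; the class and method names (SanServerNameCheck, validateServerName, matchesSubjectAltNames) are invented. It works on the shape returned by X509Certificate.getSubjectAlternativeNames(): a Collection of two-element lists [Integer type, value], where type 2 is dNSName and type 7 is iPAddress, both returned as String (per the JDK Javadoc linked above). The rule applied is the one from RFC 2818 section 3.1: when the target is an IP literal it must match an iPAddress SAN exactly, never a dNSName; when it is a host name it is compared case-insensitively against dNSName entries, with a single left-most wildcard label allowed. Addresses are compared as bytes after parsing with InetAddress so that "2001:db8::5" and the expanded form Java returns from the certificate compare equal. The SAN entries in main are constructed sample data, not taken from a real certificate.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

/** Hypothetical example, not the mssql-jdbc driver's code. */
public final class SanServerNameCheck {
    private static final int GENERAL_NAME_DNS = 2; // dNSName, per X509Certificate.getSubjectAlternativeNames()
    private static final int GENERAL_NAME_IP  = 7; // iPAddress
    private static final Pattern IPV4 = Pattern.compile("^\\d{1,3}(\\.\\d{1,3}){3}$");

    /** Checks the certificate's SAN extension against the host part of the JDBC serverName. */
    public static boolean validateServerName(X509Certificate cert, String serverName)
            throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            return false; // no SAN extension at all; any CN fallback is a separate policy decision
        }
        return matchesSubjectAltNames(sans, serverName);
    }

    /** Same check, but on the already-extracted SAN list so it can be exercised without a certificate. */
    public static boolean matchesSubjectAltNames(Collection<List<?>> sans, String serverName) {
        String target = stripBrackets(serverName.trim());
        boolean targetIsIp = isIpLiteral(target);
        for (List<?> san : sans) {
            int type = (Integer) san.get(0);
            Object value = san.get(1);
            if (!(value instanceof String)) {
                continue; // otherName, x400Address etc. come back as byte[]; not relevant here
            }
            String name = (String) value;
            if (targetIsIp) {
                // RFC 2818 section 3.1: an IP literal must match an iPAddress SAN; dNSName never counts
                if (type == GENERAL_NAME_IP && sameAddress(name, target)) {
                    return true;
                }
            } else if (type == GENERAL_NAME_DNS && dnsMatches(name, target)) {
                return true;
            }
        }
        return false;
    }

    private static String stripBrackets(String host) {
        return host.startsWith("[") && host.endsWith("]") ? host.substring(1, host.length() - 1) : host;
    }

    /** Only syntactic detection, so that InetAddress.getByName below never triggers a DNS lookup. */
    private static boolean isIpLiteral(String host) {
        return IPV4.matcher(host).matches() || host.indexOf(':') >= 0;
    }

    /** Byte-wise comparison of two IP literals; tolerates IPv6 formatting differences. */
    private static boolean sameAddress(String sanValue, String target) {
        try {
            return Arrays.equals(InetAddress.getByName(sanValue).getAddress(),
                                 InetAddress.getByName(target).getAddress());
        } catch (UnknownHostException | IllegalArgumentException e) {
            return false; // malformed literal in either position: treat as non-matching
        }
    }

    /** Case-insensitive exact match, or a single "*." label matching exactly one host label. */
    private static boolean dnsMatches(String pattern, String host) {
        String p = pattern.toLowerCase(Locale.ROOT);
        String h = host.toLowerCase(Locale.ROOT);
        if (p.equals(h)) {
            return true;
        }
        if (!p.startsWith("*.")) {
            return false;
        }
        String suffix = p.substring(2);
        if (suffix.indexOf('.') < 0) {
            return false; // refuse patterns like "*.com"
        }
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot + 1).equals(suffix); // "*.corp.example" does not match "corp.example"
    }

    private static void expect(boolean actual, boolean wanted, String what) {
        if (actual != wanted) {
            throw new IllegalStateException("unexpected result for " + what);
        }
    }

    public static void main(String[] args) {
        // Constructed sample SAN list in the shape getSubjectAlternativeNames() returns (not a real cert)
        List<List<?>> sans = new ArrayList<>();
        sans.add(List.of(GENERAL_NAME_DNS, "db01.corp.example"));
        sans.add(List.of(GENERAL_NAME_DNS, "*.corp.example"));
        sans.add(List.of(GENERAL_NAME_IP, "10.20.30.40"));
        sans.add(List.of(GENERAL_NAME_IP, "2001:db8:0:0:0:0:0:5")); // expanded form, as Java renders it
        expect(matchesSubjectAltNames(sans, "10.20.30.40"), true, "IPv4 literal vs iPAddress SAN");
        expect(matchesSubjectAltNames(sans, "[2001:db8::5]"), true, "bracketed compressed IPv6 literal");
        expect(matchesSubjectAltNames(sans, "db01.corp.example"), true, "exact dNSName");
        expect(matchesSubjectAltNames(sans, "app.corp.example"), true, "wildcard dNSName");
        expect(matchesSubjectAltNames(sans, "10.20.30.41"), false, "IP not in SAN");
        expect(matchesSubjectAltNames(sans, "corp.example"), false, "wildcard must not match parent");
        System.out.println("all SAN checks behaved as expected");
    }
}
```

The JDBC URL in this report has an IP literal as the server name and a certificate that carries that address as an iPAddress SAN, so with this check the connection would pass without hostNameInCertificate; a driver that only inspects type 2 entries necessarily fails it, which is the behaviour described under "Actual behavior".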