.Net SqlConnection, Server Authentication, and Certificate Pinning
How does one pin a certificate when using a SqlConnection? From SqlConnection Connection String Parameter Keywords & Values, I know I can set Encrypted to true to force (encourage?) use of SSL/TLS.

However, to pin a certificate, I believe we need to use ServerCertificateValidationCallback from ServicePointManager (sample code below was offered by Arne Vajhøj for HTTP/HTTPS). I'm not clear how to wire PinCertificate (from ServicePointManager) into SqlConnection.

UPDATE: Talking with Arne Vajhøj on microsoft.public.dotnet.languages.csharp, it appears it's not possible to have the desired control over the connection. Vajhøj offered a link to Encrypting Connections to SQL Server.

using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class Program
{
  public static void Main(string[] args)
  {
    // Process-wide hook: every HttpWebRequest made in this process now goes through PinCertificate.
    ServicePointManager.ServerCertificateValidationCallback = PinCertificate;
    WebRequest wr = WebRequest.Create("https://www.google.com/");

    wr.GetResponse();
  }

  public static bool PinCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
  {
    // SHA-1 thumbprint of the leaf certificate the server presented (the value
    // the Windows certificate dialog shows as "Thumbprint").
    byte[] chash = certificate.GetCertHash();

    StringBuilder sb = new StringBuilder(chash.Length * 2);
    foreach (byte b in chash)
      sb.AppendFormat("{0:X2}", b);

    // Verify against known SHA1 thumb print of the certificate.
    // Note: sslPolicyErrors (chain / host-name result) is not consulted here;
    // the pin alone decides.
    String hash = sb.ToString();
    if (hash != "C1956DC8A7DFB2A5A56934DA09778E3A11023358")
      return false;

    return true;
  }
}
Davita answered 1/1, 2012 at 5:20
An example of certificate validation in VB.NET: social.msdn.microsoft.com/forums/en-US/netfxnetcom/thread/…. Should be easy enough to convert. (Glynda)
The MSDN example uses ServicePointManager and ServerCertificateValidationCallback (calling MyCertValidationCb). It's no different than the sample I posted. I'm still not clear on how one wires ServerCertificateValidationCallback into a SqlConnection. (Davita)
support.microsoft.com/default.aspx?scid=276553 does this help? (Histogen)
I don't know this so clearly, but I think when you establish a connection which uses an encrypted connection (SSL), it actually accesses the local cert hash store for the intended certificate, which can be resolved when the service point manager has a link to it. (Histogen)
"The TrustServerCertificate keyword is new in ADO.NET 2.0 and valid only when connecting to a SQL Server 2005 instance with a valid certificate. When TrustServerCertificate is set to true, the transport layer will use SSL to encrypt the channel and bypass walking the certificate chain to validate trust." from msdn.microsoft.com/en-us/library/ms254500.aspx (Histogen)
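The thread's conclusion for System.Data.SqlClient is that the ServicePointManager callback is never consulted, so the controls that are actually available are the two connection-string keywords discussed above: Encrypt, and TrustServerCertificate, which (per the MSDN quote) skips the chain walk entirely. The following C# is an added example, not code from the original post, the answer, or the MSDN pages linked. It builds the weak and the hardened connection string side by side and runs a small audit that flags the combinations leaving the server unauthenticated. The host and database names are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;

// Added example (not from the original thread). Audits the two keywords the
// thread discusses: Encrypt and TrustServerCertificate.
public static class SqlConnectionStringAudit
{
    // Returns the findings for a connection string; an empty list means the
    // channel is encrypted AND the server certificate is chain-validated.
    public static List<string> Audit(string connectionString)
    {
        var findings = new List<string>();
        var csb = new SqlConnectionStringBuilder(connectionString);

        if (!csb.Encrypt)
            findings.Add("Encrypt=false: unless the server forces encryption, only the login " +
                         "exchange is protected; queries and results travel in clear text");

        if (csb.TrustServerCertificate)
            findings.Add("TrustServerCertificate=true: the chain is not walked, so any " +
                         "certificate is accepted and an on-path attacker can impersonate the server");

        return findings;
    }

    public static void Main()
    {
        // Weak: traffic is encrypted, but the client never verifies whom it is talking to.
        var weak = new SqlConnectionStringBuilder
        {
            DataSource = "sql.example.internal",   // placeholder host
            InitialCatalog = "Orders",             // placeholder database
            IntegratedSecurity = true,
            Encrypt = true,
            TrustServerCertificate = true
        };

        // Hardened: encrypted, and the server certificate must chain to a root the
        // client machine trusts and match the host name. Not pinning, but the
        // server is at least authenticated.
        var hardened = new SqlConnectionStringBuilder(weak.ConnectionString)
        {
            TrustServerCertificate = false
        };

        foreach (var cs in new[] { weak, hardened })
        {
            Console.WriteLine(cs.ConnectionString);
            List<string> findings = Audit(cs.ConnectionString);
            Console.WriteLine(findings.Count == 0
                ? "  OK"
                : "  " + string.Join("\n  ", findings));
        }
    }
}
```

The hardened string relies on the client machine's trust store rather than a pin: whichever certificate the SQL Server instance presents must chain to a trusted root and carry the host name used in DataSource, which is the model the Encrypting Connections to SQL Server article describes. Audit() is handy as a unit test over the connection strings in a deployment's config files, where TrustServerCertificate=true tends to survive from the development environment.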
how about something like:

Imports System.Net.Security
Imports System.Security.Cryptography.X509Certificates

Module Program
    Sub Main()
        System.Net.ServicePointManager.ServerCertificateValidationCallback = New RemoteCertificateValidationCallback(AddressOf ValidateCertificate)
    End Sub
    Private Function ValidateCertificate(ByVal sender As Object, ByVal certificate As X509Certificate, ByVal chain As X509Chain, ByVal sslPolicyErrors As SslPolicyErrors) As Boolean
        'Return True to force the certificate to be accepted (no pin or chain check is performed).
        Return True
    End Function
End Module
Alderman answered 7/1, 2012 at 20:17
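The answer above returns True for every certificate, which switches server authentication off rather than pinning anything. As a contrast, here is an added C# example (not from the question, the answer, or Arne Vajhøj's sample) of the stricter shape a pinning callback should take for the HTTPS case the question's code covers: the platform's chain and host-name result must be clean, and the leaf certificate's SHA-256 must match one of a small pin set, so a backup pin can be in place before the certificate is rotated. The pin values and the URL are placeholders. As the UPDATE in the question notes, SqlConnection does not consult this callback at all, so it applies to WebRequest/HttpWebRequest only.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the original thread): a pinning callback that
// narrows, rather than replaces, the platform's certificate validation.
public static class PinnedValidation
{
    // SHA-256 over the DER-encoded leaf certificate, upper-case hex.
    // Placeholder values: compute them from the real server certificate.
    private static readonly string[] PinnedSha256 =
    {
        "0000000000000000000000000000000000000000000000000000000000000000", // current certificate
        "1111111111111111111111111111111111111111111111111111111111111111"  // backup, for rotation
    };

    public static string Sha256Hex(X509Certificate certificate)
    {
        using (var sha = SHA256.Create())
        {
            byte[] hash = sha.ComputeHash(certificate.GetRawCertData());
            return BitConverter.ToString(hash).Replace("-", "");
        }
    }

    public static bool IsPinned(X509Certificate certificate)
    {
        string actual = Sha256Hex(certificate);
        return PinnedSha256.Any(p => string.Equals(p, actual, StringComparison.OrdinalIgnoreCase));
    }

    public static bool ValidateCertificate(object sender, X509Certificate certificate,
                                           X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Keep the chain and host-name checks: a pin match on an expired or
        // mis-named certificate is still a failure.
        if (sslPolicyErrors != SslPolicyErrors.None || certificate == null)
            return false;

        return IsPinned(certificate);
    }

    public static void Main()
    {
        // Process-wide: this callback runs for every HttpWebRequest in the
        // process, not only the request below.
        ServicePointManager.ServerCertificateValidationCallback = ValidateCertificate;

        WebRequest request = WebRequest.Create("https://www.example.com/"); // placeholder URL
        try
        {
            using (request.GetResponse())
            {
                Console.WriteLine("server certificate matched a pin");
            }
        }
        catch (WebException ex)
        {
            // A pin mismatch surfaces as a TrustFailure WebException.
            Console.WriteLine("rejected: " + ex.Message);
        }
    }
}
```

Two caveats a practitioner will want: pinning the whole certificate (as the question's SHA-1 thumbprint does, and as this example does with SHA-256) means every renewal changes the pin, which is why the second slot exists; and because the callback is global to ServicePointManager, any other HTTPS client in the same process is now restricted to the same pins.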

© 2022 - 2024 — McMap. All rights reserved.