Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cannot use Connector with SQL Server if SSL is enforced #230

Open
edosrecki opened this issue Oct 7, 2023 · 3 comments
Open

Cannot use Connector with SQL Server if SSL is enforced #230

edosrecki opened this issue Oct 7, 2023 · 3 comments
Assignees
@jackwotherspoon
Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: cleanup An internal cleanup or hygiene concern. type: docs Improvement to the documentation for an API.

Comments

@edosrecki
Copy link
Contributor

edosrecki commented Oct 7, 2023
edited
Loading

Bug Description

I guess this should be considered a bug. I know that we do not need to enforce SSL when using a Connector, since it handles secure connection for us. However, on the other hand, with PostgreSQL and MySQL, we can use Connector even when SSL is enforced, so this makes SQL Server an exception where it doesn't work.

I know that Connector returns tedious options with encrypt: false so that connection is not double-encrypted. But perhaps there should be a way for tedious to know that we are already passing secure connection.

Example code

import { AuthTypes, Connector, IpAddressTypes } from '@google-cloud/cloud-sql-connector'
import knex from 'knex'

const clientOpts = await connector.getTediousOptions({
  instanceConnectionName: 'my-project.my-region.my-instance',
  ipType: IpAddressTypes.PUBLIC,
  authType: AuthTypes.PASSWORD,
})

const database = knex({
  client: 'mssql',
  connection: {
    server: '0.0.0.0', # dummy value due to a bug
    user: 'user',
    password: 'password',
    database: 'database',
    options: {
      ...clientOpts,
    },
  }
})

const result = await database.first(database.raw(`'True' AS connected`))

Stacktrace

ConnectionError: Server requires encryption, set 'encrypt' config option to true.
    at /project/node_modules/tedious/src/connection.ts:3251:34
    at processTicksAndRejections (node:internal/process/task_queues:95:5) {
  code: 'EENCRYPT',
  isTransient: undefined
}

How to reproduce

  1. Create Cloud SQL Server instance.
  2. Check "Allow only SSL connections" checkbox.
  3. Connect using above example.

Environment details

  • OS: MacOS 11.6
  • Node.js version: v18.18.0
  • npm version: v9.8.1
  • connector version: 1.0.0
  • tedious version: 16.4.0
@edosrecki edosrecki added the type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. label Oct 7, 2023
@enocom enocom added the priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. label Oct 9, 2023
@enocom
Copy link
Member

enocom commented Oct 9, 2023
edited
Loading

@edosrecki Have you tried with the following?

const clientOpts = await connector.getTediousOptions({
  instanceConnectionName: 'my-project.my-region.my-instance',
  ipType: IpAddressTypes.PUBLIC,
  authType: AuthTypes.PASSWORD,
  // adding these two options
  encrypt: true,
  trustServerCertificate: true 
})

This is likely a known issue where SQL Server requires double encryption with the Connectors, but only when "Allow only SSL connections" is enabled.

@enocom enocom added priority: p2 Moderately-important priority. Fix may not be included in next release. and removed priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. labels Oct 9, 2023
@edosrecki
Copy link
Contributor Author

@enocom Yes that definitely works, I just wanted to point out that it is not possible without double encryption, but I wasn't aware that it is a known issue.

Thanks!

@enocom
Copy link
Member

enocom commented Oct 9, 2023

This is related to how SQL Server doesn't have support for Unix sockets -- which is how Postgres and MySQL avoid the problem. They accept unencrypted connections through a Unix socket that's backed by the Proxy server.

In the meantime, I'll make this a documentation issue since we don't own the backend and the change is currently below other higher priority items.

@enocom enocom added type: docs Improvement to the documentation for an API. type: cleanup An internal cleanup or hygiene concern. and removed type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Oct 9, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jackwotherspoon jackwotherspoon

Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: cleanup An internal cleanup or hygiene concern. type: docs Improvement to the documentation for an API.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ruyadorno @enocom @edosrecki @jackwotherspoon