-
Notifications
You must be signed in to change notification settings - Fork 292
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix | Skip the CRL check during authenticaiton #1559
Fix | Skip the CRL check during authenticaiton #1559
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd note in the description that passing false
instead of true
to that API changes the behavior of the call back to the way it was prior to the changes in #1168.
It may be worth adding a connection string parameter to allow opting into the CRL check, for users which do want it (CRLs can be a very important security thing). |
@roji |
A CRL check on every (physical) connection can be critical for security, otherwise an application may accept certificates that have been revoked. In the common case, I don't expect the performance of physical connection opening to be critical - that's why pooling is there, and SSL/TLS already typically involved multiple round trips between the client and server. Note that I'm not advocating CRL necessarily be enabled by default - just to allow users to opt into it if they so wish, for added security (FWIW this is what Npgsql does, see docs. After all, SslStream does expose this bool flag, so it's just a matter of allowing users to determine what SqlClient passes into it. If that makes sense, I can open a new issue for that. |
Co-authored-by: Davoud Eshtehari <[email protected]>
…1706) Skip the CRL check during authentication.
Co-authored-by: Davoud Eshtehari <[email protected]>
Passing the
true
as the last parameter in AuthenticateAsClient(String, X509CertificateCollection, SslProtocols, Boolean) method enables the Certificate Revocation List (CRL) check during authentication. If the CRL wasn't accessible from where the request was sent, it will fail to send the request to the SQL Server.