TLS 1.2 + encrypt + prDirect + pooling

Discussion of open issues, suggestions and bugs regarding UniDAC (Universal Data Access Components) for Delphi, C++Builder, Lazarus (and FPC)
Post Reply
tonymeadors
Posts: 33
Joined: Wed 28 Feb 2007 17:56

TLS 1.2 + encrypt + prDirect + pooling

Post by tonymeadors » Tue 31 Mar 2020 14:48

We are trying to make all our applications support TLS 1.2
encrypted communication - most clients seem to suddenly
be requiring it.

When connecting to SQL server DBS we set:
provider to prDirect
Encrypt to TRUE
TrustServerCertificate to TRUE

This seems to do the job - BUT if pooling is turned on
(which we normally are indeed using)
we get an exception on connection:

"The certificate is not trusted by the trust provider."

Is this to be expected? Is there a trick to keep pooling
action with those other values set in this way?

thanks,
tonyM

Stellar
Devart Team
Posts: 359
Joined: Tue 03 Oct 2017 11:00

Re: TLS 1.2 + encrypt + prDirect + pooling

Post by Stellar » Mon 06 Apr 2020 14:06

It might be that the TrustServerCertificate connection option isn't set to True in some of the TMSConnection instances.

FredS
Posts: 208
Joined: Mon 10 Nov 2014 17:52

Re: TLS 1.2 + encrypt + prDirect + pooling

Post by FredS » Tue 07 Apr 2020 19:23

Stellar wrote:
Mon 06 Apr 2020 14:06
It might be that the TrustServerCertificate connection option isn't set to True in some of the TMSConnection instances.
With 'Sql Server Management Console' I can check 'Encrypt' add 'TrustServerCertificate=True' to the connection string and connect. This Query returns true:

Code: Select all

SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID
With UniDac v8.1.3, after making these changes:

Code: Select all

        Con.SpecificOptions.Values['SQL Server.Provider'] := 'prNativeClient';
        Con.SpecificOptions.Values['SQL Server.TrustServerCertificate'] := True.ToString;
        Con.SpecificOptions.Values['SQL Server.Encrypt'] := True.ToString;
I still get:

Code: Select all

EMSError with message 'SSL Provider: The certificate chain was issued by an authority that is not trusted.
If I change the code to:

Code: Select all

        Con.SpecificOptions.Values['SQL Server.Provider'] := 'prNativeClient';
        Con.SpecificOptions.Values['SQL Server.TrustServerCertificate'] := True.ToString;
        Con.SpecificOptions.Values['SQL Server.Encrypt'] := True.ToString;
        Con.Pooling := False;
I can connect and this Query returns true:

Code: Select all

SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID

Stellar
Devart Team
Posts: 359
Joined: Tue 03 Oct 2017 11:00

Re: TLS 1.2 + encrypt + prDirect + pooling

Post by Stellar » Wed 08 Apr 2020 08:22

Thank you for the information. We have fixed the issue, and the fix will be included in the next UniDAC build.

Post Reply