
List:       freetds
Subject:    Re: [freetds] How to have a better control on how the tds use the openssl?
From:       Rick Qing Xu via FreeTDS <freetds () lists ! ibiblio ! org>
Date:       2019-01-09 17:44:48
Message-ID: DM5PR21MB07649CC1323ED3B05D1FB98ECF8B0 () DM5PR21MB0764 ! namprd21 ! prod ! outlook ! com

Sounds good!

When do you think it can be added? I am available for helping too.



Sent from Outlook
________________________________
From: Frediano Ziglio <freddy77@gmail.com>
Sent: Wednesday, January 9, 2019 7:54:29 AM
To: Rick Qing Xu
Cc: FreeTDS Development Group
Subject: Re: [freetds] How to have a better control on how the tds use the openssl?

Hi,
   now I get the intention. It's a very specific case. libTDS is more
focused on working clients, not security tools. I would add a callback
for OpenSSL specifically for this purpose, maybe after tds_ssl_init,
all in src/tds/login.c.
If you are using libTDS directly you can access whatever field in the
TDSSOCKET structure; probably you'll need to change/tune
conn->tls_session and conn->tls_ctx.

Frediano

On Mon 7 Jan 2019 at 19:16 Rick Qing Xu
<qinx@microsoft.com> wrote:
> 
> Yes. We want to detect which one supports bad protocols so we can ask people to
> stop using them. So we want to specify which protocol to use instead of having the
> system choose for us.
> I am not actually using dblib, ctlib and odbc. I am using libtds directly.
> 
> Do you think we can add some TLS protocol parameter somewhere?
> 
> -----Original Message-----
> Hi Rick,
> SSL 3.0?? I think it was declared insecure some time ago; some people are
> disabling TLSv1.0 already.
> Newer OpenSSL provides a "MinProtocol" setting. A similar property would be
> good to have in libTDS too.
> About the callback, it can be done. I would add a parameter to specify the SSL
> library kind (currently OpenSSL or GnuTLS). Which library are you
> using? dblib, ctlib or odbc?
> 
> Frediano
> -----Original Message-----
> From: FreeTDS <freetds-bounces@lists.ibiblio.org> On Behalf Of Rick Qing Xu via FreeTDS
> Sent: Tuesday, December 18, 2018 10:35 AM
> To: Frediano Ziglio <freddy77@gmail.com>; FreeTDS Development Group <freetds@lists.ibiblio.org>
> Cc: Rick Qing Xu <qinx@microsoft.com>
> Subject: Re: [freetds] How to have a better control on how the tds use the openssl?
> 
> The actual issue is:
> 
> 1. I'd like to set the TLS version to SSL 3.0 or TLS 1.2 before the handshake,
> instead of letting the system choose for me. Disabling TLS 1 will end up with two
> possibilities, TLS 1.1 and TLS 1.2. In my case, it has to be very specific: my
> client only wants to negotiate on TLS 1.1 or even SSLv3. It would be better if we
> could have a TLS version parameter in the TDSLOGIN structure.
> 
> 2. The tds lib doesn't give me a chance to call SSL_set_tlsext_host_name and
> SSL_set_tlsext_status_type before the TLS handshake happens. If it can provide a
> callback mechanism, e.g., called just before it starts the handshake, it would be
> helpful.
> -----Original Message-----
> From: Frediano Ziglio <freddy77@gmail.com>
> Sent: Tuesday, December 18, 2018 10:19 AM
> To: FreeTDS Development Group <freetds@lists.ibiblio.org>
> Cc: Rick Qing Xu <qinx@microsoft.com>
> Subject: Re: [freetds] How to have a better control on how the tds use the openssl?
> 
> On Sat 15 Dec 2018 at 09:36 Rick Qing Xu via FreeTDS
> <freetds@lists.ibiblio.org> wrote:
> > 
> > Hi FreeTDS team,
> > 
> > I am new to the TDS community and hi to everyone. I am working on a project doing
> > in-depth detection of encryption characteristics of the SQL TDS protocol. For
> > example, by only talking to the server through the network on the TDS protocol, I
> > want to detect which TLS versions the server supports, what cipher suites are
> > supported and what their order is. In that case, I need to have finer control
> > over which TLS version is going to be used.
> > Usually I need to call SSL_CTX_set_verify before the handshake starts to trust
> > all kinds of server certificates. In addition, I'd like to use
> > SSL_set_tlsext_host_name to control whether to use the Server Name Indication
> > extension in the handshake. Another example is that I want to call
> > SSL_set_tlsext_status_type before the handshake to ask the server to send back an
> > OCSP status response to me.
> > After reading tls.c in the tds project, the tds_init_openssl()
> > function <https://github.com/FreeTDS/freetds/blob/513ed1a7dd5ed3be866407a2ef50d8dea3664943/src/tds/tls.c#L729>
> > actually hardcodes the TLS method to be TLS_client_method, which is the
> > general-purpose version-flexible SSL/TLS method. The actual protocol version
> > used will be negotiated to the highest version mutually supported by the client
> > and the server. The supported protocols are TLSv1, TLSv1.1 and TLSv1.2.
> > I can see that now I can control which ciphers get used by setting
> > tds->login->openssl_ciphers to whatever I need to satisfy the cipher suite requirement.
> > Can you give me advice on how to do it in existing code? If not in existing code,
> > I am very happy to write some code to implement that in the tds project.
> > Thanks!
> > 
> > Rick Qing Xu
> > 
> > https://github.com/qinxgit
> > 
> 
> Hi,
> I think you got everything right. You can set openssl_ciphers through the "openssl
> ciphers" setting. In master there's an option to disable TLSv1 (which for
> compatibility is enabled by default). It would be great to have the same settings for
> GnuTLS/OpenSSL (the "openssl ciphers" setting is only available with OpenSSL).
> Frediano
> _______________________________________________
> FreeTDS mailing list
> FreeTDS@lists.ibiblio.org
> https://lists.ibiblio.org/mailman/listinfo/freetds
> 
_______________________________________________
FreeTDS mailing list
FreeTDS@lists.ibiblio.org
https://lists.ibiblio.org/mailman/listinfo/freetds
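The thread's point is that tds_init_openssl() uses the version-flexible TLS_client_method(), so the handshake lands on the highest version both sides support, and only a "MinProtocol"-style setting (or the "disable tls v1" option) lets the client refuse a weak one. The following is an added example, not FreeTDS code: it models that selection rule with a hypothetical `tds_tls_policy` struct standing in for the TDSLOGIN field the thread proposes; the version codes are chosen to equal OpenSSL's TLS1_VERSION..TLS1_2_VERSION so a result maps directly onto SSL_set_min_proto_version()/SSL_set_max_proto_version().

```c
#include <stddef.h>
#include <string.h>

/* Numeric codes equal to OpenSSL's TLS1_VERSION, TLS1_1_VERSION, TLS1_2_VERSION. */
enum { TLS1_0_V = 0x0301, TLS1_1_V = 0x0302, TLS1_2_V = 0x0303 };

/* Hypothetical TDSLOGIN fields (assumed for this example, not in libTDS).
 * 0 means "library default", i.e. whatever TLS_client_method() offers. */
struct tds_tls_policy {
    int min_version;
    int max_version;
    int disable_tls1;   /* the "disable tls v1" option mentioned for master */
};

/* Map a freetds.conf-style string ("1.0", "1.1", "1.2") to a version code.
 * Anything else, including "3.0", yields 0: libTDS only drives
 * TLSv1..TLSv1.2 through OpenSSL, so SSLv3 is not a valid request. */
int tds_tls_version_from_string(const char *s)
{
    if (strcmp(s, "1.0") == 0) return TLS1_0_V;
    if (strcmp(s, "1.1") == 0) return TLS1_1_V;
    if (strcmp(s, "1.2") == 0) return TLS1_2_V;
    return 0;
}

/* Effective range the client offers: TLS_client_method() alone gives
 * TLSv1..TLSv1.2; "disable tls v1" raises the floor; an explicit policy narrows
 * further. Returns 0 when the range is empty (min above max). */
static int effective_range(const struct tds_tls_policy *p, int *lo, int *hi)
{
    *lo = p->min_version ? p->min_version : TLS1_0_V;
    *hi = p->max_version ? p->max_version : TLS1_2_V;
    if (p->disable_tls1 && *lo < TLS1_1_V) *lo = TLS1_1_V;
    return *lo <= *hi;
}

/* Outcome of a version-flexible handshake against a server that supports the
 * listed versions: the highest version inside the client's range, or 0 when the
 * client has to refuse the connection (no mutually acceptable version). */
int tds_tls_negotiate(const struct tds_tls_policy *p, const int *server, size_t n)
{
    int lo, hi, best = 0;
    size_t i;
    if (!effective_range(p, &lo, &hi)) return 0;
    for (i = 0; i < n; i++)
        if (server[i] >= lo && server[i] <= hi && server[i] > best)
            best = server[i];
    return best;
}
```

With the default policy a server that only speaks TLS 1.0 is accepted silently; setting min_version to TLS1_2_V, or disable_tls1, turns that into a refused handshake, and min_version == max_version pins a single version as Rick wants for probing.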

