denisenkom / pytds

Python DBAPI driver for MSSQL using pure Python TDS (Tabular Data Stream) protocol implementation


TLS EncryptedSocket timeout error

radyz opened this issue · comments

I've been trying to get TLS to work with SQL in Azure. I ran into this issue when I pass in:

cafile = '/etc/ssl/certs/ca-certicates.crt'
validate_host = False

Then the following error is raised:

  File "/home/vagrant/.virtualenvs/project/lib/python2.7/site-packages/pytds/tds.py", line 1209, in commit
    prev_timeout = self._tds.sock.gettimeout()
AttributeError: 'EncryptedSocket' object has no attribute 'gettimeout'

I tracked it down and it looks like all references to gettimeout and settimeout are being done against the EncryptedSocket object rather than the transport property. I added pass-through methods to avoid breaking further code, but that seemed to correct the errors and I could connect successfully to Azure.
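A sketch of the pass-through approach described in the post above, added here as an illustration and not pytds's actual code: the class names, the `_transport` attribute and the `run_with_timeout` helper are assumptions, and a local socket pair stands in for the server connection.

```python
import socket


class BareEncryptedSocket:
    """Constructed stand-in for a TLS wrapper that only exposes I/O calls."""

    def __init__(self, transport):
        self._transport = transport  # hypothetical attribute name

    def sendall(self, data):
        return self._transport.sendall(data)

    def recv(self, bufsize):
        return self._transport.recv(bufsize)


class PassThroughEncryptedSocket(BareEncryptedSocket):
    """Same wrapper, with timeout calls forwarded to the underlying socket."""

    def gettimeout(self):
        return self._transport.gettimeout()

    def settimeout(self, timeout):
        self._transport.settimeout(timeout)


def run_with_timeout(sock, timeout, action):
    """Save, override and restore the timeout, as the call in the traceback does."""
    prev_timeout = sock.gettimeout()
    sock.settimeout(timeout)
    try:
        return action(sock)
    finally:
        sock.settimeout(prev_timeout)


def demo():
    a, b = socket.socketpair()  # constructed local pair, no network needed
    try:
        a.settimeout(5.0)
        results = {}
        try:
            run_with_timeout(BareEncryptedSocket(a), 0.5, lambda s: None)
            results["bare"] = "ok"
        except AttributeError as exc:  # the failure mode from the report
            results["bare"] = str(exc)
        wrapped = PassThroughEncryptedSocket(a)
        results["during"] = run_with_timeout(wrapped, 0.5, lambda s: s.gettimeout())
        results["after"] = wrapped.gettimeout()  # restored to the original value
        return results
    finally:
        a.close()
        b.close()
```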

Hi @radyz , I'm trying to connect to an Azure SQL database too using pytds. Where can I get the certificate to pass on the cafile parameter? I've been using a certificate I downloaded using openssl s_client -showcerts -connect <host>:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >dbcertfile.pem but no luck so far. It fails saying Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]

I managed to connect with

cafile = '/etc/ssl/certs/ca-certicates.crt'
validate_host = False

Thanks @radyz for your response! I was able to find that the specific certificate needed is Baltimore CyberTrust Root. Don't know if it is specific for this case or can be applied in other situations.

By setting validate_host=False you make yourself vulnerable to a MitM attack. Anyone can generate a valid certificate using Let's Encrypt or a similar service. Such a certificate would pass validation if host validation is disabled.
So why have you disabled host validation?

Hi @denisenkom ! If I use validate_host=True, the same certificate no longer works. It throws
Exception: Certificate does not match host name 'redacted_host_name.database.windows.net'
when trying to connect. Any thoughts on how to make it work with validate_host=True?

I can't get it to work with validate_host=False either... I get an error with an empty error stack in line 349 of __init__ (using Baltimore with validate_host=False)

[]
Traceback (most recent call last):
File "", line 83, in main
File "/mnt/resource/hadoop/yarn/local/usercache/livy/appcache/application_1517595982363_0023/spark-83135427-a696-4ceb-b5c8-7e0a9bd3380b/userFiles-93bfbaa9-1b52-4ed7-8a1d-bdea6a1f01db/pytds.zip/pytds/__init__.py", line 1196, in connect
conn._open()
File "/mnt/resource/hadoop/yarn/local/usercache/livy/appcache/application_1517595982363_0023/spark-83135427-a696-4ceb-b5c8-7e0a9bd3380b/userFiles-93bfbaa9-1b52-4ed7-8a1d-bdea6a1f01db/pytds.zip/pytds/__init__.py", line 349, in _open
raise last_error
Error: []

Hi @ahmedpopal456 , have you tried installing pytds package from the master branch instead of using the latest release 1.9.0? In my case I had to do so because of the bug in this thread.

Will try to do that now! @eydelrivero, will let you know what the results are! Kudos

New version is uploaded to pypi - 1.9.1 with a fix, kudos to @radyz