We are using v6.9.9 of the .Net MySql Connector to access MySql using this connection string, specifying that SSL is required.
Server=myServerAddress;Database=myDataBase;Uid=myUsername;Pwd=myPassword;
SSL Mode=Required
Our DBA has turned on support for SSL, but during my testing, I am able to connect to the server regardless of whether I have certificates installed on my machine, and also regardless of whether I have "SSL Mode=Required" or not.
However, when my DBA disabled SSL, if I use the above connection string, I got an error that SSL was not enabled.
Therefore, I really just don't know if my network traffic is being encrypted or not. How can I verify?
--
My question is a bit of a duplicate to this one with no accepted answer.
How to check whether a MySQL connection is SSL encrypted?
Some recommend using WireShark to test. Does anyone have step-by-step instructions on how to use this tool to verify my SSL connections?
--
This link talks about calling "status" from the MySql client.
https://dba.stackexchange.com/questions/36776/how-can-i-verify-im-using-ssl-to-connect-to-mysql
I asked my DBA to try it - but he isn't able to call that method against my connection, only against his local connection. Is there anyway to call this, for example, within my c# code?
I tried this, but I don't think the returned values tell me if the connection is SSL or not.
SHOW SESSION STATUS LIKE '%Ssl%';
Anyone with detailed information on how to verify my SSL connections would be greatly appreciated! Thank you!
Didn't work a lot with databases, but network/wireshark expertise is enough for you task. So what should you do:
Prepare capture setup using this tutorial
Start sniffing network with wireshark and perform some queries to your database
Filter traffic by database IP-address and/or port using display filter, so irrelevant packets aren't shown
Examine displayed packets. Compare them to sample of MySQL over TCP and to sample of MySQL over SSL. Hint: you can see queries as a plain text in unprotected connection, while SSL makes packet payload look like bunch of random garbage.
Related
I have a winforms C# application which will have to send and receive information securely from a remote SQL Server. At the moment I've just tested it with the database on my machine using the inbuilt classes e.g. SqlConnection.
I need to connecting my program to a remote SQL Server, execute queries against it. Both computers are under my organisation's control, although the remote workers are off-site and may be using a 3G connection.
One option is to connect the two computers using a VPN, and then presumably the other computer is visible as if it was on the same network, then I can use my connection string as I have been doing so far, perhaps putting in the IP address. However the IT support people are grumbling about setting up VPNs.
I have heard of TLS/SSL but never used this before. Can i use it to send sql queries to a SQL Server directly?
The SSL connectivity for SQL Server is encrypting the server socket connection. With SQL Server, a temp certificate is created each time you start the SQL Server. On the client side, you let the client accept any certificate, and this ensures your socket is encrypted (still open to Man in the Middle attack). You can also use your own signed certificate on both sides for the SSL connection. The DBA's set this up, and there's nothing special to do on your end, other than possibly setting up your own certificate and changing the connection string.
MSDN Using SSL Encryption
Typically, the datacenters (or host-host) are connected via private lan / VPN tunneling, which is also encrypted, and in this case, it would be a second layer of protection. If you have a VPN, you could probably get away with the Servers built in SSL certificate. That saves you the work of having to maintain the certificates each year.
Our C# Web application connects to a remote oracle database using the Oracle.DataAccess.Client
I would like to know if the query results are encrypted in transit. I don't see anything the connection string that would indicate that it is an option. Perhaps it is standard, but I don't know.
I need to prepare a document that includes the security considerations of all communications in and out of the system, but am unsure about this one. I appreciate any help with this.
Thanks
By default, database connection and results are not encrypted and secured . You need to turn on SSL (and add other mechanism like access control and monitoring) to keep the connection secure.
Here is how you turn on SSL on Oracle and apply other settings - http://docs.oracle.com/cd/B28359_01/server.111/b28337/tdpsg_network_secure.htm#i1009371
here is a nice discussion on the same topic -
https://security.stackexchange.com/questions/14334/when-is-it-appropriate-to-ssl-encrypt-database-connections
I've noticed that if I don't supply a port when I build a connection string I can still connect to SQL Server via a named instance that looks like [SERVER][INSTANCE_NAME].
Is sqlclient automatically gathering the port number for me? Do I have to concern myself with port number even if the instance is the default instance?
I'm sorry if this question seems novice. Google just hasn't turned anything up for me.
Thank you!
One thing to keep in mind though is that if you have multiple instances of SQL Server installed on the same computer, then each instance will use a different, random port number (although, a specific port number can be specified using the SQL Server Configuration Manager, right-click on the service & select Properties).
If you're connecting via the instance name though, and the SQL Server Browser service is running, it will redirect all requests to the appropriate ports automatically.
Another thing to keep in mind, is that the Express Edition (i.e. the free version) of SQL Server doesn't enable the TCP/IP protocol by default. I know this is the behaviour with older versions of SQL Server, but this may have changed in newer versions.
Well usually the default port that SQL Server listens on is 1433 so you dont need to specify the port number in the connection string.
There is a nice article that gives some more info on the subject:
http://benchmarkitconsulting.com/colin-stasiuk/2009/02/02/what-tcp-port-is-sql-server-running-under/
What is the simplest way to create a client application(in c++/c#) to communicate with the SQL Server?
Since Iam a new-bie and very eager to know how this Database server is managing its connections, requests and responses. I have tried TELNET with the following command assuming that, I can open the connection and write to it.
TELNET <server> <port>
But the command ends up with a black screen only.
Please provide your comments as well as any helpful links.
Playing with HTTP connections was fun, since there was web-browser inspectors(like firebug) to help me:), but here I think things are much difficult & different, (Or if such a tool exists to log TCP connections?)
TDS, the protocol used by SQL Server, is not similar to HTTP or SMTP in that the commands are not sent via text, making it not terribly amenable to usage over TELNET. There's not any easy equivalent to:
GET / HTTP/1.1
There's some documentation on TDS here (from Microsoft), here (from JTDS, a JDBC driver for Sybase and SQL Server), and here (from FreeTDS) if you want to dig into it. If you want to observe the raw packet data, just use some sort client as Jirka Hanika recommended and use Wireshark or another packet-capture tool to observe the data.
Ultimately, if you want to learn something about network protocols, then maybe this worth playing with, but if you want to learn about SQL Server and relational database internals, there are much better places to start than with the network transfer layer, which are incidental to the actual function of databases.
For C#, look here. For C++, look here.
Make sure that you are freeing the database connection after use.
I have developed a software for a company. For some kind of licensing purpose i am using a remote database to allow/disallow usage of the software. This task is applied every time the user logs into the software. If the internet connection does not exist or the query to the remote database fails, the user gets an error and he can not log into the software and shows the remote database http address (which i dont want him to see, if he carefully read the error)
What i want to know is any way of doing the same procedure, but if the remote database query fails or internet connection is not available, it should bypass the check for the time being, and upon next login try, same procedure is followed. So that my client should not know about this licensing stuff.
How to check the internet connectivity (LAN, WiFi, Dialup or whatever the user is using) before creating a query to the remote database.
Proposed methods:
Ping my remote database server IP.
This Question by Michel
Regarding results what i achieved from Michel' question is no stable solution.
Why not just try to perform a very cheap query on the database? Indeed, you could create a stored procedure for exactly this purpose - it might even give some version information back, etc.
After all, the important thing isn't whether a ping works, or whether the client can go to other machines: the important thing is whether you can talk to the database or not. So test exactly that.
As for what error message is presented to the user - surely that's under your control, so make sure you give appropriate information.
try this:
Check Internet Connection
I'm not sure whether trying to open a connection to your server and catching an exception without visible feedback will work or not in C#, but are you sure you want to use this method to deal with licensing? It strikes me that not only is it very easy to discover (for example a personal firewall will flag the connection) it's also very easy to defeat.
Additionally, what happens if the user's computer isn't connected to the internet? Unlikely, I know, but it can happen, and your licensing scheme is defeated with no conscious effort on the user's part.
you can also try this
C# - Check internet connection