Hello 👋
With the introduction of TDS 8.0, a new Encrypt option is introduced: "Strict". This option forces encryption to take place directly after opening the TCP socket, i.e. before `Connection::<S>::prelogin(..)`. After this, no encryption should be negotiated.

What needs to be done:

- Add `tds80` feature
- Add compile error if the `tds80` feature is enabled without any of the supported TLS features also enabled
- Add `Strict` option to `EncryptionLevel`
- Negotiate TLS before `prelogin`
- Update connection string parser to allow `strict` instead of just `true`/`false`
- (opt) Max TLS version should probably be set to `Tls12` in the `create_tls_stream` implementations when `tds80` is not enabled, as TDS 7.x explicitly states that TLS 1.2 is the highest version supported.
https://winprotocoldoc.z19.web.core.windows.net/MS-TDS/%5bMS-TDS%5d-260223.pdf
Additional ref: https://learn.microsoft.com/en-us/sql/relational-databases/security/networking/tds-8?view=sql-server-ver16
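Added example (not code from the issue author or from the crate): a small Rust model of the connect-phase ordering the issue describes. `EncryptionLevel::Strict`, `Step`, `PlanError`, `parse_encrypt`, `plan_handshake` and `tls_before_prelogin` are illustrative names, not the crate's API. It parses the `Encrypt=` connection-string value (`true`/`false` plus the new `strict`), refuses `strict` when TDS 8.0 support is not compiled in (the issue asks for a compile-time error; the model makes it a runtime one), puts the TLS handshake before PRELOGIN only in strict mode, marks that PRELOGIN must not renegotiate encryption, and caps TLS at 1.2 for non-TDS-8.0 builds.

```rust
// Added example, not the crate's own code. All names are assumptions for illustration.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum EncryptionLevel {
    Off,
    On,
    NotSupported,
    Required,
    /// TDS 8.0: TLS is established right after the TCP connect, before PRELOGIN.
    Strict,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum TlsVersion {
    Tls12,
    Tls13,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Step {
    TcpConnect,
    TlsHandshake { max_version: TlsVersion },
    /// `negotiate_encryption` says whether the PRELOGIN exchange may still switch
    /// TLS on afterwards. In strict mode TLS is already up, so it must not.
    Prelogin { negotiate_encryption: bool },
    Login,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum PlanError {
    /// `Encrypt=strict` requested, but the build has no TDS 8.0 support.
    StrictNeedsTds80,
    UnknownEncryptValue(String),
}

/// Parse the `Encrypt=` connection-string value: true/false plus the new `strict`.
pub fn parse_encrypt(value: &str) -> Result<EncryptionLevel, PlanError> {
    match value.trim().to_ascii_lowercase().as_str() {
        "true" | "yes" => Ok(EncryptionLevel::Required),
        "false" | "no" => Ok(EncryptionLevel::Off),
        "strict" => Ok(EncryptionLevel::Strict),
        other => Err(PlanError::UnknownEncryptValue(other.to_string())),
    }
}

/// Order of the connect phase for a given encryption level.
/// `tds80_enabled` stands in for the proposed `tds80` cargo feature.
pub fn plan_handshake(level: EncryptionLevel, tds80_enabled: bool) -> Result<Vec<Step>, PlanError> {
    // TDS 7.x states TLS 1.2 is the highest supported version; only a TDS 8.0 build offers 1.3.
    let max_version = if tds80_enabled { TlsVersion::Tls13 } else { TlsVersion::Tls12 };

    match level {
        EncryptionLevel::Strict => {
            if !tds80_enabled {
                return Err(PlanError::StrictNeedsTds80);
            }
            // Strict: TLS first, then PRELOGIN inside the tunnel, nothing left to negotiate.
            Ok(vec![
                Step::TcpConnect,
                Step::TlsHandshake { max_version },
                Step::Prelogin { negotiate_encryption: false },
                Step::Login,
            ])
        }
        // TDS 7.x: PRELOGIN in the clear, TLS only if negotiated there.
        EncryptionLevel::On | EncryptionLevel::Required => Ok(vec![
            Step::TcpConnect,
            Step::Prelogin { negotiate_encryption: true },
            Step::TlsHandshake { max_version },
            Step::Login,
        ]),
        EncryptionLevel::Off | EncryptionLevel::NotSupported => Ok(vec![
            Step::TcpConnect,
            Step::Prelogin { negotiate_encryption: true },
            Step::Login,
        ]),
    }
}

/// Check used by the example: does TLS come up before PRELOGIN is sent?
pub fn tls_before_prelogin(plan: &[Step]) -> bool {
    let tls = plan.iter().position(|s| matches!(s, Step::TlsHandshake { .. }));
    let pre = plan.iter().position(|s| matches!(s, Step::Prelogin { .. }));
    matches!((tls, pre), (Some(t), Some(p)) if t < p)
}

fn main() {
    for (value, tds80) in [("strict", true), ("strict", false), ("true", false), ("false", true)] {
        let level = parse_encrypt(value).expect("known Encrypt value");
        println!("Encrypt={value}, tds80={tds80}: {:?}", plan_handshake(level, tds80));
    }
}
```

Running `main` shows the strict plan with TLS ahead of PRELOGIN, the strict-without-`tds80` case rejected, and the TDS 7.x plans with TLS (if any) after PRELOGIN and capped at 1.2.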