tediousjs/tedious

[QUESTION]

eugenestepanyuk opened this issue · 2 comments

I have an api on nodejs and when I try to connect to the database I get an error: "(node:14320) [DEP0123] DeprecationWarning: Setting the TLS ServerName to an IP address is not permitted by RFC 6066. This will be ignored in a future version.
(Use node --trace-deprecation ... to show where the warning was created)
Failed to connect to ip:port - F8510000:error:0A00014D:SSL routines:tls_process_key_exchange:legacy sigalg disallowed or unsupported:c:\ws\deps\openssl\openssl\ssl\statem\statem_clnt.c:2263:"

My connection:

export default new Sequelize({
  dialect: "mssql",
  database: environment.database.database,
  host: environment.database.host,
  port: environment.database.port,
  username: environment.database.username,
  password: environment.database.password,
  logging: !environment.production ? console.log : false,
  dialectOptions: {
    options: {
      // encrypt: false,
      enableArithAbort: true,
      cryptoCredentialsDetails: {
        minVersion: "TLSv1",
      },
    },
  },
  define: {
    freezeTableName: true,
    timestamps: false,
  },
});

The connection was initially without encrypt in dialectOptions, I found information on the Internet if you make encrypt: false then the problem may disappear, if I uncomment this line the problem really disappears
The question is, how safe and generally normal is it to do so? Could you suggest other solutions to the error?

upd. this error started to occur after updating nodejs from version 16 to 19

Hey @eugenestepanyuk,

DeprecationWarning: Setting the TLS ServerName to an IP address is not permitted by RFC 6066.

That is just a warning. We'll be working on fixing this, but I'm assuming you are connecting by specifying an IP address for the environment.database.host?

Failed to connect to ip:port - F8510000:error:0A00014D:SSL routines:tls_process_key_exchange:legacy sigalg disallowed or unsupported:c:\ws\deps\openssl\openssl\ssl\statem\statem_clnt.c:2263:"

This is the actual error you are encountering. Node.js has tightened the requirements around certificates and what it accepts as a valid certificate by default, and tedious just uses the Node.js defaults.

Have you set up a custom certificate on the SQL Server you're connecting to?

  • If yes, this error means the certificate you set up is not secure enough.
  • If not, the certificate generate by default by SQL Server is not secure enough.

When you install SQL Server, it generates a default certificate. If I remember correctly, this default certificate is using the SHA1 algorithm, which is no longer deemed secure enough. If you have replaced that certificate after SQL Server installation, most likely you also replaced it with a SHA1 based certificate, which again is no longer secure enough.

The recommended approach would be to work with your SQL Server administrator to set up a more secure certificate. You can check out https://github.com/tediousjs/tedious/blob/master/.github/workflows/nodejs.yml#L249-L275 to see how we do this in an automated fashion via PowerShell during the tedious CI builds, but there's also documentation online that describes how to set up either a proper or self signed certificate.

Other not-so-recommended approaches involve either lowering the Node.js security settings to allow these unsecure certificates (which means the encryption becomes more or less useless) or to disable encryption altogether. Both of these mean that a bad actor with access to your network can get access to the credentials you use to connect to your SQL Server instance. Whether that's an issue or not is for you to decide.

That is just a warning. We'll be working on fixing this, but I'm assuming you are connecting by specifying an IP address for the environment.database.host?

yes, I use the IP address in environment.database.host to be able to connect to the database not only locally

Have you set up a custom certificate on the SQL Server you're connecting to?

to be honest, I don’t even know, I didn’t install certificates, most likely there is some kind of default
I understand that you need to install a secure certificate on the sql server itself?