I'm using the library Devart.Data.PostgreSql (https://www.nuget.org/packages/Devart.Data.PostgreSql/) to interact with PostgreSQL from a C# application, but I run into problems when I try to connect to a PostgreSQL instance hosted in Azure that enforces TLS 1.2. From what I understand there is a problem with ciphers not being able to match during the handshake as I end up with this exception:

```
Devart.Data.PostgreSql.PgSqlException (0x80004005): Authentication failed in ssl mode. --->
Devart.Data.PostgreSql.PgSqlException (0x80004005): FIPS cipher suites are enforced for this
server. Please specify FIPS complying cipher suites in your SSL/TLS settings.
```

How can I identify which ciphers are available to me, and how can I control which ciphers to use? I see Microsoft has a list of ciphers it supports for this type of connection, so I assume I need to match one of these, but I'm at a loss as to how to control this in my application:

https://learn.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security#cipher-support-by-azure-database-for-postgresql-single-server

Øystein Kolsrud
  • It's not Devart, nor is TLS1.2 a new requirement. Major services started requiring TLS1.2 at least 5 years ago. Are you using an old version of Windows or .NET Framework? – Panagiotis Kanavos May 20 '21 at 08:46
  • I'm using .NET 4.8. But it works fine on other machines where I am enforcing TLS 1.2, so there seems to be something special about what Azure enforces on its PostgreSQL instances. – Øystein Kolsrud May 20 '21 at 08:48
  • What OS are you using? Have you tried connecting using Npgsql? This may be a Devart issue - either missing functionality or missing docs. Devart is a commercial product so if it lacks this functionality, or requires specific settings, it's the vendor that needs to fix this. [The Npgsql example in the docs](https://learn.microsoft.com/en-us/azure/postgresql/connect-csharp) doesn't use any special settings – Panagiotis Kanavos May 20 '21 at 08:57
  • Besides, the server and client negotiate to use the best available settings. If connection fails it's because they don't support the same settings at all. In this case it means the provider doesn't support or *doesn't allow the use* of those cipher suites. Which is ... interesting. Providers don't need to implement their own TLS, they can just use `SslStream` and use the built-in OS and .NET support – Panagiotis Kanavos May 20 '21 at 09:00
  • Npgsql for example [simply uses an SslStream](https://github.com/npgsql/npgsql/blob/main/src/Npgsql/Internal/NpgsqlConnector.cs#L775) without extra configuration. This means the OS's settings will be used. Certificates etc are used and configured for authentication, not establishing the actual connection – Panagiotis Kanavos May 20 '21 at 09:03
  • I can connect without any problems using Npgsql. – Øystein Kolsrud May 20 '21 at 10:16
  • This sounds like a deliberate product restriction. Devart produces commercial products and the NuGet page makes it clear this is only the runtime part of a larger product, dotConnect for PostgreSQL. [The Editions page](https://www.devart.com/dotconnect/postgresql/editions.html) makes it clear that the free Express edition doesn't support SSL/SSH. Have you bought a Devart license or are you trying to use the product "for free"? – Panagiotis Kanavos May 20 '21 at 10:35
  • We have licenses, and we are using the professional version. – Øystein Kolsrud May 20 '21 at 10:39
  • You can see the database server ciphers that are allowed with `SHOW ssl_ciphers;`. – Laurenz Albe May 20 '21 at 10:52
  • @LaurenzAlbe the ciphers are documented. It's the client that fails – Panagiotis Kanavos May 20 '21 at 11:11
  • Thanks for all the input! I've filed a support ticket with Devart, so let's see what they say. – Øystein Kolsrud May 20 '21 at 11:58
  • Looks like it works just fine with the latest version of the Devart drivers (7.20.1866) when I compile using .NET Core 3.1, but not when I use .NET Framework 4.8. – Øystein Kolsrud May 24 '21 at 07:07

1 Answer

  1. Full support of TLS 1.2 in SSL connections for .NET Standard (.NET Core) Projects was implemented in dotConnect for PostgreSQL v7.20.1860 01-Apr-21.

  2. With .NET Framework projects, use assemblies compiled for .NET Framework 4.7:

  • "C:\Program Files (x86)\Devart\dotConnect\PostgreSQL\NET4\Devart.Data.dll"
  • "C:\Program Files (x86)\Devart\dotConnect\PostgreSQL\NET4\Devart.Data.PostgreSql.dll"

Please select the "Do not install assemblies in the GAC" option in Setup Wizard. Otherwise, the runtime will use assemblies compiled for .NET Framework 2.0 from GAC.

Devart
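
The answer above depends on which copy of the Devart assemblies the runtime actually loads. The following is an added example, not part of the answer and not Devart code: a check for a .NET Framework application that reports whether any loaded `Devart.*` assembly was resolved from the GAC or was built against CLR 2.0. The class name `DevartAssemblyCheck` and method `Report` are hypothetical names chosen for this example.

```csharp
using System;
using System.Linq;
using System.Reflection;

// Added diagnostic, not Devart code. Call DevartAssemblyCheck.Report() from the
// .NET Framework application after it has opened (or tried to open) a connection,
// so that the Devart assemblies are already loaded into the AppDomain.
public static class DevartAssemblyCheck
{
    // Returns true when every loaded Devart.* assembly was loaded from outside
    // the GAC and targets the v4 CLR; false if none are loaded or any looks wrong.
    public static bool Report()
    {
        Assembly[] devart = AppDomain.CurrentDomain.GetAssemblies()
            .Where(a => !a.IsDynamic &&
                        a.GetName().Name.StartsWith("Devart.", StringComparison.OrdinalIgnoreCase))
            .ToArray();

        if (devart.Length == 0)
        {
            Console.WriteLine("No Devart.* assemblies loaded yet; connect first, then call Report().");
            return false;
        }

        bool ok = true;
        foreach (Assembly a in devart)
        {
            bool fromGac = a.GlobalAssemblyCache;   // true when resolved from the GAC
            bool clr2 = a.ImageRuntimeVersion.StartsWith("v2.", StringComparison.Ordinal);
            Console.WriteLine(a.FullName);
            Console.WriteLine("  location:      {0}", a.Location);
            Console.WriteLine("  from GAC:      {0}", fromGac);
            Console.WriteLine("  image runtime: {0}", a.ImageRuntimeVersion);
            if (fromGac || clr2)
            {
                ok = false;
                Console.WriteLine("  WARNING: not the NET4 build referenced by the project.");
            }
        }
        return ok;
    }

    // Stand-alone entry point; in a real application call Report() after connecting.
    public static void Main()
    {
        Environment.ExitCode = Report() ? 0 : 1;
    }
}
```

An assembly built for .NET Framework 2.0 reports an image runtime of `v2.0.50727`, while one built for .NET Framework 4.x reports `v4.0.30319`.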