SNOW-960386: RevocationStatusUnknown even with InsecureMode #806

Closed
TimoVink opened this issue Nov 4, 2023 · 5 comments

TimoVink commented Nov 4, 2023

Issue

Hi all. I'm seeing this odd behaviour with v2.1.2 of the library:

If I set insecuremode=true my requests fail due to RevocationStatusUnknown.
If I set insecuremode=false my requests succeed.

My expectation would be that insecuremode disables revocation status checking, so my observations are the exact inverse of what I would expect.

Debugging

I did some digging and what looks suspicious to me is the following line, where the HttpClientConfig is being constructed:

return new HttpClientConfig(
insecureMode,
proxyProperties.proxyHost,

Note that the first parameter being passed is insecureMode, but the first argument of that ctor is called crlCheckEnabled:

public HttpClientConfig(
bool crlCheckEnabled,
string proxyHost,

My expectation would be that insecuremode would disable CRL checks, so it sounds to me like this boolean should be negated.

That being said, this is my first time looking at the code base so perhaps I'm simply fundamentally misunderstanding something here. Much appreciated if someone could take a look, thanks!


Please answer these questions before submitting your issue.
In order to accurately debug the issue this information is required. Thanks!

1. What version of .NET driver are you using?
Snowflake.Data v2.1.2

2. What operating system and processor architecture are you using?
Windows 10 x64

3. What version of .NET framework are you using?
E.g. .net framework 4.5.2 or .net standard 2.0
.NET 7.0

4. What did you do?
Tried connecting to Snowflake, had some issues with our corporate firewall so I set InsecureMode to true but no luck. After enabling debug logs and doing some step-through debugging I see that insecuremode is definitely set to true, but the connection still fails due to revocation status checking.

5. What did you expect to see?
Successful connection

6. Can you set logging to DEBUG and collect the logs?
Relevant snippet of logs. Note the error is listed as RevocationStatusUnknown.

2023-11-03 18:40:37,647 [4] DEBUG Snowflake.Data.Client.SnowflakeDbConnection - Open Connection Async.
2023-11-03 18:40:37,654 [4] DEBUG Snowflake.Data.Client.SnowflakeDbConnectionPool - SnowflakeDbConnectionPool::GetSession
2023-11-03 18:40:37,655 [4] DEBUG Snowflake.Data.Core.Session.SessionPoolSingleton - SessionPool::GetSession
2023-11-03 18:40:37,663 [4] INFO Snowflake.Data.Core.SFSessionProperties - Start parsing connection string.
2023-11-03 18:40:37,674 [4] DEBUG Snowflake.Data.Core.SFSessionProperties - Sesssion property PORT set to default value: 443
2023-11-03 18:40:37,675 [4] DEBUG Snowflake.Data.Core.SFSessionProperties - Sesssion property SCHEME set to default value: https
2023-11-03 18:40:37,676 [4] DEBUG Snowflake.Data.Core.SFSessionProperties - Sesssion property CONNECTION_TIMEOUT set to default value: 120
2023-11-03 18:40:37,676 [4] DEBUG Snowflake.Data.Core.SFSessionProperties - Sesssion property AUTHENTICATOR set to default value: snowflake
2023-11-03 18:40:37,676 [4] DEBUG Snowflake.Data.Core.SFSessionProperties - Sesssion property VALIDATE_DEFAULT_PARAMETERS set to default value: true
2023-11-03 18:40:37,677 [4] DEBUG Snowflake.Data.Core.SFSessionProperties - Sesssion property USEPROXY set to default value: false
2023-11-03 18:40:37,677 [4] DEBUG Snowflake.Data.Core.SFSessionProperties - Sesssion property DISABLERETRY set to default value: false
2023-11-03 18:40:37,677 [4] DEBUG Snowflake.Data.Core.SFSessionProperties - Sesssion property FORCERETRYON404 set to default value: false
2023-11-03 18:40:37,677 [4] DEBUG Snowflake.Data.Core.SFSessionProperties - Sesssion property CLIENT_SESSION_KEEP_ALIVE set to default value: false
2023-11-03 18:40:37,677 [4] DEBUG Snowflake.Data.Core.SFSessionProperties - Sesssion property FORCEPARSEERROR set to default value: false
2023-11-03 18:40:37,677 [4] DEBUG Snowflake.Data.Core.SFSessionProperties - Sesssion property BROWSER_RESPONSE_TIMEOUT set to default value: 120
2023-11-03 18:40:37,677 [4] DEBUG Snowflake.Data.Core.SFSessionProperties - Sesssion property MAXHTTPRETRIES set to default value: 7
2023-11-03 18:40:37,678 [4] DEBUG Snowflake.Data.Core.SFSessionProperties - Sesssion property INCLUDERETRYREASON set to default value: true
2023-11-03 18:40:37,678 [4] DEBUG Snowflake.Data.Core.SFSessionProperties - Sesssion property DISABLEQUERYCONTEXTCACHE set to default value: false
2023-11-03 18:40:37,681 [4] DEBUG Snowflake.Data.Core.HttpUtil - Http client not registered. Adding.
2023-11-03 18:40:37,696 [4] DEBUG Snowflake.Data.Core.SFSession - Open Session
2023-11-03 18:40:37,839 [4] DEBUG Snowflake.Data.Core.RestRequester - Executing:  POST https://np54715.eu-west-1.snowflakecomputing.com/session/v1/login-request?warehouse=&databaseName=warehouse_local&schemaName=tvink_ims_data&roleName=&requestId=511107bd-29e1-4dd9-9fed-2eb01e8e5de8&request_guid=ef6e8a69-ca06-48b1-802f-54a7a8df78dd HTTP/1.1
2023-11-03 18:40:37,844 [4] DEBUG Snowflake.Data.Core.HttpUtil+RetryHandler - Http request timeout : 00:00:16
2023-11-03 18:40:37,845 [4] DEBUG Snowflake.Data.Core.HttpUtil+RetryHandler - Rest request timeout : 00:02:00
2023-11-03 18:40:38,412 [6] WARN Snowflake.Data.Core.HttpUtil+RetryHandler - Error occurred during request, retrying...
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: RevocationStatusUnknown

7. What is your Snowflake account identifier, if any? (Optional)
N/A

TimoVink added the bug label Nov 4, 2023
github-actions bot changed the title from "RevocationStatusUnknown even with InsecureMode" to "SNOW-960386: RevocationStatusUnknown even with InsecureMode" Nov 4, 2023

TimoVink commented Nov 4, 2023

Doing some more digging, it looks like this may have been accidentally introduced as part of a refactor.

In the following commit you can see the first argument to the HttpClientConfig used to be !InsecureMode, which matches my expectations.

4cf73d4#diff-c36410e4608c5d3a815bdfa7327569a75af2ead26f4e5e67ab0f5f421120f6bdL171-L175
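
A minimal reproduction of the inverted flag described in the two comments above, added here as an illustration and not taken from the issue or the driver's source. The HttpClientConfig class is a two-parameter stand-in for the constructor quoted in the issue, and BuildReported, BuildIntended and ToHandler are hypothetical names; it also assumes the flag ends up on HttpClientHandler.CheckCertificateRevocationList.

```csharp
using System;
using System.Net.Http;

// Hypothetical stand-in for the driver's config type: only the first two
// constructor parameters quoted in the issue are modelled here.
public sealed class HttpClientConfig
{
    public bool CrlCheckEnabled { get; }
    public string ProxyHost { get; }

    public HttpClientConfig(bool crlCheckEnabled, string proxyHost)
    {
        CrlCheckEnabled = crlCheckEnabled;
        ProxyHost = proxyHost;
    }
}

public static class InsecureModeDemo
{
    // As reported for v2.1.2: insecureMode is passed positionally, un-negated.
    public static HttpClientConfig BuildReported(bool insecureMode, string proxyHost) =>
        new HttpClientConfig(insecureMode, proxyHost);

    // Intended mapping: the named argument makes the inversion visible in review.
    public static HttpClientConfig BuildIntended(bool insecureMode, string proxyHost) =>
        new HttpClientConfig(crlCheckEnabled: !insecureMode, proxyHost: proxyHost);

    // Assumption: the config flag is copied onto the handler's revocation switch.
    public static HttpClientHandler ToHandler(HttpClientConfig config) =>
        new HttpClientHandler { CheckCertificateRevocationList = config.CrlCheckEnabled };

    public static void Main()
    {
        const string proxyHost = "proxy.example"; // constructed value, never contacted
        foreach (bool insecureMode in new[] { true, false })
        {
            using var reported = ToHandler(BuildReported(insecureMode, proxyHost));
            using var intended = ToHandler(BuildIntended(insecureMode, proxyHost));
            Console.WriteLine(
                $"insecureMode={insecureMode}: " +
                $"reported CRL check={reported.CheckCertificateRevocationList}, " +
                $"intended CRL check={intended.CheckCertificateRevocationList}");

            // Regression guard: revocation checking must be the negation of insecureMode.
            if (intended.CheckCertificateRevocationList == insecureMode)
                throw new InvalidOperationException("CRL check is not the negation of insecureMode");
        }
    }
}
```

Checking both values of the flag in a unit test is what catches this class of bug, since a positional bool compiles whichever way round it is passed.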

sfc-gh-dszmolka self-assigned this Nov 6, 2023
sfc-gh-dszmolka added the status-triage (Issue is under initial triage) label Nov 6, 2023

sfc-gh-dszmolka (Contributor) commented

Hi, and thank you for drawing our attention to this behaviour; it is indeed unexpected and should be the other way around: insecuremode=true disabling the certificate revocation status checking. We'll take a look.

sfc-gh-dszmolka added the status-in_progress (Issue is worked on by the driver team) label and removed the status-triage (Issue is under initial triage) label Nov 6, 2023

sfc-gh-dszmolka (Contributor) commented
PR under review #832

sfc-gh-dszmolka added the status-pr_pending_merge (A PR is made and is under review) label and removed the status-in_progress (Issue is worked on by the driver team) label Dec 13, 2023
sfc-gh-mhofman added the status-in_progress (Issue is worked on by the driver team) label Dec 15, 2023

sfc-gh-dszmolka (Contributor) commented
Fix merged and will be available with the next release, on which I'll keep this thread updated.

sfc-gh-dszmolka added the status-fixed_awaiting_release (The issue has been fixed, its PR merged, and now awaiting the next release cycle of the connector.) label and removed the status-pr_pending_merge (A PR is made and is under review) label Dec 15, 2023

sfc-gh-dszmolka (Contributor) commented
Hotfix version 2.1.5 has just been released with the fix. Thank you again so much for drawing our attention to this issue!

sfc-gh-dszmolka removed the status-in_progress (Issue is worked on by the driver team) and status-fixed_awaiting_release (The issue has been fixed, its PR merged, and now awaiting the next release cycle of the connector.) labels Dec 18, 2023