
Add setting to trust SQL Server's certificate

Open HannahVernon opened this issue 3 years ago • 3 comments

I had to modify the public function db_connect( $allow_bail = true ) function in wp-includes/wp-db.php to allow PHP to connect to my SQL Server using a non-CA-trusted certificate.

I changed the following lines:

if ( getenv('ProjectNami.UTF8') ) {
	$this->dbh = sqlsrv_connect( $this->dbhost, array( "Database"=> $this->dbname, "UID"=> $this->dbuser, "PWD"=> $this->dbpassword, 'ReturnDatesAsStrings'=>true, 'MultipleActiveResultSets'=> false, 'CharacterSet'=> 'UTF-8') );
} else {
	$this->dbh = sqlsrv_connect( $this->dbhost, array( "Database"=> $this->dbname, "UID"=> $this->dbuser, "PWD"=> $this->dbpassword, 'ReturnDatesAsStrings'=>true, 'MultipleActiveResultSets'=> false) );
}

to

if ( getenv('ProjectNami.UTF8') ) {
	$this->dbh = sqlsrv_connect( $this->dbhost, array( "Database"=> $this->dbname, "UID"=> $this->dbuser, "PWD"=> $this->dbpassword, 'ReturnDatesAsStrings'=>true, 'MultipleActiveResultSets'=> false, 'CharacterSet'=> 'UTF-8', 'TrustServerCertificate'=> true) );
} else {
	$this->dbh = sqlsrv_connect( $this->dbhost, array( "Database"=> $this->dbname, "UID"=> $this->dbuser, "PWD"=> $this->dbpassword, 'ReturnDatesAsStrings'=>true, 'MultipleActiveResultSets'=> false, 'TrustServerCertificate'=> true) );
}

I added the ODBC Connection parameter for TrustServerCertificate to be true, instead of the default false.

Problem now is, any new updates from the ProjectNami GitHub project will reset the change. It would be great to have a setting for that in the wp-config.php file, or something along those lines to ensure that updates don't clobber the connection parameters.

HannahVernon, Feb 23 '22 00:02

I don't have strong enough PHP skills to be of any help in suggesting a code change via a PR, otherwise I'd do that 🙂

HannahVernon, Feb 23 '22 00:02

What would be the downside of just adding this parameter without any settings for control?

patrickebates, Feb 23 '22 00:02

While it wouldn't prevent any non-encrypted connectivity, having the option to only connect via trusted certificates is probably important for some folks. For me, having the TrustServerCertificate setting defaulted to true would be fine.

HannahVernon, Feb 23 '22 01:02
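
One way the wp-config.php setting requested in this issue could look, as an added example that is not Project Nami's code and not from any participant in the thread. The constant name `DB_TRUST_SERVER_CERTIFICATE` and the function `nami_example_connection_options()` are hypothetical; the option keys are the ones already passed to `sqlsrv_connect()` above. Certificate validation stays on unless the site owner explicitly opts out, and the opt-out is logged so it is visible in review.

```php
<?php
// Hypothetical wp-config.php entry (the constant name is an assumption):
//   define( 'DB_TRUST_SERVER_CERTIFICATE', true );

/**
 * Build the options array for sqlsrv_connect(), adding TrustServerCertificate
 * only when the site owner has opted in through wp-config.php.
 */
function nami_example_connection_options( $dbname, $dbuser, $dbpassword ) {
	$options = array(
		'Database'                 => $dbname,
		'UID'                      => $dbuser,
		'PWD'                      => $dbpassword,
		'ReturnDatesAsStrings'     => true,
		'MultipleActiveResultSets' => false,
	);

	if ( getenv( 'ProjectNami.UTF8' ) ) {
		$options['CharacterSet'] = 'UTF-8';
	}

	if ( defined( 'DB_TRUST_SERVER_CERTIFICATE' ) ) {
		// FILTER_VALIDATE_BOOLEAN treats the strings 'false', 'off', 'no', '0'
		// as false; a plain (bool) cast would turn 'false' into true.
		$trust = filter_var( constant( 'DB_TRUST_SERVER_CERTIFICATE' ), FILTER_VALIDATE_BOOLEAN );
		$options['TrustServerCertificate'] = $trust;

		if ( $trust ) {
			// The driver will skip validation of the server certificate chain,
			// so record that this site is running with the check disabled.
			error_log( 'DB connection: TrustServerCertificate is enabled; server certificate is not validated.' );
		}
	}

	return $options;
}

// Constructed demonstration values, not real credentials.
define( 'DB_TRUST_SERVER_CERTIFICATE', 'false' );
$options        = nami_example_connection_options( 'wordpress', 'wp_user', 'constructed-password' );
$options['PWD'] = '***'; // mask before printing
print_r( $options );

// Inside db_connect() the single call would then be:
//   $this->dbh = sqlsrv_connect( $this->dbhost, $options );
```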