From 3b2e82e5b62fcb35aff0bdc0100d92f5d10fc368 Mon Sep 17 00:00:00 2001 From: Hanan-Akeyless Date: Thu, 2 Jul 2026 14:58:14 +0300 Subject: [PATCH] MSSQL: encrypt-in-transit default for msodbcsql18 compatibility MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The SRA bastion is moving its Adminer stack from msodbcsql17 to msodbcsql18 (required for arm64 — v17 has no arm64 packages). msodbcsql18 flips the default for an unset Encrypt from "no" (plaintext) to "yes" with mandatory server-cert validation, which would break every MSSQL connection on the default no-SSL path to a server without a CA-trusted certificate. Set the MSSQL connection to always encrypt in transit, and validate the server certificate only when the user opts into SSL mode. On the default path this keeps existing connections reachable (TrustServerCertificate=true skips validation) while still upgrading them from plaintext to encrypted — a net security gain over the previous msodbcsql17 behavior. The explicit SSL opt-in remains strict (TrustServerCertificate=false). Consumed by zero-trust-bastion via the pinned adminer tag; requires a new tag and a matching Dockerfile bump there. Co-Authored-By: Claude Fable 5 --- plugins/login-akeyless-ssl.php | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/plugins/login-akeyless-ssl.php b/plugins/login-akeyless-ssl.php index 56fbe24f9..895329980 100644 --- a/plugins/login-akeyless-ssl.php +++ b/plugins/login-akeyless-ssl.php @@ -4,11 +4,23 @@ class AdminerAkeylessLoginSsl extends Adminer\Plugin { function connectSsl() { $auth = (isset($_POST["auth"]) && is_array($_POST["auth"]) ? $_POST["auth"] : array()); $sslMode = (isset($auth["ssl_mode"]) ? trim((string) $auth["ssl_mode"]) : ""); + $driver = $this->currentDriver($auth); + + // msodbcsql18 defaults an unset Encrypt to mandatory TLS with certificate + // validation, which breaks the default (no-SSL) path that connected plaintext + // under msodbcsql17. Always encrypt in transit; validate the server certificate + // only when the user opts into SSL mode, so existing connections stay reachable. + if ($driver == "mssql") { + return array( + "Encrypt" => true, + "TrustServerCertificate" => ($sslMode == ""), + ); + } + if ($sslMode == "") { return null; } - $driver = $this->currentDriver($auth); switch ($driver) { case "pgsql": case "postgres": @@ -28,11 +40,6 @@ function connectSsl() { "ca" => $ca, "verify" => true, ); - case "mssql": - return array( - "Encrypt" => true, - "TrustServerCertificate" => false, - ); } return null;