-
Notifications
You must be signed in to change notification settings - Fork 140
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SNOW-1018279: After Version 2.1.5 Snowflake.Data makes a new Network Egress call which can be blocked in networking #855
Comments
hello and thank you for submitting this issue ! this looks like something which works as expected. Please note that all Snowflake drivers (by default) perform certificate validation against certain hosts , which hosts are defined in the certificates itselves.
both of those work on port 80. For .NET its unfortunately not that straightforward, but what I would do if I would only need to allow only the specific CRL hosts on port 80:
export hostname="sfc-eu-ds1-22-customer-stage.s3.amazonaws.com"
echo | openssl s_client -showcerts -connect "$hostname":443 -servername "$hostname" 2>/dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".pem"; print >out}'; for cert in cert*.pem; do echo "--> $cert"; openssl x509 -noout -text -subject -issuer -startdate -enddate -in $cert | grep -i crl; echo; done I'm certain there are more sophisticated methods as well, but this would output
so does the job.
Some notes:
Hope this helps. Closing this issue as it is not an issue with the .NET driver and is an expected behaviour. |
On this one: we fixed an important security hole with 2.1.5 (was there between 2.0.25 - 2.1.4) where on the affected versions the driver would not contact the CRL hosts for certificate verification. This was unexpected behaviour and result of a bug. Starting from 2.1.5 the driver again behaves as expected -> contacts the CRL hosts on port 80. This is likely the explanation to the behaviour you're seeing. |
What version of .NET driver are you using?
2.1.5 and 2.2.0
What operating system and processor architecture are you using?
AWS Lambda running .NET 6.0
What version of .NET framework are you using?
.NET 6.0
What did you do?
We have a lambda in a VPC that makes a Snowflake DB connection. After upgrading from 2.1.3 to 2.2.0 we started getting timeouts opening the Snowflake connection. No code changes were made outside of the update, and our logs showed specifically that a
connection.open()
line was the last action take by the lambda before a timeout. This only occurred in the code deployed to the lambda but not from my local machine, which continued to work as expected.What did you expect to see?
Ideally we expected that the lambda Snowflake connectivity would continue to work instead of timing out. After some investigation we found that our VPC security group needed an extra egress port added on an additional port(we opened up everything, and have not narrowed down the actual port being used). We had 443 already open, but after the update to 2.1.5 and 2.2.0 we needed another port open. This lambda makes a simple Snowflake query formats the data and returns it so no other processes would have required this extra port.
We have mitigated the error by opening egress traffic to all ports. Please let us know what port we need traffic opened to so we can secure our lambda a bit more
Also note, we tried every version from 2.13, 2.1.4, 2.15, and 2.2.0. Our connectivity started breaking on version 2.1.5
The text was updated successfully, but these errors were encountered: