mssqlclient : 'SSL routines', 'state_machine', 'internal error' #856

Closed
MA24th opened this issue May 14, 2020 · 16 comments

@MA24th

MA24th commented May 14, 2020

I have this issue,

termx:~$ mssqlclient.py sql_svc@10.10.10.27 -windows-auth 
Impacket v0.9.22.dev1+20200513.101403.9a4b3f52 - Copyright 2020 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[-] [('SSL routines', 'state_machine', 'internal error')]

Impacket version == "Impacket v0.9.22.dev1+20200513.101403.9a4b3f52 - Copyright 2020 SecureAuth Corporation"

with debug

termx:~$ mssqlclient.py sql_svc@10.10.10.27 -windows-auth -debug
Impacket v0.9.22.dev1+20200513.101403.9a4b3f52 - Copyright 2020 SecureAuth Corporation

[+] Impacket Library Installation Path: /usr/local/lib/python3.8/dist-packages/impacket-0.9.22.dev1+20200513.101403.9a4b3f52-py3.8.egg/impacket
Password:
[*] Encryption required, switching to TLS
[+] Exception:
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/impacket-0.9.22.dev1+20200513.101403.9a4b3f52-py3.8.egg/EGG-INFO/scripts/mssqlclient.py", line 179, in <module>
    res = ms_sql.login(options.db, username, password, domain, options.hashes, options.windows_auth)
  File "/usr/local/lib/python3.8/dist-packages/impacket-0.9.22.dev1+20200513.101403.9a4b3f52-py3.8.egg/impacket/tds.py", line 917, in login
    tls.do_handshake()
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1915, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1647, in _raise_ssl_error
    _raise_current_error()
  File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'state_machine', 'internal error')]
[-] [('SSL routines', 'state_machine', 'internal error')]

@MA24th MA24th changed the title OpenSSL.SSL.Error: [('SSL routines', 'state_machine', 'internal error')] mssqlclient : 'SSL routines', 'state_machine', 'internal error' May 14, 2020
@francoataffarel

same error

```
python3 mssqlclient.py ARCHETYPE/sql_svc@10.10.10.27 -windows-auth
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[-] [('SSL routines', 'state_machine', 'internal error')]
```

@kazkansouh

Yep I just got this too.

I think it's related to python 3.8. What is odd is both mssql-cli and mssqlclient both issued the internal error message when I tried them against a MSSQL 2014.

However, trying again after pulling a docker image with python 3.7 the impacket mssqlclient script worked fine. So probably it's python 3.8 or one of the dependencies.

@LeviPesin

Also look into #866. I opened this issue on pyOpenSSL: pyca/pyopenssl#916

@LeviPesin

Hmm... I looked into the impacket/tds.py and I found this:
```
if resp['Encryption'] == TDS_ENCRYPT_REQ or resp['Encryption'] == TDS_ENCRYPT_OFF:
    LOG.info("Encryption required, switching to TLS")
```
Is it what it is supposed to be? Maybe it should be TDS_ENCRYPT_ON instead of TDS_ENCRYPT_OFF?

@Mastermjr

Mastermjr commented Nov 18, 2020

on python 3.8.5 and ubuntu 20.04 I was able to fix this issue by changing the TLS context method to a newer version, the original code uses v1, and changing the following lines allows me to connect just fine:

diff --git a/impacket/tds.py b/impacket/tds.py
index a24333d4..675ef822 100644
--- a/impacket/tds.py
+++ b/impacket/tds.py
@@ -660,10 +660,11 @@ class MSSQL:
             LOG.info("Encryption required, switching to TLS")

             # Switching to TLS now
-            ctx = SSL.Context(SSL.TLSv1_METHOD)
+            ctx = SSL.Context(SSL.TLSv1_2_METHOD)
             ctx.set_cipher_list('RC4, AES256')
             tls = SSL.Connection(ctx,None)
             tls.set_connect_state()
+
             while True:
                 try:
                     tls.do_handshake()
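Review bot: SSL.TLSv1_2_METHOD on the changed ctx = SSL.Context(...) line still pins the handshake to one protocol version, so the client now fails against any server that does not offer exactly TLS 1.2. Use a version-flexible method such as SSL.TLS_METHOD and let the handshake negotiate the highest mutually supported version; if a minimum is wanted, set it separately instead of through the method constant. The blank line added after tls.set_connect_state() is unrelated whitespace and can be dropped from the patch.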
@@ -908,7 +909,7 @@ class MSSQL:
             LOG.info("Encryption required, switching to TLS")

             # Switching to TLS now
-            ctx = SSL.Context(SSL.TLSv1_METHOD)
+            ctx = SSL.Context(SSL.TLSv1_2_METHOD)
             ctx.set_cipher_list('RC4, AES256')
             tls = SSL.Connection(ctx,None)
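Review bot: this second hunk edits a line-for-line copy of the context setup already changed at line 660 (SSL.Context, set_cipher_list('RC4, AES256'), SSL.Connection(ctx,None)), so every future protocol change has to be made twice and the two sites can drift. Factor the setup into one helper that both call sites use. While there, revisit the unchanged cipher string: RC4 is a broken cipher and should not be the first preference offered.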

qbit uses v1_2 in the linked issue above

@ichig069

I've been having the same issue. I'll include a Wireshark capture if anyone wants to check it out. If you can see what's going on please get back to me.

mssqlpcap.zip

@nbaAnomaly

nbaAnomaly commented Jul 18, 2021

on python 3.8.5 and ubuntu 20.04 I was able to fix this issue by changing the TLS context method to a newer version, the original code uses v1, and changing the following lines allows me to connect just fine:

diff --git a/impacket/tds.py b/impacket/tds.py
index a24333d4..675ef822 100644
--- a/impacket/tds.py
+++ b/impacket/tds.py
@@ -660,10 +660,11 @@ class MSSQL:
             LOG.info("Encryption required, switching to TLS")

             # Switching to TLS now
-            ctx = SSL.Context(SSL.TLSv1_METHOD)
+            ctx = SSL.Context(SSL.TLSv1_2_METHOD)
             ctx.set_cipher_list('RC4, AES256')
             tls = SSL.Connection(ctx,None)
             tls.set_connect_state()
+
             while True:
                 try:
                     tls.do_handshake()
@@ -908,7 +909,7 @@ class MSSQL:
             LOG.info("Encryption required, switching to TLS")

             # Switching to TLS now
-            ctx = SSL.Context(SSL.TLSv1_METHOD)
+            ctx = SSL.Context(SSL.TLSv1_2_METHOD)
             ctx.set_cipher_list('RC4, AES256')
             tls = SSL.Connection(ctx,None)

qbit uses v1_2 in the linked issue above

Running Ubuntu 21.04, python 3.9 I followed this method and modified /usr/local/lib/python3.9/dist-packages/impacket-0.9.23-py3.9.egg/impacket/tds.py

replaced ctx = SSL.Context(SSL.TLSv1_METHOD) with ctx = SSL.Context(SSL.TLSv1_2_METHOD) both at line 911 & 663 and now mssqlclient.py works

@MaxALEau

MaxALEau commented Nov 27, 2021

Same problem for me : Impacket v0.9.25.dev1+20211027.123255.1dad8f7f

@pizza-power

on python 3.8.5 and ubuntu 20.04 I was able to fix this issue by changing the TLS context method to a newer version, the original code uses v1, and changing the following lines allows me to connect just fine:

diff --git a/impacket/tds.py b/impacket/tds.py
index a24333d4..675ef822 100644
--- a/impacket/tds.py
+++ b/impacket/tds.py
@@ -660,10 +660,11 @@ class MSSQL:
             LOG.info("Encryption required, switching to TLS")

             # Switching to TLS now
-            ctx = SSL.Context(SSL.TLSv1_METHOD)
+            ctx = SSL.Context(SSL.TLSv1_2_METHOD)
             ctx.set_cipher_list('RC4, AES256')
             tls = SSL.Connection(ctx,None)
             tls.set_connect_state()
+
             while True:
                 try:
                     tls.do_handshake()
@@ -908,7 +909,7 @@ class MSSQL:
             LOG.info("Encryption required, switching to TLS")

             # Switching to TLS now
-            ctx = SSL.Context(SSL.TLSv1_METHOD)
+            ctx = SSL.Context(SSL.TLSv1_2_METHOD)
             ctx.set_cipher_list('RC4, AES256')
             tls = SSL.Connection(ctx,None)

qbit uses v1_2 in the linked issue above

Running Ubuntu 21.04, python 3.9 I followed this method and modified /usr/local/lib/python3.9/dist-packages/impacket-0.9.23-py3.9.egg/impacket/tds.py

replaced ctx = SSL.Context(SSL.TLSv1_METHOD) with ctx = SSL.Context(SSL.TLSv1_2_METHOD) both at line 911 & 663 and now mssqlclient.py works

This worked for me, too. Thanks!

@elliott-fwdsec

on python 3.8.5 and ubuntu 20.04 I was able to fix this issue by changing the TLS context method to a newer version, the original code uses v1, and changing the following lines allows me to connect just fine:

diff --git a/impacket/tds.py b/impacket/tds.py
index a24333d4..675ef822 100644
--- a/impacket/tds.py
+++ b/impacket/tds.py
@@ -660,10 +660,11 @@ class MSSQL:
             LOG.info("Encryption required, switching to TLS")

             # Switching to TLS now
-            ctx = SSL.Context(SSL.TLSv1_METHOD)
+            ctx = SSL.Context(SSL.TLSv1_2_METHOD)
             ctx.set_cipher_list('RC4, AES256')
             tls = SSL.Connection(ctx,None)
             tls.set_connect_state()
+
             while True:
                 try:
                     tls.do_handshake()
@@ -908,7 +909,7 @@ class MSSQL:
             LOG.info("Encryption required, switching to TLS")

             # Switching to TLS now
-            ctx = SSL.Context(SSL.TLSv1_METHOD)
+            ctx = SSL.Context(SSL.TLSv1_2_METHOD)
             ctx.set_cipher_list('RC4, AES256')
             tls = SSL.Connection(ctx,None)

qbit uses v1_2 in the linked issue above

Had to rerun python3 -m pip install . for the changes to take effect it seemed.

@MartialSeron

same with impacket-0.9.25.dev1+20220218.140931.6042675a

the changes in file impacket/tds.py and python3 -m pip install . fixed it

@iosusan

iosusan commented May 29, 2022

#856 (comment)

This worked for me as well. In my case I manually edited my user-installed lib ~/.local/lib/python3.8/site-packages/impacket.tds.py

@mpgn
Contributor

mpgn commented Jun 23, 2022

Okay, thanks to @H00K the solution seems to be pretty simple: ctx = SSL.Context(SSL.TLS_METHOD) instead of selecting one particular protocol!

PR: #1356

SSL.TLS_METHOD = These are the general-purpose version-flexible SSL/TLS methods. The actual protocol version used will be negotiated to the highest version mutually supported by the client and the server. The supported protocols are SSLv3, TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3. Applications should use these methods, and avoid the version-specific methods described below, which are deprecated.
https://www.openssl.org/docs/manmaster/man3/TLS_method.html
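
Several commenters patched their installed tds.py by hand and found the pinned contexts at different line numbers. The scanner below locates every `Context(...)` call that still uses a version-specific method. It is an added example, not code from Impacket or from any commenter; `find_pinned_contexts`, `PINNED` and the embedded sample source are hypothetical names and constructed input.

```python
import ast

# pyOpenSSL constants that pin one protocol version (deprecated by OpenSSL).
PINNED = {"SSLv3_METHOD", "TLSv1_METHOD", "TLSv1_1_METHOD", "TLSv1_2_METHOD"}


def find_pinned_contexts(source, filename="<source>"):
    """Return sorted (line, method) pairs for Context(<pinned method>) calls."""
    hits = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not (isinstance(node, ast.Call) and node.args):
            continue
        func, arg = node.func, node.args[0]
        # Accept both SSL.Context(...) and a directly imported Context(...).
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name != "Context":
            continue
        method = arg.attr if isinstance(arg, ast.Attribute) else getattr(arg, "id", None)
        if method in PINNED:
            hits.append((node.lineno, method))
    return sorted(hits)


# Constructed sample modelled on the lines quoted in this thread (not the real tds.py).
SAMPLE = '''\
from OpenSSL import SSL

def prelogin_tls():
    # Switching to TLS now
    ctx = SSL.Context(SSL.TLSv1_METHOD)
    ctx.set_cipher_list('RC4, AES256')
    return SSL.Connection(ctx, None)

def login_tls():
    ctx = SSL.Context(SSL.TLSv1_2_METHOD)
    return SSL.Connection(ctx, None)

def flexible_tls():
    ctx = SSL.Context(SSL.TLS_METHOD)  # version-flexible, not reported
    return SSL.Connection(ctx, None)
'''

if __name__ == "__main__":
    import sys
    # With a path argument, scan that file instead of the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for line, method in find_pinned_contexts(text):
        print(f"line {line}: SSL.Context pinned to {method}")
```

Passing the path of an installed impacket/tds.py as the first argument prints the lines to review. The file is only parsed, never imported.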

@0xdeaddood
Collaborator

Should be fixed in #1364. Please re-open if needed.

@sVignone

on python 3.8.5 and ubuntu 20.04 I was able to fix this issue by changing the TLS context method to a newer version, the original code uses v1, and changing the following lines allows me to connect just fine:

diff --git a/impacket/tds.py b/impacket/tds.py
index a24333d4..675ef822 100644
--- a/impacket/tds.py
+++ b/impacket/tds.py
@@ -660,10 +660,11 @@ class MSSQL:
             LOG.info("Encryption required, switching to TLS")

             # Switching to TLS now
-            ctx = SSL.Context(SSL.TLSv1_METHOD)
+            ctx = SSL.Context(SSL.TLSv1_2_METHOD)
             ctx.set_cipher_list('RC4, AES256')
             tls = SSL.Connection(ctx,None)
             tls.set_connect_state()
+
             while True:
                 try:
                     tls.do_handshake()
@@ -908,7 +909,7 @@ class MSSQL:
             LOG.info("Encryption required, switching to TLS")

             # Switching to TLS now
-            ctx = SSL.Context(SSL.TLSv1_METHOD)
+            ctx = SSL.Context(SSL.TLSv1_2_METHOD)
             ctx.set_cipher_list('RC4, AES256')
             tls = SSL.Connection(ctx,None)

qbit uses v1_2 in the linked issue above

Running Ubuntu 21.04, python 3.9 I followed this method and modified /usr/local/lib/python3.9/dist-packages/impacket-0.9.23-py3.9.egg/impacket/tds.py

replaced ctx = SSL.Context(SSL.TLSv1_METHOD) with ctx = SSL.Context(SSL.TLSv1_2_METHOD) both at line 911 & 663 and now mssqlclient.py works

I've been struggling with this for weeks and this fixed it right away, only difference was I found mine on line 666 and 914. Thanks again!

@younes-benniz

running python3 -m pip install . fixed it.
