Go version 1.18 TLS 1.0 and 1.1 disabled by default client-side (sql server old TLS versions not work) #726

Open
gus2286 opened this issue Mar 17, 2022 · 14 comments

gus2286 commented Mar 17, 2022

Hi and thanks for the work you do.

I just installed the latest Go compiler, version 1.18, and the connections to databases that still use TLS 1.0 are broken.

Error: TLS Handshake failed: tls: server selected unsupported protocol version 301

There is a workaround for the moment using the environment variable GODEBUG=tls10default=1, BUT in the next version, Go 1.19, this environment variable will be disabled.

My proposal is to have a way to pass the TLS config param Config.MinVersion, set to VersionTLS10, to the driver in some way. Would that be possible?

https://tip.golang.org/doc/go1.18#tls10

Thanks
Gus

iambudi commented Apr 13, 2022

I'm using go version go1.18 darwin/amd64; adding the GODEBUG environment variable (os env or go setEnv) still gives a TLS Handshake failed error.

Any other workaround?

gus2286 commented Apr 13, 2022

It is strange that GODEBUG doesn't work. Did you double-check after setting it to verify that it is set correctly?

You can always downgrade Go to 1.17 (like I do)

iambudi commented Apr 13, 2022

Yes, I double-checked it:

```go
os.Setenv("GODEBUG", "tls10default=1")
log.Println(os.Getenv("GODEBUG"))
// output tls10default=1
```

iambudi commented Apr 13, 2022

> You can always downgrade Go to 1.17 (like I do)

Sure, I will check later. Thanks.

derwitzer commented Apr 13, 2022

One thing you may use as a workaround (but it's far away from best practice 😉) is to disable encryption in your connection string. I won't recommend this workaround, but if you may have coded some in-house apps with no critical data, you may think about it.

Hopefully there will be a solution soon for this driver. As I've seen, Microsoft will take care of this project, so maybe we'll get a fix in the near future.

Someone mentioned a downgrade, but this did not work for me :( Had the same issue with 1.17 :/ Maybe because of the updated drivers?

iambudi commented Apr 14, 2022

I tried both combinations of encrypt=False and TrustServerCertificate=True in the connection string and still have the TLS issue.
1.17 still does not make it.

iambudi commented Apr 14, 2022

In package crypto/tls:

> By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. TLS 1.0 is the minimum supported by this package, both as a client and as a server.
> The client-side default can temporarily be reverted to TLS 1.0 by including the value "x509sha1=1" in the GODEBUG environment variable. Note that this option will be removed in Go 1.19 (but it will still be possible to set this field to VersionTLS10 explicitly).

So I have to go mod vendor to modify the conn_str.go of the driver and set the minimal version back to TLS 1.0 manually, and it works now.

This is related to the proposal from @gus2286 to pass Config.MinVersion.

fumin commented Apr 15, 2022

> Yes, I double-checked it:
>
> os.Setenv("GODEBUG", "tls10default=1")
> log.Println(os.Getenv("GODEBUG"))
> // output tls10default=1

This does not work, because the standard library reads the environment variable at startup:
https://github.com/golang/go/blob/master/src/crypto/tls/common.go#L978

Can we please triage this MinVersion feature, as there is a lot of Microsoft legacy software that sucks...

@zhiyunliu

I tried to set the GODEBUG parameter. It doesn't work well.

```go
os.Setenv("GODEBUG", "x509sha1=1,tls10default=1")
```

@JuanRenteM

Any updates on this?

@hugorosario

Just ran into this situation.
The only fix I found was to disable TLS altogether by passing "encrypt=disable" on the connection string.
This is not recommended if you are doing any serious work.
In my case it's just fine for localhost connections but definitely will need to have a fix before going into production.

ZekeLu commented Jun 22, 2022

> > Yes, I double-checked it:
> >
> > os.Setenv("GODEBUG", "tls10default=1")
> > log.Println(os.Getenv("GODEBUG"))
> > // output tls10default=1
>
> This does not work, because the standard library reads the environment variable at startup:
> https://github.com/golang/go/tree/go1.18.3/src/crypto/tls/common.go#L978

Yes, it doesn't work. The environment variable should be set before the app is started. Here are some common options to set it:

  • set the env and run the app:
    • Linux: GODEBUG=tls10default=1 /path/to/your/app
    • Windows: set GODEBUG=tls10default=1 && c:\path\to\your\app
  • Dockerfile: ENV GODEBUG=tls10default=1

And please note that it only works for go1.18. The flag has been removed in go1.19 (golang/go@f0ee7fd).

@WenTao-Love

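```go
// Option 1: no TLS at all (encrypt=DISABLE)
connString := fmt.Sprintf("server=%s;port=%d;database=%s;user id=%s;password=%s;trustservercertificate=true;encrypt=DISABLE",
	server, port, dbname, user, password)
```

or

```go
// Option 2: keep TLS, but lower the client's minimum version explicitly
connString := fmt.Sprintf("server=%s;port=%d;database=%s;user id=%s;password=%s;trustservercertificate=true",
	server, port, dbname, user, password)
cfg, _, err := msdsn.Parse(connString)
if err != nil {
	log.Fatal(err) // a failed parse would leave cfg.TLSConfig unset
}
cfg.TLSConfig.MinVersion = tls.VersionTLS10

conn := mssql.NewConnectorConfig(cfg)
db := sql.OpenDB(conn)
```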

@DhurghamFahem

@WenTao-Love This saved my day thnx
