dotnet 8: Error Microsoft.Data.SqlClient.SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 31 - Encryption(ssl/tls) handshake failed) #2252
Comments
dotnet8 base image uses Debian 12, which uses openssl-3, where SHA-1 was downgraded to security level 0. I did not manage to connect yet, even with
Here is the modified openssl.cnf I used to correctly connect:

@BastienDurel have you looked into Wireshark traces to see what TLS version is being sent to the server? SQL Server 2012 does not support TLS 1.3.

Yes I did:
TLS 1.3 is TLS 1.2 in disguise ;) NB: the server I'm connecting to is 2014, not 2012

@BastienDurel have you tried disabling TLS 1.3 to see the results? Another approach would be testing against SQL Server 2022 to see if you can make a connection. SQL Server 2022 and later support TLS 1.3. In this packet the client has offered TLS 1.3 and TLS 1.2.

I cannot upgrade the SQL server itself, it's a client's production server :( But the problem is not the TLS 1.3 offering, it is the fact that openssl does not offer TLS1 ciphers and SHA-1 hash methods by default, hence the modified openssl.cnf

So, the issue seems not to be SqlClient related, maybe?

Thank you @BastienDurel, I have tested with the below modification in the openssl.cnf
I can confirm now it is connected with SQL and working as expected. Again, thank you for your help.

Not really SqlClient-specific, it's a general TLS problem which affects SqlClient because the server it connects to is often non-upgradable (no-one exposes a web server that does not support TLS 1.2, but the problem should arise with every TLS client trying to connect to an outdated server).

Did you append it manually or using a command in your Dockerfile? Was curious if I'm on the right track by trying to modify openssl.cnf with "RUN -i -e" commands in my Dockerfile.

I used to append via printf:
BTW: I use a conditional inclusion:
So I can generate images for old servers or new ones by changing the BUILD_FOR parameter

I also used the printf mentioned by BastienDurel

Considering the then add the code below in the Dockerfile according to @BastienDurel's comment: ConnectionString:

Closing as it is not SQL client related

Hi everyone, I found that this is an issue with TLS/SSL communication between .NET 8 and SQL Server due to an older TLS version being used. To resolve this, inserting the following into the Dockerfile before the "AS build" block works great:
Although these 3 lines can be combined into 2 lines, it makes it too lengthy, so I preferred this format. I've tested it on .NET 8 with SQL Server 2016 in a Docker environment. Here's a snippet of my Dockerfile:

Describe the bug
This is the same issue as described here. We need to upgrade dotnet from 6 to 8, needed for LTS, however, we cannot upgrade the database (yet).
To reproduce
Very simple console app to replicate:
Dockerfile:
Expected behaviour
Top 10 records from "dbo.< Table > "
Further technical details
Microsoft.Data.SqlClient version: 5.1.2
.NET target: 8
SQL Server version: SQL Server 2012
Operating system: Microsoft SQL Server Standard (64-bit)
Additional context
I have tested with different dotnet images, any of the dotnet 8 works.
The same run changing dotnet images and target framework to 5, 6 and 7 connects properly and works as expected.
I've run and made changes in the openssl.cnf in "/etc/ssl/" and "/usr/lib/ssl/openssl.cnf" and it looks like it does not contain the "SECLEVEL" and/or "MinProtocol" properties.
I have also appended the properties into the configuration files, but it seems no difference takes effect.
Here is the output once I open the file:
RUN cd /usr/lib/ssl/ && cat openssl.cnf
Any help would be much appreciated.
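
Added example, not part of the original issue or the SqlClient project: OpenSSL applies system-wide TLS defaults such as MinProtocol and the CipherString SECLEVEL only from the section reached through openssl_conf -> ssl_conf -> system_default, so the same keys placed in any other section are not applied as defaults. This Python check reports which section is active and which sections hold such keys without being reachable. The function names and both sample configs are constructed for illustration, and `.include` directives and the `OPENSSL_CONF` environment override are not handled.

```python
import re

def parse_sections(text):
    """Parse openssl.cnf text into {section: {key: value}}; keys before the
    first [header] go to 'default'. .include and $var expansion are ignored."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def audit(text):
    """Follow openssl_conf -> ssl_conf -> system_default; report the active defaults."""
    s = parse_sections(text)
    name = s["default"].get("openssl_conf")
    for key in ("ssl_conf", "system_default"):
        name = s.get(name, {}).get(key) if name else None
    active = s.get(name, {}) if name else {}
    level = re.search(r"@SECLEVEL=(\d)", active.get("CipherString", ""))
    # Sections that hold TLS settings but are not the one libssl reads.
    ignored = sorted(sec for sec, kv in s.items()
                     if sec != name and {"MinProtocol", "CipherString"} & kv.keys())
    return {"section": name, "MinProtocol": active.get("MinProtocol"),
            "SECLEVEL": int(level.group(1)) if level else None,
            "ignored_sections": ignored}

# Constructed sample: settings reachable from openssl_conf.
WIRED = """openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
"""
# Constructed sample: the same keys appended to a file with no openssl_conf chain.
APPENDED = """[req]
default_bits = 2048
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
"""
if __name__ == "__main__":
    print(audit(WIRED), audit(APPENDED), sep="\n")
```

Run against an image's real file with `audit(open("/etc/ssl/openssl.cnf").read())`; a non-empty `ignored_sections` or a `section` of `None` means the edited keys are not the ones in effect.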