4

This error occurs on a single endpoint. It is the one that tries to extract data from SQL Server. If I try to run IIS, everything works fine. When I run in a Linux Docker container, it doesn't work anymore. I have the following errors:

```
OpenSslCryptographicException: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
Unknown location

SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
Interop+OpenSsl.DoSslHandshake(SafeSslHandle context, ReadOnlySpan input, out byte[] sendBuf, out int sendCount)

AuthenticationException: Authentication failed, see inner exception.
System.Net.Security.SslStream.ForceAuthenticationAsync(TIOAdapter adapter, bool receiveFirst, byte[] reAuthenticationData, bool isApm)

SqlException: A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: TCP Provider, error: 35 - An internal exception was caught)
Microsoft.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, bool breakConnection, Action wrapCloseInAction)

SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority '....'.
```


Maddiet97
  • 41
  • 1
  • 3
  • Sounds like you are running a .NET instance in a docker container that has a strong security policy configured for OpenSSL which disallows older (and weaker, less secure) SSL versions that SqlServer tries to use. What container are you using? – omajid Mar 18 '22 at 14:01
  • 1
    Does the server support TLS 1.2? For SQL Server 2012 you need this update https://support.microsoft.com/en-us/topic/kb3135244-tls-1-2-support-for-microsoft-sql-server-e4472ef8-90a9-13c1-e4d8-44aad198cdbe and you also need to enable relevant registry settings if on Windows 7 or 2012r2 or earlier – Charlieface Mar 19 '22 at 20:27

1 Answer

6

If absolutely required, you can lower the minimum required TLS version of OpenSSL in your runtime Docker container. Add the following lines somewhere prior to ENTRYPOINT in your Dockerfile:

```dockerfile
# fix for SQLServer 2008 R2 - reduce minimum protocol to tls v1.0
RUN sed -i -e "s|^MinProtocol = .*|MinProtocol = TLSv1.0|g" "/etc/ssl/openssl.cnf"
```

But upgrading SQL Server so it supports the latest TLS versions seems to be a correct solution here.

Evgeniy
  • 61
  • 2
  • I'm still getting issues with this: `System.IO.IOException: Received an unexpected EOF or 0 bytes from the transport stream.` – ChadT Jul 03 '23 at 01:15
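
Added example, not part of the original answer or its comments: the `sed` from the answer exits 0 even when no `MinProtocol = ...` line matches, so this shell sketch reads the value back and fails when the edit did not take effect. The function names and the sample config are constructed for illustration; the value `TLSv1.0` is the one used in the answer.

```shell
#!/bin/sh
# Print the effective MinProtocol value from an openssl.cnf-style file.
# Commented-out lines are ignored; the last assignment wins. Prints nothing
# when the file has no MinProtocol assignment.
get_min_protocol() {
    sed -n 's/^[[:space:]]*MinProtocol[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1
}

# Apply the answer's sed to file $1 with value $2, then read the value back.
# Returns 1 when the file has no MinProtocol line, or when the line is written
# in a form the sed pattern does not match (for example without spaces).
set_min_protocol() {
    cnf=$1
    want=$2
    if [ -z "$(get_min_protocol "$cnf")" ]; then
        echo "no MinProtocol line in $cnf; sed would change nothing" >&2
        return 1
    fi
    sed -i -e "s|^MinProtocol = .*|MinProtocol = $want|g" "$cnf"
    [ "$(get_min_protocol "$cnf")" = "$want" ]
}

# Constructed sample input: a minimal system-default section.
write_sample() {
    printf '%s\n' '[system_default_sect]' \
        '#MinProtocol = TLSv1.3' \
        'MinProtocol = TLSv1.2' > "$1"
}

# Demonstration on a temporary copy, so the real /etc/ssl/openssl.cnf is untouched.
tmp=$(mktemp)
write_sample "$tmp"
echo "before: $(get_min_protocol "$tmp")"
if set_min_protocol "$tmp" TLSv1.0; then
    echo "after:  $(get_min_protocol "$tmp")"
else
    echo "edit did not take effect" >&2
fi
rm -f "$tmp"
```

In a Dockerfile the same functions can run in the `RUN` step against `/etc/ssl/openssl.cnf`, so the build stops when the file layout differs from what the `sed` pattern expects.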