4

I have a MySQL database with version 5.7.19 and TLS version 1.1. I'm using the following code snippet to establish a connection in my .NET Core 3.1 application:

string connStr = "server=Myserver;user id=myuser;password=my password;database=db;SslMode=Required;SslCa=D:\\server-ca.pem;SslCert=D:\\client-cert.pem;SslKey=D:\\client-key.pem;";

try
{
    using (MySqlConnection connection = new MySqlConnection(connStr))
    {
        connection.Open();
        connection.Close();
    }
}
catch (Exception ex)
{
    // handle the exception
}


This code works fine with .NET Core 3.1, but after upgrading to .NET 6, it throws the following exceptions:

MySqlConnector.MySqlException(0x80004005): SSL Authentication Error
 ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> System.ComponentModel.Win32Exception(0x8009030E): No credentials are available in the security package
   at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCH_CREDENTIALS* scc)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCH_CREDENTIALS* secureCredential)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchCredentials(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
   at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
   at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)
   at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan`1 incomingBuffer)
   at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize)
   at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at System.Net.Security.SslStream.AuthenticateAsClient(SslClientAuthenticationOptions sslClientAuthenticationOptions)
   at MySqlConnector.Core.ServerSession.InitSslAsync(ProtocolCapabilities serverCapabilities, ConnectionSettings cs, MySqlConnection connection, SslProtocols sslProtocols, IOBehavior ioBehavior, CancellationToken cancellationToken) in /_/src/MySqlConnector/Core/ServerSession.cs:line 1539
   at MySqlConnector.Core.ServerSession.InitSslAsync(ProtocolCapabilities serverCapabilities, ConnectionSettings cs, MySqlConnection connection, SslProtocols sslProtocols, IOBehavior ioBehavior, CancellationToken cancellationToken) in /_/src/MySqlConnector/Core/ServerSession.cs:line 1569
   at MySqlConnector.Core.ServerSession.ConnectAsync(ConnectionSettings cs, MySqlConnection connection, Int32 startTickCount, ILoadBalancer loadBalancer, Activity activity, IOBehavior ioBehavior, CancellationToken cancellationToken) in /_/src/MySqlConnector/Core/ServerSession.cs:line 539
   at MySqlConnector.Core.ConnectionPool.ConnectSessionAsync(MySqlConnection connection, String logMessage, Int32 startTickCount, Activity activity, IOBehavior ioBehavior, CancellationToken cancellationToken) in /_/src/MySqlConnector/Core/ConnectionPool.cs:line 403
   at MySqlConnector.Core.ConnectionPool.ConnectSessionAsync(MySqlConnection connection, String logMessage, Int32 startTickCount, Activity activity, IOBehavior ioBehavior, CancellationToken cancellationToken) in /_/src/MySqlConnector/Core/ConnectionPool.cs:line 408
   at MySqlConnector.Core.ConnectionPool.GetSessionAsync(MySqlConnection connection, Int32 startTickCount, Activity activity, IOBehavior ioBehavior, CancellationToken cancellationToken) in /_/src/MySqlConnector/Core/ConnectionPool.cs:line 98
   at MySqlConnector.Core.ConnectionPool.GetSessionAsync(MySqlConnection connection, Int32 startTickCount, Activity activity, IOBehavior ioBehavior, CancellationToken cancellationToken) in /_/src/MySqlConnector/Core/ConnectionPool.cs:line 128
   at MySqlConnector.MySqlConnection.CreateSessionAsync(ConnectionPool pool, Int32 startTickCount, Activity activity, Nullable`1 ioBehavior, CancellationToken cancellationToken) in /_/src/MySqlConnector/MySqlConnection.cs:line 929
   at MySqlConnector.MySqlConnection.OpenAsync(Nullable`1 ioBehavior, CancellationToken cancellationToken) in /_/src/MySqlConnector/MySqlConnection.cs:line 423
   at MySqlConnector.MySqlConnection.Open() in /_/src/MySqlConnector/MySqlConnection.cs:line 382
   at WebApplication1.Program.Main(String[] args) in D:\WebApplication1\WebApplication1\Program.cs:line 24

Does anyone know if there are any breaking changes in .NET 6 that could be causing this issue? If not, any suggestions on how to handle this error would be greatly appreciated.

Edit: The database version mentioned here is being used by one of the end users, and they are not willing to upgrade. Therefore, I am searching for concrete documentation to confirm that this version is not officially supported for my user.

Thank you in advance!

Venkat
  • Probably TLS 1.1 is disabled, especially considering it's basically broken now. MySQL 5.7 is also not much supported anymore, it's going EOL in a few months. Why not upgrade to MySQL 8.0? – Charlieface May 02 '23 at 14:18
  • @JoelCoehoorn - the mentioned database version is used by one of my users and they are not willing to upgrade. – janarthanan May 02 '23 at 14:27
  • @Charlieface - As I have mentioned above, the end user is not willing to upgrade. Could you please suggest whether it is an official limitation, with any official documentation if available? It will be helpful. – janarthanan May 02 '23 at 14:30
  • Looks like TLS 1.2 is supported, but would probably depend on the version of openssl installed on the server. See also https://dev.mysql.com/doc/refman/5.7/en/encrypted-connection-protocols-ciphers.html and https://dba.stackexchange.com/questions/292500/is-tls-1-2-supported-in-mysql-5-7-community-build – Charlieface May 02 '23 at 14:39
  • If it were me, I'd tell that user you are not willing to support 5.7 once it goes end of life. Period. That's a major liability for you, and it's common practice throughout the industry. Think about what the major browser vendors did as Flash went EOL, for example. If it were me. – Joel Coehoorn May 02 '23 at 14:52
  • @JoelCoehoorn - I can understand your suggestion. However, the same connection worked in .NET Core 3.1, so the customer is asking for more clarification and is not willing to upgrade for some reason. So we need to either provide a solution in .NET Core 6 or mention it as a breaking change based on official pages. – janarthanan May 03 '23 at 05:38
  • On what server os is this app running? – jeb May 04 '23 at 20:22
  • @jeb- windows 10 pro – janarthanan May 05 '23 at 05:13
  • Have you tried overriding the settings for SSL options for the .NET connector? (Not recommended of course) https://mysqlconnector.net/connection-options/ Something like TlsVersion = "TLS 1.1., TLS 1.2, TLS 1.3" – scotru May 09 '23 at 00:49
  • @scotru Yes, I tried, but the issue persists. – janarthanan May 09 '23 at 04:25
  • I think this might be what you are looking for documentation-wise. It looks like the change happened in .NET 5: https://learn.microsoft.com/en-us/dotnet/core/compatibility/cryptography/5.0/default-cipher-suites-for-tls-on-linux – scotru May 10 '23 at 06:00

1 Answer

3

TLS v1.1 is now basically deprecated and insecure. And the version of MySQL that you have (5.7) only supports TLS v1.2 in certain cases. Please see the documentation, but basically you would need to either build MySQL yourself, or use MySQL Commercial. There are also some other config options you may need.

There are some other options:

  • Upgrade to MySQL v8+. I strongly recommend you do this, as you are on the edge of deprecation for 5.7.
  • Allow TLS 1.1 in your client machine. I strongly recommend you don't do this, but if you want, you can use the free IIS Crypto app, which works for any version of Windows, including client versions. For Linux, you would need to change the openssl.conf file.
  • Disable encryption for this MySQL connection by using Encrypt=False. I strongly recommend you do not do this over the public internet.
Charlieface
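
To check which TLS versions this client and server can actually agree on, the following diagnostic pins MySqlConnector to one protocol version at a time and reads back what the server negotiated. It is an added example, not code from the question or the answer; the class and method names (TlsProbe, Probe) are hypothetical, and the connection string reuses the question's values with a placeholder password.

```csharp
using System;
using MySqlConnector;

static class TlsProbe
{
    // Opens one non-pooled connection restricted to a single TLS version and
    // returns what the server reports for that session. Throws if the handshake fails.
    static (string Version, string Cipher) Probe(string baseConnStr, string tlsVersion)
    {
        var csb = new MySqlConnectionStringBuilder(baseConnStr)
        {
            SslMode = MySqlSslMode.Required, // never fall back to plaintext
            TlsVersion = tlsVersion,         // offer only this protocol version
            Pooling = false,                 // force a fresh handshake per probe
        };

        using var conn = new MySqlConnection(csb.ConnectionString);
        conn.Open();

        // Ssl_version and Ssl_cipher are per-session status variables on the server.
        using var cmd = new MySqlCommand(
            "SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_version', 'Ssl_cipher')", conn);
        using var reader = cmd.ExecuteReader();

        string version = "", cipher = "";
        while (reader.Read())
        {
            if (reader.GetString(0) == "Ssl_version") version = reader.GetString(1);
            else cipher = reader.GetString(1);
        }
        return (version, cipher);
    }

    static void Main()
    {
        // Same shape as the question's connection string; <password> is a placeholder.
        const string connStr = @"server=Myserver;user id=myuser;password=<password>;database=db;SslCa=D:\server-ca.pem;SslCert=D:\client-cert.pem;SslKey=D:\client-key.pem;";

        foreach (var tls in new[] { "TLS 1.2", "TLS 1.1" })
        {
            try
            {
                var (version, cipher) = Probe(connStr, tls);
                Console.WriteLine($"{tls}: negotiated {version} with cipher {cipher}");
            }
            catch (MySqlException ex)
            {
                // A failure here means client and server could not agree on this version.
                Console.WriteLine($"{tls}: handshake failed: {ex.Message}");
            }
        }
    }
}
```

If the TLS 1.2 probe succeeds, the server build already supports it and pinning TlsVersion to TLS 1.2 avoids re-enabling TLS 1.1 on the client.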