4

This error occurs on a single endpoint. It is the one that tries to extract data from SqlServer. If I try to run IIS everything works fine. When I run in a linux docker container, it doesn't work anymore. I have the following errors:

OpenSslCryptographicException: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

Unknown location SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.

Interop+OpenSsl.DoSslHandshake(SafeSslHandle context, ReadOnlySpan input, out byte[] sendBuf, out int sendCount) AuthenticationException: Authentication failed, see inner exception.

System.Net.Security.SslStream.ForceAuthenticationAsync(TIOAdapter adapter, bool receiveFirst, byte[] reAuthenticationData, bool isApm) SqlException: A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: TCP Provider, error: 35 - An internal exception was caught)

Microsoft.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, bool breakConnection, Action wrapCloseInAction)

SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority '....'.

enter image description here

Improve this question
2
  • Sounds like you are running a .NET instance in a docker container that has a strong security policy configured for OpenSSL which disallows older (and weaker, less ecure) SSL versions that SqlServer tries to use. What container are you using? Commented Mar 18, 2022 at 14:01
  • 1
    Does the server support TLS 1.2? For SQL Server 2012 you need this update support.microsoft.com/en-us/topic/… and you also need to enable relevant registry settings if on Windows 7 or 2012r2 or earlier Commented Mar 19, 2022 at 20:27

3 Answers 3

Reset to default
6

If absolutely required you can lower minimum required TLS version of OpenSSL in your runtime Docker container. Add following lines somewhere prior ENTRYPOINT in your Dockerfile:

# fix for SQLServer 2008 R2 - reduce minimum protocol to tls v1.0
RUN sed -i -e "s|^MinProtocol = .*|MinProtocol = TLSv1.0|g" "/etc/ssl/openssl.cnf"

But upgrading SQL Server so it support latest TLS versions seems to be a correct solution here.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

I'm still getting issues with this: System.IO.IOException: Received an unexpected EOF or 0 bytes from the transport stream.
1

Similar issue occured to me with MassTransit and RabbitMq when I moved to aspnet:9.0 at Dockerfile. I solved it in a such way:

  1. run at cmd:
openssl s_client -connect host:port

Add your host and port (of SqlServer for your case).

  1. I got information about protocol there: enter image description here

  2. Then I added next code snippet to my c# code:

host.UseSsl(sslCfg =>
{
    // ...
    sslCfg.Protocol = System.Security.Authentication.SslProtocols.Tls12;
    // ...
});

And so... My solution works at docker container. Maybe you could do sth similar with SqlServer.

Improve this answer

Comments

0

You can try add Encrypt=false on your connection string too

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.