SqlClient: .NET Core and .NET 5 - focal Docker images Won't Connect to SQL Server

The issue appears because TLS protocol version 1.0 has been disabled by default since Ubuntu 20.04.

The solution for now is to update the /etc/ssl/openssl.cnf file to enable TLSv1:

openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=1

for example:

FROM mcr.microsoft.com/dotnet/aspnet:5.0.0-rc.2-focal AS base
* * *
# Overwrites both copies of the image's OpenSSL config with a file fetched at build time
# from a personal GitHub repository (unpinned master branch)
RUN wget -O /etc/ssl/openssl.cnf https://raw.githubusercontent.com/zs-dima/view/master/openssl.cnf
RUN wget -O /usr/lib/ssl/openssl.cnf https://raw.githubusercontent.com/zs-dima/view/master/openssl.cnf

Reproduced on .NET Core 3+ and .NET 5 focal images:

mcr.microsoft.com/dotnet/core/aspnet:3.1-focal
mcr.microsoft.com/dotnet/aspnet:5.0.0-rc.1-focal
mcr.microsoft.com/dotnet/aspnet:5.0.0-rc.2-focal
***

Microsoft SQL Server 2008 R2 (SP2)

Exception message:
A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: TCP Provider, error: 35 - An internal exception was caught)

Stack trace:
Microsoft.Data.SqlClient.SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: TCP Provider, error: 35 - An internal exception was caught)
 ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
 ---> Interop+Crypto+OpenSslCryptographicException: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
   --- End of inner exception stack trace ---
   at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, Byte[] recvBuf, Int32 recvOffset, Int32 recvCount, Byte[]& sendBuf, Int32& sendCount)
   at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteContext& context, ArraySegment`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
   --- End of inner exception stack trace ---

Similar issue with bionic images: https://github.com/dotnet/SqlClient/issues/222

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 18
  • Comments: 35 (5 by maintainers)

Most upvoted comments

It is working for me on .NET 5.0, AKS, Docker. Please try the code below in your Dockerfile:

FROM mcr.microsoft.com/dotnet/aspnet:5.0 AS base
WORKDIR /app
EXPOSE 80
EXPOSE 443

# Lower the OpenSSL security level and minimum protocol in both copies of openssl.cnf
RUN sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /etc/ssl/openssl.cnf
RUN sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1/g' /etc/ssl/openssl.cnf
RUN sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /usr/lib/ssl/openssl.cnf
RUN sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1/g' /usr/lib/ssl/openssl.cnf

FROM mcr.microsoft.com/dotnet/sdk:5.0 AS build
WORKDIR /src


reference: vcsjones https://github.com/dotnet/SqlClient/issues/222

RUN sed -i '1i openssl_conf = default_conf' /etc/ssl/openssl.cnf && echo -e "\n[ default_conf ]\nssl_conf = ssl_sect\n[ssl_sect]\nsystem_default = system_default_sect\n[system_default_sect]\nMinProtocol = TLSv1\nCipherString = DEFAULT:@SECLEVEL=1" >> /etc/ssl/openssl.cnf

It works for SQL Server 2014 (.NET 5 Alpine).

Just had this problem. After a half day of debugging, I found this thread. Then it took another few hours to find out that on Ubuntu you must remove the -e flag from the echo command… 😑

So the command that I used is a slightly modified version of @LGinC (removed the -e and set the MinProtocol to TLSv1.2):

RUN sed -i '1i openssl_conf = default_conf' /etc/ssl/openssl.cnf && echo "\n[ default_conf ]\nssl_conf = ssl_sect\n[ssl_sect]\nsystem_default = system_default_sect\n[system_default_sect]\nMinProtocol = TLSv1.2\nCipherString = DEFAULT:@SECLEVEL=1" >> /etc/ssl/openssl.cnf

I hope this helps someone not to waste a whole day in debugging like me. 😄
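The recipes in this thread make the same openssl.cnf change in two shapes: sed substitutions on an existing [system_default_sect] (Debian/Ubuntu images) or prepending openssl_conf = default_conf and appending a new section with echo (Alpine). The script below is an added example, not code from the thread or from the SqlClient project: it applies whichever form the file needs, uses printf instead of echo -e (the reason the Ubuntu variant above had to drop -e is that /bin/sh there is dash, whose echo has no -e option), is safe to run twice in a layered build, and reads back the MinProtocol and SECLEVEL that end up in effect. The file names and sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the issue thread or the SqlClient project): apply the
# openssl.cnf "system_default" override portably and idempotently, then read
# back what is in effect. Sample config files are constructed below; in a
# Dockerfile point apply_legacy_tls at /etc/ssl/openssl.cnf (on Debian/Ubuntu
# images /usr/lib/ssl/openssl.cnf is normally a symlink to the same file).

# Emit the fragment the thread appends with "echo -e". printf is used instead:
# on Ubuntu /bin/sh is dash, whose echo has no -e option, so the literal
# string "-e" would be written into the config file.
#   $1 = MinProtocol (TLSv1 re-enables TLS 1.0/1.1; TLSv1.2 keeps the modern floor)
#   $2 = OpenSSL security level (1 admits legacy suites such as 3DES and SHA-1 MACs)
legacy_section() {
    printf '\n[default_conf]\nssl_conf = ssl_sect\n\n[ssl_sect]\nsystem_default = system_default_sect\n\n[system_default_sect]\nMinProtocol = %s\nCipherString = DEFAULT:@SECLEVEL=%s\n' "$1" "$2"
}

# Read back the MinProtocol / SECLEVEL that OpenSSL will apply to every
# SSL_CTX the .NET runtime creates in this container.
effective_min_protocol() {
    sed -n '/^\[system_default_sect\]/,/^\[/{s/^MinProtocol[[:space:]]*=[[:space:]]*//p;}' "$1"
}
effective_seclevel() {
    sed -n '/^\[system_default_sect\]/,/^\[/{s/^CipherString.*@SECLEVEL=\([0-9]\).*/\1/p;}' "$1"
}

# Apply MinProtocol=$2 and SECLEVEL=$3 to the openssl.cnf at $1.
#  - If the file already has a [system_default_sect] (Debian buster, Ubuntu focal),
#    edit the existing lines in place, like the thread's "sed -i s/.../.../" recipes.
#  - Otherwise (Alpine and similar) prepend "openssl_conf = default_conf" and append
#    the whole fragment, like the thread's "sed -i '1i ...' && echo ... >>" recipe.
# A second run finds the section already present and leaves the file unchanged.
apply_legacy_tls() {
    cnf="$1"; minproto="$2"; seclevel="$3"
    if grep -q '^\[system_default_sect\]' "$cnf"; then
        sed -i "/^\[system_default_sect\]/,/^\[/{
s/^MinProtocol[[:space:]]*=.*/MinProtocol = $minproto/
s/^CipherString[[:space:]]*=.*@SECLEVEL=[0-9].*/CipherString = DEFAULT:@SECLEVEL=$seclevel/
}" "$cnf"
        # Some builds ship the section without a MinProtocol line; add one if so.
        [ -n "$(effective_min_protocol "$cnf")" ] || \
            sed -i "/^\[system_default_sect\]/a MinProtocol = $minproto" "$cnf"
    else
        # "openssl_conf = ..." must live in the unnamed default section, i.e. before
        # the first [section] header, which is why the thread inserts it at line 1.
        { printf 'openssl_conf = default_conf\n'; cat "$cnf"; } > "$cnf.tmp" \
            && mv "$cnf.tmp" "$cnf"
        legacy_section "$minproto" "$seclevel" >> "$cnf"
    fi
}

demo() {
    work=$(mktemp -d)
    # Constructed stand-ins for the two shapes of openssl.cnf seen in the thread.
    printf '[ req ]\ndefault_bits = 2048\n' > "$work/alpine.cnf"
    printf 'openssl_conf = default_conf\n[default_conf]\nssl_conf = ssl_sect\n[ssl_sect]\nsystem_default = system_default_sect\n[system_default_sect]\nMinProtocol = TLSv1.2\nCipherString = DEFAULT@SECLEVEL=2\n' > "$work/buster.cnf"

    # Keep TLS 1.2 as the floor and relax only the cipher security level, i.e. the
    # TLSv1.2 variant posted in the thread rather than the TLSv1 downgrade.
    apply_legacy_tls "$work/alpine.cnf" TLSv1.2 1
    apply_legacy_tls "$work/buster.cnf" TLSv1.2 1
    for f in alpine buster; do
        echo "$f: MinProtocol=$(effective_min_protocol "$work/$f.cnf") SECLEVEL=$(effective_seclevel "$work/$f.cnf")"
    done
    rm -rf "$work"
}
demo
```

The two knobs are not equivalent: MinProtocol = TLSv1 re-enables TLS 1.0 and 1.1 for every OpenSSL client in the image, while MinProtocol = TLSv1.2 with SECLEVEL=1 keeps the protocol floor and only admits weaker cipher suites, which is the variant the comment above settled on. Either way the change is process-wide on the client, so the maintainers' recommendation later in the thread (enable TLS 1.2 on the SQL Server itself) is the fix to aim for; the script only makes the interim workaround reproducible.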

Hi @marekstachura

Below post sounds familiar, could you try the recommendation: https://docs.microsoft.com/en-us/dotnet/core/compatibility/cryptography/5.0/default-cipher-suites-for-tls-on-linux (original issue dotnet/runtime#45244)

Also please take a look at SqlClient Troubleshooting Guide - Login Phase solutions to verify your environment is configured correctly.

My solution to connect to a SQL Server 2012 (from Alpine, mcr.microsoft.com/dotnet/aspnet:5.0-alpine) was the following. I tested many configurations, among them the instructions from the linked post. Only after appending the legacy configuration from the Mozilla SSL Configuration Generator did I achieve the connection to the SQL instance.

My fix was the following:

RUN sed -i '1i openssl_conf = default_conf' /etc/ssl/openssl.cnf && echo -e "\n\n[default_conf]\nssl_conf = ssl_sect\n[ssl_sect]\nsystem_default = system_default_sect\n[system_default_sect]\nMinProtocol = TLSv1\nCipherString = DEFAULT:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA" >> /etc/ssl/openssl.cnf

Thanks so much, it works for me; you have saved my life.

@GregBalajewicz does anyone have a sample docker file with this fixed? running into the same issue

Add the RUN sed ... command just before the ENTRYPOINT in your Dockerfile. For Ubuntu 20.04 (focal), you can use the command I posted last week; for the other distros there are slightly different commands above.

I have added the command to the base image (line 4 of the default Dockerfile), right after the EXPOSE 80 in my setup, so that it also works in debugging mode. 😉

Hey @cheenamalhotra,

after setting the CipherString to recommended values we can talk from dotnet5.0 docker image to SQL Server 2016 hosted on Windows 2012 R2.

Thank you ❤️!

Hi @zs-dima

The correct solution to this issue is to ensure target SQL Server supports TLS 1.2 protocol by installing all latest updates. This Microsoft Article: TLS 1.2 support for Microsoft SQL Server can be used to figure out whether target SQL Server supports TLS 1.2 or not. If your server supports and is enabled with TLS 1.2, it will be negotiated.

The workaround to bring back TLS 1.0 support in client machine, is not Microsoft recommendation. Microsoft has declared TLS 1.0 and TLS 1.1 protocols as insecure with known vulnerabilities and all customers must move towards TLS 1.2 protocol.

More information: Enable TLS 1.2 on Servers

I modified the dotnet core runtime and that has fixed this problem.

Microsoft SQL Server 2008 (SP3) - 10.0.5500.0 (X64) Sep 21 2011 22:45:45 Copyright © 1988-2008 Microsoft Corporation Enterprise Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1) (VM)

I have used all the above schemes and still can’t succeed

Just checked and it turns out TLSv1.2 works fine. So the problem was with my CipherString and not the MinProtocol.

Just for your consideration, @krzysztofmajewski. This solution isn’t the best, because you’re downgrading the minimum TLS configuration. Please, use it with caution.

Update on this: I used @thyago-ribeiro 's sed expression to hack my openssl.cnf, and now the problem is resolved. Thanks again @thyago-ribeiro .