问题描述
您需要更新 sql Server 计算机以使用 TLS 1.2。Windows 和 sql Server 都必须更新,否则将无法工作。
- 对于 Windows 本身,您使用的是 Windows Server 2008 R2,它至少需要此更新,实际上您应该更新到最新版本。
- 对于 sql Server,您至少需要获取此更新。在执行此操作之前,您还必须进行SP4 更新。
您拥有的两个版本都严重过时,并且没有收到最新的安全修复程序,其中一些非常严重。
解决方法
我正在尝试从 Xubuntu 22.04 和 .NET 6.0 连接到 SQL Server 2008 R2(Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64)):
var sqlConnection = new SqlConnection("Server=server;Database=MyDb;User Id=MyUser;Password=MyPassword;ENCRYPT=false;TrustServerCertificate=true");
尝试使用连接时出现此错误:
System.Data.SqlClient.SqlException : A connection was successfully established with the server,but then an error occurred during the pre-login handshake. (provider: TCP Provider,error: 35 - An internal exception was caught)
---- System.Security.Authentication.AuthenticationException : Authentication failed,see inner exception.
-------- Interop+OpenSsl+SslException : SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
------------ Interop+Crypto+OpenSslCryptographicException : error:0A000102:SSL routines::unsupported protocol
从我已经尝试过的连接字符串中可以看出Encrypt=false
,TrustServerCertificate=true
.
我还尝试了解决方案:
sed -i 's/openssl_conf = openssl_init/#openssl_conf = openssl_init/g' /etc/ssl/openssl.cnf
我也试过这个:
MinProtocol=TLSv1 CipherString=DEFAULT@SECLEVEL=1 dotnet run
更新:
它无需从 Windows 客户端进行修改即可工作。
更新:
我/etc/ssl/openssl.cnf
从这个改变:
[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=2
对此:
[system_default_sect]
MinProtocol = TLSv1.0
CipherString = DEFAULT@SECLEVEL=1
现在错误是:
System.Data.SqlClient.SqlException
A connection was successfully established with the server,but then an error occurred during the pre-login handshake. (provider: SSL Provider,error: 31 - Encryption(ssl/tls) handshake failed)
这个
[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1
导致这个:
Interop+OpenSsl+SslException
SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context,ReadOnlySpan`1 input,Byte[]& sendBuf,Int32& sendCount)
at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential,SafeDeleteSslContext& context,ReadOnlySpan`1 inputBuffer,Byte[]& outputBuffer,SslAuthenticationOptions sslAuthenticationOptions)
Interop+Crypto+OpenSslCryptographicException
error:0A0C0103:SSL routines::internal error
Exception doesn't have a stacktrace
更新:
必须有一个可行的选项,因为我可以在同一台机器上使用带有 jTds 驱动程序的 DataGrip 连接到数据库。
更新:
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=1
结果:
Interop+OpenSsl+SslException
SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context,SslAuthenticationOptions sslAuthenticationOptions)
Interop+Crypto+OpenSslCryptographicException
error:0A000102:SSL routines::unsupported protocol
Exception doesn't have a stacktrace
**更新**(来自https://github.com/dotnet/SqlClient/issues/567):
openssl s_client -tls1 -connect server:1433
CONNECTED(00000003)
更新:
对注册表进行了以下更改:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
更新:
我还安装了这样的根 CA 证书:
sudo apt-get install -y ca-certificates
sudo cp local-ca.crt /usr/local/share/ca-certificates
sudo update-ca-certificates
更新:
更多openssl
输出:
SSL_connect:before SSL initialization
>>> TLS 1.0,RecordHeader [length 0005]
16 03 01 00 74
>>> TLS 1.1,Handshake [length 0074],ClientHello
write to 0x55971383cef0 [0x55971384e1b0] (121 bytes => 121 (0x79))
SSL_connect:SSLv3/TLS write client hello
read from 0x55971383cef0 [0x559713844f93] (5 bytes => -1)
SSL_connect:error in SSLv3/TLS write client hello
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 121 bytes
Verification: OK
---
New,(NONE),Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1658171132
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
read from 0x55971383cef0 [0x559713798600] (8192 bytes => 0)