
SQL Server 2022 in docker, accepts TDS 7 connection but closes the TDS 8.0 connection with Error: 17821 - A valid TLS certificate is not configured to accept strict (TDS 8.0 and above) connections. #878

dimdin opened this issue May 13, 2024 · 2 comments

Comments

@dimdin

dimdin commented May 13, 2024

I am using the latest 2022 container with TLS 1.2.
I can connect using the option -Nm (mandatory security using TDS 7), and the installed key and certificate are accepted by both sqlcmd (Version 18.2.0001.1 Linux) and go-sqlcmd (Version: v1.6.0).

When I try to use TDS 8.0 with the option -Ns (strict security using TDS 8), the connection is closed after the TLS ServerHello message and SQL Server logs:

2024-05-13 15:42:46.69 Logon       Error: 17821, Severity: 20, State: 1.
2024-05-13 15:42:46.69 Logon       A valid TLS certificate is not configured to accept strict (TDS 8.0 and above) connections. The connection has been closed.

Using the same client setup and similar certificates I can connect to a SQL Server on a Windows machine using both TDS 8 and TDS 7.

Using the openssl client, I emulate a TDS 8 connection; SQL Server logs error 17821, but before closing the connection it responds with a TLS alert packet, "decode error".

❯ openssl s_client -alpn "tds/8.0" -servername "mssql" -tls1_2 -state -debug -connect mssql:1433
CONNECTED(00000003)
SSL_connect:before SSL initialization
write to 0x56082d5bf450 [0x56082d6a7590] (216 bytes => 216 (0xD8))
0000 - 16 03 01 00 d3 01 00 00-cf 03 03 b1 d1 e1 7f 9a   ................
0010 - 4a 33 5f af 51 a9 47 2a-b5 c1 db 23 fb 5c 7e d0   J3_.Q.G*...#.\~.
0020 - 7d 57 71 66 0a 41 57 e8-5d ee b4 00 00 38 c0 2c   }Wqf.AW.]....8.,
0030 - c0 30 00 9f cc a9 cc a8-cc aa c0 2b c0 2f 00 9e   .0.........+./..
0040 - c0 24 c0 28 00 6b c0 23-c0 27 00 67 c0 0a c0 14   .$.(.k.#.'.g....
0050 - 00 39 c0 09 c0 13 00 33-00 9d 00 9c 00 3d 00 3c   .9.....3.....=.<
0060 - 00 35 00 2f 00 ff 01 00-00 6e 00 00 00 0a 00 08   .5./.....n......
0070 - 00 00 05 6d 73 73 71 6c-00 0b 00 04 03 00 01 02   ...mssql........
0080 - 00 0a 00 0c 00 0a 00 1d-00 17 00 1e 00 19 00 18   ................
0090 - 00 23 00 00 00 10 00 0a-00 08 07 74 64 73 2f 38   .#.........tds/8
00a0 - 2e 30 00 16 00 00 00 17-00 00 00 0d 00 2a 00 28   .0...........*.(
00b0 - 04 03 05 03 06 03 08 07-08 08 08 09 08 0a 08 0b   ................
00c0 - 08 04 08 05 08 06 04 01-05 01 06 01 03 03 03 01   ................
00d0 - 03 02 04 02 05 02 06 02-                          ........
SSL_connect:SSLv3/TLS write client hello
read from 0x56082d5bf450 [0x56082d69f373] (5 bytes => 0)
write to 0x56082d5bf450 [0x56082d6a7590] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 32                              ......2
SSL3 alert write:fatal:decode error
SSL_connect:error in error
40A7BE41657F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:303:

To reproduce:

docker-compose.conf

services:
  mssql:
    container_name: mssql
    hostname: mssql
    build:
      context: mssql/
      dockerfile: Dockerfile
    restart: always
    environment:
      ACCEPT_EULA: "Y"
      MSSQL_SA_PASSWORD: "change me"
      MSSQL_PID: "Developer"
      TZ: "UTC"
      MSSQL_TCP_PORT: "1433"
      MSSQL_LCID: "1033"
      MSSQL_COLLATION: "Latin1_General_100_CI_AS_SC_UTF8"
    volumes:
      - msdata:/var/opt/mssql
    ports:
      - 1433:1433
volumes:
  msdata:
    name: "mssql"

mssql/Dockerfile

FROM mcr.microsoft.com/mssql/server:2022-latest

COPY --chown=mssql --chmod=440 mssql.pem /certs/
COPY --chown=mssql --chmod=400 mssql-key.pem /certs/
COPY --chown=mssql mssql.conf /var/opt/mssql/mssql.conf

mssql/mssql.conf:

[EULA]
accepteula = Y

[network]
tlscert = /certs/mssql.pem
tlskey = /certs/mssql-key.pem
tlsprotocols = 1.2
forceencryption = 0

[telemetry]
customerfeedback = false

Certificates are generated using a modified version of mkcert that places the first host name as the common name in the subject.

diff --git a/cert.go b/cert.go
index 4ce36cc..7adad13 100644
--- a/cert.go
+++ b/cert.go
@@ -97,9 +97,7 @@ func (m *mkcert) makeCert(hosts []string) {
 
        // IIS (the main target of PKCS #12 files), only shows the deprecated
        // Common Name in the UI. See issue #115.
-       if m.pkcs12 {
-               tpl.Subject.CommonName = hosts[0]
-       }
+       tpl.Subject.CommonName = hosts[0]
 
        cert, err := x509.CreateCertificate(rand.Reader, tpl, m.caCert, pub, m.caKey)
        fatalIfErr(err, "failed to generate certificate")
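Review bot: the retained comment above the hunk ("IIS ... only shows the deprecated Common Name in the UI. See issue #115.") now describes a conditional that no longer exists, since `tpl.Subject.CommonName = hosts[0]` is set unconditionally rather than only for `m.pkcs12`. Update the comment to state the new intent (CN is always populated, for servers that still match on CN), and note that `hosts[0]` is taken as-is, so whatever the user lists first, including an IP literal, lands in the CN.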
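The openssl trace in the issue above, decoded. This is an added diagnostic example, not code from the issue author, from SQL Server or from mkcert. It parses the 216-byte ClientHello and the 7-byte alert record copied from the -debug hex dump, confirms the probe carried SNI "mssql" and ALPN "tds/8.0" (the two things a TDS 8.0 strict client presents in the handshake before the server ever gets to its certificate), and names the alert. The extension and alert name tables and the check_tds8_probe helper are my own; the hex input is the post's, embedded here so the script runs offline.

```python
"""Decode the TLS ClientHello and alert record from the openssl s_client trace."""
import struct

# Input copied from the openssl -debug dump in the issue (the 216-byte ClientHello).
CLIENT_HELLO_HEX = """
16 03 01 00 d3 01 00 00 cf 03 03 b1 d1 e1 7f 9a 4a 33 5f af 51 a9 47 2a b5 c1 db 23 fb 5c 7e d0
7d 57 71 66 0a 41 57 e8 5d ee b4 00 00 38 c0 2c c0 30 00 9f cc a9 cc a8 cc aa c0 2b c0 2f 00 9e
c0 24 c0 28 00 6b c0 23 c0 27 00 67 c0 0a c0 14 00 39 c0 09 c0 13 00 33 00 9d 00 9c 00 3d 00 3c
00 35 00 2f 00 ff 01 00 00 6e 00 00 00 0a 00 08 00 00 05 6d 73 73 71 6c 00 0b 00 04 03 00 01 02
00 0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23 00 00 00 10 00 0a 00 08 07 74 64 73 2f 38
2e 30 00 16 00 00 00 17 00 00 00 0d 00 2a 00 28 04 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b
08 04 08 05 08 06 04 01 05 01 06 01 03 03 03 01 03 02 04 02 05 02 06 02
"""
# The alert record that follows the zero-length read in the same trace.
ALERT_HEX = "15 03 01 00 02 02 32"

# Name tables (own helpers; values from RFC 5246 / IANA registries).
EXT_NAMES = {0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
             13: "signature_algorithms", 16: "alpn", 22: "encrypt_then_mac",
             23: "extended_master_secret", 35: "session_ticket", 43: "supported_versions"}
ALERT_DESC = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
              50: "decode_error", 70: "protocol_version", 80: "internal_error",
              120: "no_application_protocol"}
TDS8_ALPN = "tds/8.0"


def hex_to_bytes(dump):
    return bytes.fromhex("".join(dump.split()))


def read_vec(buf, pos, lensize):
    """Read a length-prefixed TLS vector at pos; return (payload, position after it)."""
    n = int.from_bytes(buf[pos:pos + lensize], "big")
    pos += lensize
    return buf[pos:pos + n], pos + n


def parse_client_hello(raw):
    """Return the fields of a ClientHello record that matter for a TDS 8.0 probe."""
    ctype, rec_version, rec_len = struct.unpack("!BHH", raw[:5])
    body = raw[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len:
        raise ValueError("not a complete handshake record")
    if body[0] != 1 or int.from_bytes(body[1:4], "big") != len(body) - 4:
        raise ValueError("not a complete ClientHello")
    hello = body[4:]
    client_version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                               # legacy_version + random
    _, pos = read_vec(hello, pos, 1)           # session id
    suites, pos = read_vec(hello, pos, 2)
    _, pos = read_vec(hello, pos, 1)           # compression methods
    exts, pos = read_vec(hello, pos, 2)
    info = {"record_version": rec_version, "client_version": client_version,
            "cipher_suites": [struct.unpack("!H", suites[i:i + 2])[0]
                              for i in range(0, len(suites), 2)],
            "extensions": [], "sni": None, "alpn": [], "supported_versions": []}
    p = 0
    while p < len(exts):
        etype = struct.unpack("!H", exts[p:p + 2])[0]
        data, p = read_vec(exts, p + 2, 2)
        info["extensions"].append(EXT_NAMES.get(etype, etype))
        if etype == 0:                         # server_name: list of (type, name)
            names, _ = read_vec(data, 0, 2)
            q = 0
            while q < len(names):
                name, q2 = read_vec(names, q + 1, 2)
                if names[q] == 0:
                    info["sni"] = name.decode("ascii")
                q = q2
        elif etype == 16:                      # alpn: list of opaque protocol names
            protos, _ = read_vec(data, 0, 2)
            q = 0
            while q < len(protos):
                proto, q = read_vec(protos, q, 1)
                info["alpn"].append(proto.decode("ascii"))
        elif etype == 43:                      # supported_versions (absent with -tls1_2)
            vers, _ = read_vec(data, 0, 1)
            info["supported_versions"] = [struct.unpack("!H", vers[i:i + 2])[0]
                                          for i in range(0, len(vers), 2)]
    return info


def parse_alert(raw):
    """Decode a TLS alert record into level and description."""
    ctype, _, rec_len = struct.unpack("!BHH", raw[:5])
    if ctype != 0x15 or rec_len != 2:
        raise ValueError("not an alert record")
    level, code = raw[5], raw[6]
    return {"level": "fatal" if level == 2 else "warning",
            "description": ALERT_DESC.get(code, code), "code": code}


def check_tds8_probe(info):
    """List what is missing for the hello to count as a TDS 8.0 strict probe; [] if nothing."""
    problems = []
    if info["alpn"] != [TDS8_ALPN]:
        problems.append("ALPN must be exactly %r, got %r" % (TDS8_ALPN, info["alpn"]))
    if not info["sni"]:
        problems.append("no server_name (SNI) extension")
    offered = info["supported_versions"] or [info["client_version"]]
    if max(offered) < 0x0303:
        problems.append("TLS 1.2 or later not offered")
    return problems


if __name__ == "__main__":
    hello = parse_client_hello(hex_to_bytes(CLIENT_HELLO_HEX))
    print("SNI:", hello["sni"], "ALPN:", hello["alpn"], "extensions:", hello["extensions"])
    print("probe problems:", check_tds8_probe(hello) or "none")
    print("alert:", parse_alert(hex_to_bytes(ALERT_HEX)))
```

The decoder only says what each record is, not which side sent it; in the trace the alert record sits under a "write to" line that follows a read returning 0 bytes, so read the direction off the trace, not off the bytes. The same parser can be pointed at a capture of sqlcmd -Ns to confirm a driver is sending the ALPN value the server expects.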
@Mik4sa

Mik4sa commented Jul 24, 2024

I get the same error.
@dimdin Are there any news around this?

@dimdin

dimdin commented Jul 25, 2024

> I get the same error. @dimdin Are there any news around this?

Unfortunately, I have no news about it.
