我正在尝试从 Xubuntu 22.04 和 .NET 6.0 连接到 SQL Server 2008 R2(Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64)):
var sqlConnection = new SqlConnection("Server=server;Database=MyDb;User Id=MyUser;Password=MyPassword;ENCRYPT=false;TrustServerCertificate=true");
尝试使用连接时出现此错误:
System.Data.SqlClient.SqlException : A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: TCP Provider, error: 35 - An internal exception was caught) ---- System.Security.Authentication.AuthenticationException : Authentication failed, see inner exception. -------- Interop+OpenSsl+SslException : SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL. ------------ Interop+Crypto+OpenSslCryptographicException : error:0A000102:SSL routines::unsupported protocol
从我已经尝试过的连接字符串中可以看出Encrypt=false,TrustServerCertificate=true.
Encrypt=false
TrustServerCertificate=true
我还尝试了解决方案:
sed -i 's/openssl_conf = openssl_init/#openssl_conf = openssl_init/g' /etc/ssl/openssl.cnf
我也试过这个:
MinProtocol=TLSv1 CipherString=DEFAULT@SECLEVEL=1 dotnet run
更新:
它无需从 Windows 客户端进行修改即可工作。
我/etc/ssl/openssl.cnf从这个改变:
/etc/ssl/openssl.cnf
[system_default_sect] CipherString = DEFAULT:@SECLEVEL=2
对此:
[system_default_sect] MinProtocol = TLSv1.0 CipherString = DEFAULT@SECLEVEL=1
现在错误是:
System.Data.SqlClient.SqlException A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 31 - Encryption(ssl/tls) handshake failed)
这个
[system_default_sect] CipherString = DEFAULT@SECLEVEL=1
导致这个:
Interop+OpenSsl+SslException SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL. at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, ReadOnlySpan`1 input, Byte[]& sendBuf, Int32& sendCount) at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteSslContext& context, ReadOnlySpan`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions) Interop+Crypto+OpenSslCryptographicException error:0A0C0103:SSL routines::internal error Exception doesn't have a stacktrace
必须有一个可行的选项,因为我可以在同一台机器上使用带有 jTds 驱动程序的 DataGrip 连接到数据库。
[system_default_sect] MinProtocol = TLSv1.2 CipherString = DEFAULT@SECLEVEL=1
结果:
Interop+OpenSsl+SslException SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL. at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, ReadOnlySpan`1 input, Byte[]& sendBuf, Int32& sendCount) at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteSslContext& context, ReadOnlySpan`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions) Interop+Crypto+OpenSslCryptographicException error:0A000102:SSL routines::unsupported protocol Exception doesn't have a stacktrace
**更新**(来自https://github.com/dotnet/SqlClient/issues/567):
openssl s_client -tls1 -connect server:1433 CONNECTED(00000003)
对注册表进行了以下更改:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "DisabledByDefault"=dword:00000001 "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "Enabled"=dword:00000000 "DisabledByDefault"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "Enabled"=dword:ffffffff "DisabledByDefault"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "Enabled"=dword:ffffffff "DisabledByDefault"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "Enabled"=dword:ffffffff "DisabledByDefault"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "Enabled"=dword:ffffffff "DisabledByDefault"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "Enabled"=dword:ffffffff "DisabledByDefault"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "Enabled"=dword:ffffffff "DisabledByDefault"=dword:00000000
我还安装了这样的根 CA 证书:
sudo apt-get install -y ca-certificates sudo cp local-ca.crt /usr/local/share/ca-certificates sudo update-ca-certificates
更多openssl输出:
openssl
SSL_connect:before SSL initialization >>> TLS 1.0, RecordHeader [length 0005] 16 03 01 00 74 >>> TLS 1.1, Handshake [length 0074], ClientHello write to 0x55971383cef0 [0x55971384e1b0] (121 bytes => 121 (0x79)) SSL_connect:SSLv3/TLS write client hello read from 0x55971383cef0 [0x559713844f93] (5 bytes => -1) SSL_connect:error in SSLv3/TLS write client hello write:errno=104 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 121 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.1 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: PSK identity: None PSK identity hint: None SRP username: None Start Time: 1658171132 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no --- read from 0x55971383cef0 [0x559713798600] (8192 bytes => 0)
您需要更新 SQL Server 计算机以使用 TLS 1.2。Windows 和 SQL Server 都必须更新,否则将无法工作。
我*强烈*建议您迁移到较新版本的 Windows 和 SQL Server。您拥有的两个版本都严重过时,并且没有收到最新的安全修复程序,其中一些非常严重。
