SQL 服务器登录前握手(错误:31 - 加密(ssl/tls)握手失败)
[英]SQL Server Pre-Login Handshake (error: 31 - Encryption(ssl/tls) handshake failed)
问题描述
I have a SQL server version 12.0.6205 and the following code in a.Net Core 3.1 (or 6) Web Api controller: 
I have a SQL server version 12.0.6205 and the following code in a.Net Core 3.1 (or 6) Web Api controller:
var builder = new SqlConnectionStringBuilder
{
DataSource = DataSource,
UserID = UserID,
Password = Password,
InitialCatalog = InitialCatalog,
ApplicationIntent = ApplicationIntent.ReadWrite,
// Same result if true/true
Encrypt = false,
TrustServerCertificate = false
};
var connection = new SqlConnection(builder.ToString());
using (var cmd = new SqlCommand() { Connection = connection, CommandText = "SELECT TOP 1 * FROM [dbo].[Table]" })
{
connection.Open(); // Breaks here
var reader = cmd.ExecuteReader();
Console.WriteLine(reader.HasRows);
}
Locally this code works without issues but when executing in Azure's App service it breaks when opening the connection with:在本地,此代码可以正常工作,但是在 Azure 的应用服务中执行时,它会在打开连接时中断:
System.Data.SqlClient.SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 31 - Encryption(ssl/tls) handshake failed)
I also have been able to reproduce the error, locally, if creating a docker imaged based on appsvc/dotnetcore (any tag)如果创建基于appsvc/dotnetcore (任何标签)映像的docker,我也能够在本地重现该错误
FROM mcr.microsoft.com/appsvc/dotnetcore:3.1-latest_20220105.1
ENV ASPNETCORE_URLS=http://+:80
EXPOSE 8080
WORKDIR /home/site/wwwroot/
COPY . .
ENTRYPOINT ["dotnet", "Test.dll"]
2 个解决方案
解决方案1
0 2022-01-10 14:49:20
Found a similar issue in GitHub which is TLS HandShake Failure in SQL Server Pre-Login Handshake with Docker Image.在GitHub中发现了一个类似的问题,即 SQL 服务器登录前握手与 Docker 图像中的 TLS 握手失败。
Also, This error typically occurs in client environments like docker image containers, Unix clients, or Windows clients where TLS 1.2 is the minimum supported TLS protocol.此外,此错误通常发生在客户端环境中,例如 docker 图像容器、Unix 客户端或 Windows 客户端,其中 TLS 1.2 是支持的最低 TLS 协议。
Install the latest updates on supported versions of SQL Server1 and ensure the TLS 1.2 protocol is enabled on the server.在 SQL Server1 的受支持版本上安装最新更新,并确保在服务器上启用 TLS 1.2 协议。
- Install the target SQL Server's TLS/SSL certificate in the client environment.在客户端环境中安装目标 SQL Server 的 TLS/SSL 证书。 It will be validated if encryption is needed.如果需要加密,它将被验证。
- Set the "Trust Server Certificate = true" property in the connection string.在连接字符串中设置“Trust Server Certificate = true”属性。
- Generate a new TLS/SSL Certificate for the server whose hash is signed with at-least the SHA-256 hashing algorithm.为其 hash 至少使用 SHA-256 散列算法签名的服务器生成新的 TLS/SSL 证书。
Reference: Pre-Login Handshake Error Solution from Microsoft参考: Microsoft 的登录前握手错误解决方案
解决方案2
0 2022-01-10 16:30:12
Like @DraggonDragger said this is a TLS issue but in my specific case I can't rely on the SQL server being updated to allow TLS 1.2 therefore I had to allow TLS 1.0.就像@DraggonDragger 说这是一个 TLS 问题,但在我的具体情况下,我不能依赖 SQL 服务器被更新以允许 TLS 1.2,因此我必须允许 TLS 1.0。
I ended up following this answer: https://stackoverflow.com/a/61523341/17892120;我最终遵循了这个答案: https://stackoverflow.com/a/61523341/17892120;
Essentially, for docker images, adding this line is enough: RUN sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /etc/ssl/openssl.cnf本质上,对于 docker 图像,添加这一行就足够了: RUN sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /etc/ssl/openssl.cnf
And for Azure's App Service, we can add sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /etc/ssl/openssl.cnf && dotnet Test.dll for the startup command.而对于Azure的App Service,我们可以在启动命令中添加sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /etc/ssl/openssl.cnf && dotnet Test.dll 。
For future reference, there's also a discussion about this in GitHub, link .为了将来参考,GitHub 中也对此进行了讨论,链接。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.