denisenkom / go-mssqldb

Microsoft SQL server driver written in go language
BSD 3-Clause "New" or "Revised" License

Go version 1.18 TLS 1.0 and 1.1 disabled by default client-side (sql server old TLS versions not work) #726

Open gus2286 opened 2 years ago

gus2286 commented 2 years ago

Hi and thanks for the work you do.

I just installed the latest Go compiler, version 1.18, and the connections to databases that still use TLS 1.0 are broken.

Error: TLS Handshake failed: tls: server selected unsupported protocol version 301

There is a workaround for the moment using the environment variable GODEBUG=tls10default=1, BUT in the next version, Go 1.19, this environment variable will be disabled.

My proposal is to have a way to pass the TLS config param Config.MinVersion, set to VersionTLS10, to the driver in some way. Would that be possible?

https://tip.golang.org/doc/go1.18#tls10

Thanks Gus

iambudi commented 2 years ago

I'm using go version go1.18 darwin/amd64; adding the GODEBUG environment variable (os env or go setEnv) still gives the TLS Handshake failed error.

Any other workaround?

gus2286 commented 2 years ago

It is strange that GODEBUG doesn't work. Did you double-check after setting it to verify that it is set correctly?

You can always downgrade Go to 1.17 (like I do)

iambudi commented 2 years ago

Yes, I double-checked it:

os.Setenv("GODEBUG", "tls10default=1")
log.Println(os.Getenv("GODEBUG"))
// output tls10default=1

iambudi commented 2 years ago

> You can always downgrade Go to 1.17 (like I do)

Sure, I will check later. Thanks.

derwitzer commented 2 years ago

One thing you may use as a workaround (but it's far away from best practice 😉) is to disable encryption in your connection string. I wouldn't recommend this workaround, but if you have coded some in-house apps with no critical data, you may think about it.

Hopefully there will be a solution soon for this driver. As I've seen, Microsoft will take care of this project, so maybe we'll get a fix in the near future.

Someone mentioned a downgrade, but this did not work for me :( Had the same issue with 1.17 :/ Maybe because of the updated drivers?

iambudi commented 2 years ago

I tried both combinations of encrypt=False and TrustServerCertificate=True in the connection string and still have the TLS issue. 1.17 still does not make it.

iambudi commented 2 years ago

In package crypto/tls:

> By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. TLS 1.0 is the minimum supported by this package, both as a client and as a server. The client-side default can temporarily be reverted to TLS 1.0 by including the value "x509sha1=1" in the GODEBUG environment variable. Note that this option will be removed in Go 1.19 (but it will still be possible to set this field to VersionTLS10 explicitly).

So I have to go mod vendor to modify the conn_str.go of the driver and set the minimum version back to TLS 1.0 manually, and it works now.

This is related to the proposal from @gus2286 to pass Config.MinVersion.

fumin commented 2 years ago

> Yes, I double-checked it:
>
> os.Setenv("GODEBUG", "tls10default=1")
> log.Println(os.Getenv("GODEBUG"))
> // output tls10default=1

This does not work, because the standard library reads the environment variable at startup: https://github.com/golang/go/blob/master/src/crypto/tls/common.go#L978

Can we please triage this MinVersion feature, as there is a lot of Microsoft legacy software that sucks...

zhiyunliu commented 2 years ago

I tried to set the GODEBUG parameter. It doesn't work well.

os.Setenv("GODEBUG", "x509sha1=1,tls10default=1")

JuanRenteM commented 2 years ago

Any updates on this?

hugorosario commented 2 years ago

Just ran into this situation. The only fix I found was to disable TLS altogether by passing "encrypt=disable" on the connection string. This is not recommended if you are doing any serious work. In my case it's just fine for localhost connections, but it will definitely need a fix before going into production.

ZekeLu commented 2 years ago

> > Yes, I double-checked it:
> >
> > os.Setenv("GODEBUG", "tls10default=1")
> > log.Println(os.Getenv("GODEBUG"))
> > // output tls10default=1
>
> This does not work, because the standard library reads the environment variable at startup: https://github.com/golang/go/tree/go1.18.3/src/crypto/tls/common.go#L978

Yes, it doesn't work. The environment variable should be set before the app is started. Here are some common options to set it:

And please note that it only works for go1.18. The flag has been removed in go1.19 (golang/go@f0ee7fda636408b4f04ca3f3b11788f662c90610).

WenTao-Love commented 2 years ago

fmt.Sprintf("server=%s;port=%d;database=%s;user id=%s;password=%s;trustservercertificate=true;encrypt=DISABLE", server, port, dbname, user, password)

or

connString := fmt.Sprintf("server=%s;port=%d;database=%s;user id=%s;password=%s;trustservercertificate=true", server, port, dbname, user, password)
cfg, _, err := msdsn.Parse(connString)
if err != nil {
	log.Fatal(err)
}
// Lower the client-side minimum to TLS 1.0 for this connection only.
cfg.TLSConfig.MinVersion = tls.VersionTLS10

conn := mssql.NewConnectorConfig(cfg)
db := sql.OpenDB(conn)
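
Added example (not part of the thread and not the driver's code): a self-contained check, using only crypto/tls, that a client with Go's default minimum fails against a TLS 1.0-only peer while one that sets MinVersion to VersionTLS10 on its own tls.Config connects, which is what the connector snippet above does per connection. The in-memory server, its throwaway certificate and the names legacyServerConfig and handshake are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// legacyServerConfig: constructed stand-in for a TLS 1.0-only server, with a throwaway cert.
func legacyServerConfig() *tls.Config {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	return &tls.Config{Certificates: []tls.Certificate{cert},
		MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS10}
}

// handshake does one in-memory handshake; returns the negotiated version or the client error.
func handshake(clientMin uint16) (uint16, error) {
	c, s := net.Pipe()
	defer c.Close()
	defer s.Close()
	go tls.Server(s, legacyServerConfig()).Handshake()
	// InsecureSkipVerify only because the demo certificate is self-signed.
	client := tls.Client(c, &tls.Config{MinVersion: clientMin, InsecureSkipVerify: true})
	if err := client.Handshake(); err != nil {
		return 0, err
	}
	return client.ConnectionState().Version, nil
}

func main() {
	_, errDefault := handshake(0) // 0 keeps Go's default client minimum
	v, err := handshake(tls.VersionTLS10)
	fmt.Printf("default: %v\nMinVersion=VersionTLS10: %#x, err=%v\n", errDefault, v, err)
}
```

Because the minimum is set on one tls.Config, every other TLS client in the same process keeps the Go default.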

DhurghamFahem commented 1 year ago

@WenTao-Love This saved my day thnx