SSL routines:ssl_choose_client_version:unsupported protocol] #1023

FROM php:fpm

# composer.lock and composer.json
COPY composer.lock composer.json /var/www/

# Set working directory
WORKDIR /var/www

# Install dependencies
RUN apt-get update && apt-get install -y \
    build-essential \
    libpng-dev \
    libzip-dev \
    libjpeg62-turbo-dev \
    libfreetype6-dev \
    locales \
    zip \
    jpegoptim optipng pngquant gifsicle \
    vim \
    unzip \
    git \
    curl apt-transport-https debconf-utils

# Clear cache
RUN apt-get clean && rm -rf /var/lib/apt/lists/*

# Install extensions
RUN docker-php-ext-install pdo_mysql mbstring zip exif pcntl
RUN docker-php-ext-configure gd --with-gd --with-freetype-dir=/usr/include/ --with-jpeg-dir=/usr/include/ --with-png-dir=/usr/include/
RUN docker-php-ext-install gd

# Install composer
RUN curl -sS | php -- --install-dir=/usr/local/bin --filename=composer

# Add user for laravel application
RUN groupadd -g 1000 www
RUN useradd -u 1000 -ms /bin/bash -g www www

Add . /var/www
RUN chown -R www:www /var/www

# Copy existing application directory contents
COPY . /var/www

# Copy existing application directory permissions
COPY --chown=www:www . /var/www

# Microsoft SQL driver install
RUN curl | apt-key add -
#RUN curl > /etc/apt/sources.list.d/mssql-tools.list
RUN curl > /etc/apt/sources.list.d/mssql-release.list
RUN apt-get update
RUN echo 'y' | ACCEPT_EULA=Y apt-get install msodbcsql17 mssql-tools
RUN echo 'export PATH="$PATH:/opt/mssql-tools/bin"' >> ~/.bash_profile
RUN echo 'export PATH="$PATH:/opt/mssql-tools/bin"' >> ~/.bashrc
RUN apt-get install -y unixodbc-dev
RUN pecl install  sqlsrv \
    && pecl install pdo_sqlsrv \
    && docker-php-ext-enable sqlsrv pdo_sqlsrv

# Change current user to www
USER www

# Expose port 9000 and start php-fpm server
CMD ["php-fpm"]


version: '3'

  #PHP Service
      context: .
      dockerfile: Dockerfile
    image: phpimage
    container_name: app
    restart: unless-stopped
    tty: true
      SERVICE_NAME: app
      SERVICE_TAGS: dev
    working_dir: /var/www
      - ./:/var/www
      - ./php/local.ini:/usr/local/etc/php/conf.d/local.ini
      - app-network

  #Nginx Service
    image: nginx:alpine
    container_name: webserver
    restart: unless-stopped
    tty: true
      - "80:80"
      - "443:443"
      - ./:/var/www
      - ./nginx/conf.d/:/etc/nginx/conf.d/
      - app-network

#Docker Networks
    driver: bridge
    driver: local

david-puglielli commented 5 years ago

@afroty The latest ODBC driver (version 17.4) fixes some issues with SSL, although we haven't seen that error before. Please check if you are using the latest one and upgrade if not (instructions here). Also, what version of the sqlsrv drivers are you using?

aaly00 commented 5 years ago

@david-puglielli I think I am using the latest version. I attached my dockerfile as well as my docker-compose.yml to the issue.

david-puglielli commented 5 years ago

You would be getting the latest ODBC driver and sqlsrv drivers then, but none supports SQL Server 2008 unfortunately. If upgrading SQL Server is not an option, then you can try rolling back to a previous version of the ODBC driver using the instructions here (you may need version 13.x of the driver, for which instructions are further down the page).

aaly00 commented 5 years ago

But version 13.x is not compatible with Debian 10?

david-puglielli commented 5 years ago

Actually SQL Server 2008 SP4 does support TLS 1.2 - see here.

Also there are a number of known issues with OpenSSL and Debian 10. This may require a configuration change - see #1021 and this comment. Please try that and let us know if it works.

aaly00 commented 5 years ago

@david-puglielli I did try that but it didn't work.

aaly00 commented 5 years ago

Downgrading the minimum to TLSv1.0 actually worked, but it is not a permanent solution. I changed /etc/ssl/openssl.cnf section [system_default_sect] to

[system_default_sect]
MinProtocol = TLSv1.0
CipherString = DEFAULT@SECLEVEL=1

david-puglielli commented 5 years ago

Have you upgraded your SQL Server with TLS 1.2 support from the link I provided? The update is available here.

aaly00 commented 5 years ago

Unfortunately that is not possible for now. I'll close this since msphpsql is not the cause for the issue.

lmtam commented 5 years ago

Hi @afroty, did you fix this issue? If yes, can you help me fix it?

aaly00 commented 5 years ago

@lmtam Yes. You could upgrade your SQL Server as @david-puglielli mentioned, or you could downgrade openssl MinProtocol and CipherString.

If you are using Debian, you can add this to your Dockerfile, which should fix the file. Understand, however, that there is a security risk with this.

RUN apt-get update -yqq \
    && apt-get install -y --no-install-recommends openssl \
    && sed -i 's,^\(MinProtocol[ ]*=\).*,\1'TLSv1.0',g' /etc/ssl/openssl.cnf \
    && sed -i 's,^\(CipherString[ ]*=\).*,\1'DEFAULT@SECLEVEL=1',g' /etc/ssl/openssl.cnf \
    && rm -rf /var/lib/apt/lists/*

lmtam commented 5 years ago

Thanks. I upgraded the SQL Server and fixed this issue.

go-xmyang commented 4 years ago

@lmtam Yes. You could upgrade your SQL Server as @david-puglielli mentioned, or you could downgrade openssl MinProtocol and CipherString.

This is very useful to me.

unvaare commented 4 years ago

@afroty I am facing a similar issue on CentOS7, any idea how I can fix this on CentOS? This happens when I am running the MS SQL ODBC driver using a dot net core app that connects with MS SQL Server using ODBC and then disconnects. In the first iteration it connects and works, but after that it gives an SSL Provider error.

Razorhunter commented 4 years ago

I'm getting the same issue after upgrading to Ubuntu 20.04 Beta... At first, it worked on 19.10, but after upgrading the Ubuntu distro, it prompts me with the error. By the way, I'm not using Docker.

yitam commented 4 years ago

@unvaare please check with the folks at dotnet/runtime instead

@Razorhunter please create a new issue with details of your server, client, etc. You can refer to this issue

ludufre commented 4 years ago

Downgrading the minimum to TLSv1.0 actually worked, but it is not a permanent solution. I changed /etc/ssl/openssl.cnf section [system_default_sect] to

[system_default_sect]
MinProtocol = TLSv1.0
CipherString = DEFAULT@SECLEVEL=1

For those who are in the same situation (cannot update SQLServer) and are on Oracle Linux 8.2 (probably CentOS 8 too), just change MinProtocol to TLSv1.0 in the file: /etc/crypto-policies/back-ends/opensslcnf.config

eddyprasetyo commented 4 years ago

@lmtam Yes. You could upgrade your SQL Server as @david-puglielli mentioned, or you could downgrade openssl MinProtocol and CipherString.

If you are using Debian, you can add this to your Dockerfile, which should fix the file. Understand, however, that there is a security risk with this.

The "sed" part was very useful for me, on Debian 10 and in the situation of "Cannot update SQL Server".

Fedeorlandau commented 4 years ago

Be careful and use TLSv1 instead of TLSv1.0


caiadogithub commented 4 years ago

Be careful and use TLSv1 instead of TLSv1.0


pachadotdev commented 3 years ago

this configuration worked for me

MinProtocol = TLSv1
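
A check that a build or CI step could run against `/etc/ssl/openssl.cnf`, or the crypto-policies file named above, to catch the downgrade if it outlives the legacy SQL Server. This is an added example, not code from the thread or from msphpsql; the function name `audit_openssl_cnf` and the TLS 1.2 / SECLEVEL 2 baseline are assumptions.

```shell
#!/bin/sh
# Added example: flag OpenSSL settings weaker than a TLS 1.2 / SECLEVEL 2 baseline.
# Usage: audit_openssl_cnf FILE  (prints findings, returns 1 if any were found)
audit_openssl_cnf() {
    awk '
    # Return the text after the first "=", without trailing spaces or comments.
    function val(s) {
        sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t]*(#.*)?$/, "", s); return s
    }
    BEGIN {
        # TLS protocol names OpenSSL accepts for MinProtocol, weakest first.
        rank["None"] = -1; rank["SSLv3"] = 0; rank["TLSv1"] = 1
        rank["TLSv1.1"] = 2; rank["TLSv1.2"] = 3; rank["TLSv1.3"] = 4
    }
    /^[ \t]*MinProtocol[ \t]*=/ {
        v = val($0)
        if (!(v in rank)) {
            print FILENAME ":" NR ": MinProtocol=" v " is not a recognised TLS protocol name"; bad++
        } else if (rank[v] < 3) {
            print FILENAME ":" NR ": MinProtocol=" v " allows protocols older than TLSv1.2"; bad++
        }
    }
    /^[ \t]*CipherString[ \t]*=/ {
        v = val($0)
        # A missing @SECLEVEL keeps the library default, so only explicit levels are checked.
        if (match(v, /@SECLEVEL=[0-9]+/)) {
            lvl = substr(v, RSTART + 10, RLENGTH - 10) + 0
            if (lvl < 2) {
                print FILENAME ":" NR ": CipherString=" v " lowers SECLEVEL below 2"; bad++
            }
        }
    }
    END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample with the values posted in this thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[system_default_sect]
MinProtocol = TLSv1.0
CipherString = DEFAULT@SECLEVEL=1
EOF
audit_openssl_cnf "$sample" || echo "audit: settings weaker than the baseline"
rm -f "$sample"
```

The non-zero return value lets an image build or pipeline fail until the workaround is removed or explicitly accepted.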

kamrankausar commented 2 years ago

Ubuntu 20.04
Sqlcmd: Error: Microsoft ODBC Driver 18 for SQL Server : Login timeout expired.
Sqlcmd: Error: Microsoft ODBC Driver 18 for SQL Server : TCP Provider: Error code 0x2AF9.
Sqlcmd: Error: Microsoft ODBC Driver 18 for SQL Server : A network-related or instance-specific error has occurred while establishing a connection to SQL Server. Server is not found or not accessible. Check if instance name is correct and if SQL Server is configured to allow remote connections. For more information see SQL Server Books Online..

v-johoang commented 2 years ago

Try checking your DNS, connection string, and server. Error code 0x2AF9 usually means that the server's hostname couldn't be resolved, so it could be a DNS problem, or you entered an invalid server in the connection string.