microsoft / mssql-docker

Official Microsoft repository for SQL Server in Docker resources
MIT License

SQL Server 2022 in docker, accepts TDS 7 connection but closes the TDS 8.0 connection with Error: 17821 - A valid TLS certificate is not configured to accept strict (TDS 8.0 and above) connections. #878

Open dimdin opened 5 months ago

dimdin commented 5 months ago

I am using the latest 2022 container with TLS 1.2. I can connect using the option -Nm (mandatory security using TDS 7), and the installed key and certificate are accepted by both sqlcmd (Version 18.2.0001.1 Linux) and go-sqlcmd (Version: v1.6.0).

When I am trying to use TDS 8.0 using the option -Ns (strict security using TDS 8) the connection is closed after the TLS ServerHello message and SQL Server logs:

2024-05-13 15:42:46.69 Logon       Error: 17821, Severity: 20, State: 1.
2024-05-13 15:42:46.69 Logon       A valid TLS certificate is not configured to accept strict (TDS 8.0 and above) connections. The connection has been closed.

Using the same client setup and similar certificates I can connect to a SQL Server on a Windows machine using both TDS 8 and TDS 7.

Using the openssl client I am emulating a TDS 8 connection; SQL Server logs the error 17821, but before closing the connection it responds using a TLS alert packet with "decode error".

❯ openssl s_client -alpn "tds/8.0" -servername "mssql" -tls1_2 -state -debug -connect mssql:1433
CONNECTED(00000003)
SSL_connect:before SSL initialization
write to 0x56082d5bf450 [0x56082d6a7590] (216 bytes => 216 (0xD8))
0000 - 16 03 01 00 d3 01 00 00-cf 03 03 b1 d1 e1 7f 9a   ................
0010 - 4a 33 5f af 51 a9 47 2a-b5 c1 db 23 fb 5c 7e d0   J3_.Q.G*...#.\~.
0020 - 7d 57 71 66 0a 41 57 e8-5d ee b4 00 00 38 c0 2c   }Wqf.AW.]....8.,
0030 - c0 30 00 9f cc a9 cc a8-cc aa c0 2b c0 2f 00 9e   .0.........+./..
0040 - c0 24 c0 28 00 6b c0 23-c0 27 00 67 c0 0a c0 14   .$.(.k.#.'.g....
0050 - 00 39 c0 09 c0 13 00 33-00 9d 00 9c 00 3d 00 3c   .9.....3.....=.<
0060 - 00 35 00 2f 00 ff 01 00-00 6e 00 00 00 0a 00 08   .5./.....n......
0070 - 00 00 05 6d 73 73 71 6c-00 0b 00 04 03 00 01 02   ...mssql........
0080 - 00 0a 00 0c 00 0a 00 1d-00 17 00 1e 00 19 00 18   ................
0090 - 00 23 00 00 00 10 00 0a-00 08 07 74 64 73 2f 38   .#.........tds/8
00a0 - 2e 30 00 16 00 00 00 17-00 00 00 0d 00 2a 00 28   .0...........*.(
00b0 - 04 03 05 03 06 03 08 07-08 08 08 09 08 0a 08 0b   ................
00c0 - 08 04 08 05 08 06 04 01-05 01 06 01 03 03 03 01   ................
00d0 - 03 02 04 02 05 02 06 02-                          ........
SSL_connect:SSLv3/TLS write client hello
read from 0x56082d5bf450 [0x56082d69f373] (5 bytes => 0)
write to 0x56082d5bf450 [0x56082d6a7590] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 32                              ......2
SSL3 alert write:fatal:decode error
SSL_connect:error in error
40A7BE41657F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:303:

To reproduce:

docker-compose.conf

services:
  mssql:
    container_name: mssql
    hostname: mssql
    build:
      context: mssql/
      dockerfile: Dockerfile
    restart: always
    environment:
      ACCEPT_EULA: "Y"
      MSSQL_SA_PASSWORD: "change me"
      MSSQL_PID: "Developer"
      TZ: "UTC"
      MSSQL_TCP_PORT: "1433"
      MSSQL_LCID: "1033"
      MSSQL_COLLATION: "Latin1_General_100_CI_AS_SC_UTF8"
    volumes:
      - msdata:/var/opt/mssql
    ports:
      - 1433:1433
volumes:
  msdata:
    name: "mssql"

mssql/Dockerfile

FROM mcr.microsoft.com/mssql/server:2022-latest

COPY --chown=mssql --chmod=440 mssql.pem /certs/
COPY --chown=mssql --chmod=400 mssql-key.pem /certs/
COPY --chown=mssql mssql.conf /var/opt/mssql/mssql.conf

mssql/mssql.conf

[EULA]
accepteula = Y

[network]
tlscert = /certs/mssql.pem
tlskey = /certs/mssql-key.pem
tlsprotocols = 1.2
forceencryption = 0

[telemetry]
customerfeedback = false

Certificates are generated using a modified version of mkcert that places the first host name as the common name in the subject.

diff --git a/cert.go b/cert.go
index 4ce36cc..7adad13 100644
--- a/cert.go
+++ b/cert.go
@@ -97,9 +97,7 @@ func (m *mkcert) makeCert(hosts []string) {

        // IIS (the main target of PKCS #12 files), only shows the deprecated
        // Common Name in the UI. See issue #115.
-       if m.pkcs12 {
-               tpl.Subject.CommonName = hosts[0]
-       }
+       tpl.Subject.CommonName = hosts[0]

        cert, err := x509.CreateCertificate(rand.Reader, tpl, m.caCert, pub, m.caKey)
        fatalIfErr(err, "failed to generate certificate")
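Review bot: the comment kept above the change ("IIS ... only shows the deprecated Common Name in the UI. See issue #115.") now justifies a condition the code no longer has, because `tpl.Subject.CommonName = hosts[0]` is set for every certificate rather than only when `m.pkcs12` is true; update that comment to state the new rule and the reason for it (the SQL Server TLS configuration this issue is about), otherwise the next reader will assume the guard was dropped by accident. Note also that the change alters the subject of every certificate mkcert emits, not only PKCS #12 output, so callers that relied on the empty default CN get a different subject.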
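To make the TLS-layer part of a strict connection observable without a SQL Server instance, here is an added Go example (it is not code from this repository, from mkcert or from the issue author). It stands up a loopback TLS server with a constructed self-signed certificate and a client that does what a TDS 8.0 client does before any TDS traffic: it sets SNI, offers the ALPN protocol "tds/8.0" and verifies the certificate against the expected host name. The host name "mssql" and all certificates are constructed; the example says nothing about the additional checks SQL Server performs before logging error 17821, which the issue does not establish.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const tds8ALPN = "tds/8.0" // ALPN protocol ID a TDS 8.0 (strict) client offers

// selfSignedCert builds a short-lived self-signed cert for host; withSAN=false leaves the host only in
// the subject CN (what the mkcert patch above sets), withSAN=true also puts it in the SAN extension.
func selfSignedCert(host string, withSAN bool) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: true, // self-signed: it is its own trust root below
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if withSAN {
		tpl.DNSNames = []string{host} // the field TLS clients match against the SNI name
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was produced by the same library a line above
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// startServer listens on loopback with cert, advertising tds/8.0 if offerALPN; each connection is handshaked then closed.
func startServer(cert tls.Certificate, offerALPN bool) (net.Listener, error) {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	if offerALPN {
		cfg.NextProtos = []string{tds8ALPN}
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() { defer c.Close(); _ = c.(*tls.Conn).Handshake() }()
		}
	}()
	return ln, nil
}

// probeStrict connects the way a TDS 8.0 client starts: SNI = serverName, ALPN offering tds/8.0, cert
// verified against roots. Returns the negotiated ALPN and an error if verification or ALPN fails.
func probeStrict(addr, serverName string, roots *x509.CertPool) (string, error) {
	cfg := &tls.Config{ServerName: serverName, NextProtos: []string{tds8ALPN}, RootCAs: roots, MinVersion: tls.VersionTLS12}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	proto := conn.ConnectionState().NegotiatedProtocol
	if proto != tds8ALPN {
		return proto, fmt.Errorf("server did not negotiate %s", tds8ALPN)
	}
	return proto, nil
}

// runScenario starts a server with the given properties and probes it as a strict client trusting its cert.
func runScenario(withSAN, offerALPN bool) (string, error) {
	cert, err := selfSignedCert("mssql", withSAN) // "mssql": constructed host name taken from the issue
	if err != nil {
		return "", err
	}
	ln, err := startServer(cert, offerALPN)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	roots := x509.NewCertPool()
	roots.AddCert(cert.Leaf)
	return probeStrict(ln.Addr().String(), "mssql", roots)
}

func main() {
	for _, s := range [][2]bool{{true, true}, {true, false}, {false, true}} {
		proto, err := runScenario(s[0], s[1])
		fmt.Printf("san=%-5v alpn=%-5v -> proto=%q err=%v\n", s[0], s[1], proto, err)
	}
}
```

Only the first scenario (host name in the SAN, server advertising tds/8.0) completes as a strict client expects. The second shows what a client sees when the server accepts the TLS handshake but never selects the ALPN protocol, and the third shows that a certificate carrying the host name only in the subject CN, which is all the mkcert patch guarantees, is rejected by Go's TLS client, which matches host names against SANs only; whether SQL Server applies the same rule when it raises 17821 is not something this issue settles.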

Mik4sa commented 2 months ago

I get the same error. @dimdin Are there any news around this?

dimdin commented 2 months ago

> I get the same error. @dimdin Are there any news around this?

Unfortunately, I have no news about it.