Official Microsoft repository for SQL Server in Docker resources
MIT License
SQL Server 2022 in docker, accepts TDS 7 connection but closes the TDS 8.0 connection with Error: 17821 - A valid TLS certificate is not configured to accept strict (TDS 8.0 and above) connections. #878
I am using the latest 2022 container with TLS 1.2.
I can connect using the option `-Nm` (mandatory security using TDS 7), and the installed key and certificate are accepted from both `sqlcmd` (Version 18.2.0001.1 Linux) and `go-sqlcmd` (Version: v1.6.0).
When I try to use TDS 8.0 using the option `-Ns` (strict security using TDS 8), the connection is closed after the TLS ServerHello message and SQL Server logs:
```
2024-05-13 15:42:46.69 Logon Error: 17821, Severity: 20, State: 1.
2024-05-13 15:42:46.69 Logon A valid TLS certificate is not configured to accept strict (TDS 8.0 and above) connections. The connection has been closed.
```
Using the same client setup and similar certificates I can connect to a SQL Server on a Windows machine using both TDS 8 and TDS 7.
Using the openssl client I am emulating a TDS 8 connection; SQL Server logs the error 17821, but before closing the connection it responds using a TLS alert packet with "decode error".
To reproduce:
docker-compose.conf
mssql/Dockerfile
mssql/mssql.conf:
Certificates are generated using a modified version of mkcert that places the first host name as common name in subject.
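A small diagnostic in the spirit of the openssl test described in the issue, added here as an example and not part of the original report or the repository: it attempts the TLS-first handshake that a strict (TDS 8.0) client starts with, and names a raw first reply such as the "decode error" alert. The function names and the sample bytes are constructed for illustration; the ALPN identifier `tds/8.0` comes from the MS-TDS specification, not from this page.

```python
import socket
import ssl

# TLS alert codes (RFC 5246 / RFC 8446) likely to show up in this kind of failure.
ALERTS = {10: "unexpected_message", 40: "handshake_failure", 42: "bad_certificate",
          47: "illegal_parameter", 50: "decode_error", 70: "protocol_version",
          80: "internal_error", 120: "no_application_protocol"}


def classify_first_record(data: bytes) -> str:
    """Name the first reply seen on the wire (e.g. bytes copied from a capture)."""
    if len(data) < 5:
        return "short read"
    ctype, is_tls = data[0], data[1] == 0x03          # TLS records carry 0x03 0x0X
    if is_tls and ctype == 0x15 and len(data) >= 7:   # alert: level, description
        level = {1: "warning", 2: "fatal"}.get(data[5], f"level {data[5]}")
        return f"TLS alert: {level} {ALERTS.get(data[6], f'alert {data[6]}')}"
    if is_tls and ctype == 0x16:
        return "TLS handshake record"
    if ctype == 0x04:                                 # TDS tabular result packet
        return "TDS 7.x pre-login response"
    return f"unknown (first byte 0x{ctype:02x})"


def probe_strict(host, port=1433, cafile=None) -> str:
    """Attempt the TLS-first handshake a strict (TDS 8.0) client starts with."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain and host name
    ctx.set_alpn_protocols(["tds/8.0"])               # ALPN id from MS-TDS
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return f"ok: {tls.version()}, ALPN={tls.selected_alpn_protocol()}"
    except ssl.SSLError as exc:                       # includes alerts from the server
        return f"handshake failed: {exc.reason or exc}"
    except OSError as exc:
        return f"connection failed: {exc}"


# Constructed sample: a fatal decode_error alert, as a TLS 1.2 record.
SAMPLE_ALERT = bytes.fromhex("15030300020232")

if __name__ == "__main__":
    print(classify_first_record(SAMPLE_ALERT))
```

Call `probe_strict("sql.example.test", cafile="rootCA.pem")` with your own host name and CA file (both placeholders here) to compare the container against a server that accepts strict connections.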