SQL Server 2022 in docker, accepts TDS 7 connection but closes the TDS 8.0 connection with Error: 17821 - A valid TLS certificate is not configured to accept strict (TDS 8.0 and above) connections. #878

@dimdin

Description


I am using the latest 2022 container with TLS 1.2.
I can connect using the option -Nm (mandatory security using TDS 7), and the installed key and certificate are accepted by both sqlcmd (Version 18.2.0001.1 Linux) and go-sqlcmd (Version: v1.6.0).

When I try to use TDS 8.0 with the option -Ns (strict security using TDS 8), the connection is closed after the TLS ServerHello message and SQL Server logs:

2024-05-13 15:42:46.69 Logon       Error: 17821, Severity: 20, State: 1.
2024-05-13 15:42:46.69 Logon       A valid TLS certificate is not configured to accept strict (TDS 8.0 and above) connections. The connection has been closed.

Using the same client setup and similar certificates I can connect to a SQL Server on a Windows machine using both TDS 8 and TDS 7.

Using the openssl client, I am emulating a TDS 8 connection; SQL Server logs error 17821, but before closing the connection it responds with a TLS alert packet indicating "decode error".

❯ openssl s_client -alpn "tds/8.0" -servername "mssql" -tls1_2 -state -debug -connect mssql:1433
CONNECTED(00000003)
SSL_connect:before SSL initialization
write to 0x56082d5bf450 [0x56082d6a7590] (216 bytes => 216 (0xD8))
0000 - 16 03 01 00 d3 01 00 00-cf 03 03 b1 d1 e1 7f 9a   ................
0010 - 4a 33 5f af 51 a9 47 2a-b5 c1 db 23 fb 5c 7e d0   J3_.Q.G*...#.\~.
0020 - 7d 57 71 66 0a 41 57 e8-5d ee b4 00 00 38 c0 2c   }Wqf.AW.]....8.,
0030 - c0 30 00 9f cc a9 cc a8-cc aa c0 2b c0 2f 00 9e   .0.........+./..
0040 - c0 24 c0 28 00 6b c0 23-c0 27 00 67 c0 0a c0 14   .$.(.k.#.'.g....
0050 - 00 39 c0 09 c0 13 00 33-00 9d 00 9c 00 3d 00 3c   .9.....3.....=.<
0060 - 00 35 00 2f 00 ff 01 00-00 6e 00 00 00 0a 00 08   .5./.....n......
0070 - 00 00 05 6d 73 73 71 6c-00 0b 00 04 03 00 01 02   ...mssql........
0080 - 00 0a 00 0c 00 0a 00 1d-00 17 00 1e 00 19 00 18   ................
0090 - 00 23 00 00 00 10 00 0a-00 08 07 74 64 73 2f 38   .#.........tds/8
00a0 - 2e 30 00 16 00 00 00 17-00 00 00 0d 00 2a 00 28   .0...........*.(
00b0 - 04 03 05 03 06 03 08 07-08 08 08 09 08 0a 08 0b   ................
00c0 - 08 04 08 05 08 06 04 01-05 01 06 01 03 03 03 01   ................
00d0 - 03 02 04 02 05 02 06 02-                          ........
SSL_connect:SSLv3/TLS write client hello
read from 0x56082d5bf450 [0x56082d69f373] (5 bytes => 0)
write to 0x56082d5bf450 [0x56082d6a7590] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 32                              ......2
SSL3 alert write:fatal:decode error
SSL_connect:error in error
40A7BE41657F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:303:

To reproduce:

docker-compose.conf

services:
  mssql:
    container_name: mssql
    hostname: mssql
    build:
      context: mssql/
      dockerfile: Dockerfile
    restart: always
    environment:
      ACCEPT_EULA: "Y"
      MSSQL_SA_PASSWORD: "change me"
      MSSQL_PID: "Developer"
      TZ: "UTC"
      MSSQL_TCP_PORT: "1433"
      MSSQL_LCID: "1033"
      MSSQL_COLLATION: "Latin1_General_100_CI_AS_SC_UTF8"
    volumes:
      - msdata:/var/opt/mssql
    ports:
      - 1433:1433
volumes:
  msdata:
    name: "mssql"

mssql/Dockerfile

FROM mcr.microsoft.com/mssql/server:2022-latest

COPY --chown=mssql --chmod=440 mssql.pem /certs/
COPY --chown=mssql --chmod=400 mssql-key.pem /certs/
COPY --chown=mssql mssql.conf /var/opt/mssql/mssql.conf

mssql/mssql.conf

[EULA]
accepteula = Y

[network]
tlscert = /certs/mssql.pem
tlskey = /certs/mssql-key.pem
tlsprotocols = 1.2
forceencryption = 0

[telemetry]
customerfeedback = false

Certificates are generated using a modified version of mkcert that places the first host name as the common name in the subject.

diff --git a/cert.go b/cert.go
index 4ce36cc..7adad13 100644
--- a/cert.go
+++ b/cert.go
@@ -97,9 +97,7 @@ func (m *mkcert) makeCert(hosts []string) {
 
        // IIS (the main target of PKCS #12 files), only shows the deprecated
        // Common Name in the UI. See issue #115.
-       if m.pkcs12 {
-               tpl.Subject.CommonName = hosts[0]
-       }
+       tpl.Subject.CommonName = hosts[0]
 
        cert, err := x509.CreateCertificate(rand.Reader, tpl, m.caCert, pub, m.caKey)
        fatalIfErr(err, "failed to generate certificate")
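Review bot: dropping the `if m.pkcs12` guard in the makeCert hunk leaves the two-line comment above it stale: it still justifies setting the deprecated Common Name purely in terms of IIS and PKCS #12 files, while `tpl.Subject.CommonName = hosts[0]` now applies to every certificate mkcert issues. Reword the comment to state the real reason the CN is populated unconditionally, otherwise the intent of this patch is lost to the next reader. Also, `hosts[0]` is now dereferenced on every call rather than only on the pkcs12 path, so makeCert panics if it can ever be reached with an empty `hosts` slice; if callers do not already guarantee at least one host, guard it with `if len(hosts) > 0`. Lastly, whatever is first in `hosts` (a wildcard or an IP address included) lands in the CN field verbatim, which may not be what a peer that still checks CN expects.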
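To make the openssl trace above easier to read, here is a small decoder, added to this thread as an example (it is not code from the reporter, from sqlcmd, or from SQL Server). It parses the `-debug` output into records, tags each one with who sent it (openssl prints its own outgoing records under "write to" and incoming ones under "read from", and a read that returns 0 bytes means the peer closed the socket), and decodes the ClientHello extensions (SNI and ALPN) and any alert record. The TRACE constant is constructed from the lines quoted in the issue; the alert-description table only covers a handful of common values.

```python
"""Decode the TLS records in an openssl s_client -debug trace.

Added example for this issue; not code from the reporter or from the
sqlcmd project. It reads openssl's debug output, rebuilds each record
from the hex dump, and decodes ClientHello (SNI, ALPN) and alert records.
"""
import re
import struct

# Constructed from the openssl output quoted in the issue (prompt line omitted).
TRACE = r"""
write to 0x56082d5bf450 [0x56082d6a7590] (216 bytes => 216 (0xD8))
0000 - 16 03 01 00 d3 01 00 00-cf 03 03 b1 d1 e1 7f 9a   ................
0010 - 4a 33 5f af 51 a9 47 2a-b5 c1 db 23 fb 5c 7e d0   J3_.Q.G*...#.\~.
0020 - 7d 57 71 66 0a 41 57 e8-5d ee b4 00 00 38 c0 2c   }Wqf.AW.]....8.,
0030 - c0 30 00 9f cc a9 cc a8-cc aa c0 2b c0 2f 00 9e   .0.........+./..
0040 - c0 24 c0 28 00 6b c0 23-c0 27 00 67 c0 0a c0 14   .$.(.k.#.'.g....
0050 - 00 39 c0 09 c0 13 00 33-00 9d 00 9c 00 3d 00 3c   .9.....3.....=.<
0060 - 00 35 00 2f 00 ff 01 00-00 6e 00 00 00 0a 00 08   .5./.....n......
0070 - 00 00 05 6d 73 73 71 6c-00 0b 00 04 03 00 01 02   ...mssql........
0080 - 00 0a 00 0c 00 0a 00 1d-00 17 00 1e 00 19 00 18   ................
0090 - 00 23 00 00 00 10 00 0a-00 08 07 74 64 73 2f 38   .#.........tds/8
00a0 - 2e 30 00 16 00 00 00 17-00 00 00 0d 00 2a 00 28   .0...........*.(
00b0 - 04 03 05 03 06 03 08 07-08 08 08 09 08 0a 08 0b   ................
00c0 - 08 04 08 05 08 06 04 01-05 01 06 01 03 03 03 01   ................
00d0 - 03 02 04 02 05 02 06 02-                          ........
SSL_connect:SSLv3/TLS write client hello
read from 0x56082d5bf450 [0x56082d69f373] (5 bytes => 0)
write to 0x56082d5bf450 [0x56082d6a7590] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 32                              ......2
SSL3 alert write:fatal:decode error
"""

# Subset of TLS AlertDescription values (RFC 5246 / RFC 8446).
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      48: "unknown_ca", 50: "decode_error", 70: "protocol_version",
                      80: "internal_error", 112: "unrecognized_name",
                      120: "no_application_protocol"}

HEADER = re.compile(r"^(write to|read from) .*\((\d+) bytes => (\d+)")
HEXLINE = re.compile(r"^[0-9a-f]{4} - ")


def parse_trace(text):
    """Return [(direction, bytes_returned, payload)]; payload is b'' for a 0-byte read."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([m.group(1), int(m.group(3)), bytearray()])
        elif HEXLINE.match(line) and records:
            # Hex column ends at the first run of three spaces; '-' joins bytes 8 and 9.
            hexpart = line[7:].split("   ", 1)[0]
            records[-1][2] += bytes.fromhex(hexpart.replace("-", " "))
    return [(d, n, bytes(p)) for d, n, p in records]


def decode_client_hello(hs):
    """Walk a ClientHello handshake message and pull out SNI and ALPN."""
    pos = 4 + 2 + 32                      # handshake header, client_version, random
    pos += 1 + hs[pos]                    # session_id
    (cs_len,) = struct.unpack("!H", hs[pos:pos + 2]); pos += 2 + cs_len
    pos += 1 + hs[pos]                    # compression_methods
    (ext_len,) = struct.unpack("!H", hs[pos:pos + 2]); pos += 2
    end = pos + ext_len
    info = {"type": "client_hello", "cipher_suites": cs_len // 2, "sni": None, "alpn": []}
    while pos < end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
        edata = hs[pos:pos + elen]; pos += elen
        if etype == 0:                    # server_name: list_len(2) type(1) name_len(2) name
            (name_len,) = struct.unpack("!H", edata[3:5])
            info["sni"] = edata[5:5 + name_len].decode()
        elif etype == 16:                 # ALPN: list_len(2) then (len(1) proto)*
            i = 2
            while i < len(edata):
                plen = edata[i]
                info["alpn"].append(edata[i + 1:i + 1 + plen].decode())
                i += 1 + plen
    return info


def decode_record(data):
    """Decode one TLS record (5-byte header + body)."""
    ctype, _version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if ctype == 21:                       # alert
        return {"type": "alert", "level": {1: "warning", 2: "fatal"}.get(body[0], body[0]),
                "description": ALERT_DESCRIPTIONS.get(body[1], body[1])}
    if ctype == 22 and body[0] == 1:      # handshake / ClientHello
        return decode_client_hello(body)
    return {"type": ctype}


def summarize(text=TRACE):
    """Decode every record in the trace and tag it with the side that sent it."""
    out = []
    for direction, nbytes, payload in parse_trace(text):
        who = "client" if direction == "write to" else "server"
        out.append((who, {"type": "eof"} if nbytes == 0 else decode_record(payload)))
    return out


if __name__ == "__main__":
    for who, rec in summarize():
        print(f"{who:6s} {rec}")
```

Running it on the quoted trace shows one ClientHello from the client carrying SNI "mssql" and ALPN "tds/8.0", then a zero-byte read (the server side closed the connection without sending a record), and then the fatal decode_error alert, which appears under a "write to" line, i.e. it is the record openssl itself emitted after hitting the unexpected EOF.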
