Description
I am using the latest 2022 container with TLS 1.2.

I can connect using the option -Nm (mandatory security using TDS 7), and the installed key and certificate are accepted by both sqlcmd (Version 18.2.0001.1 Linux) and go-sqlcmd (Version: v1.6.0).

When I try to use TDS 8.0 using the option -Ns (strict security using TDS 8), the connection is closed after the TLS ServerHello message and SQL Server logs:
```
2024-05-13 15:42:46.69 Logon Error: 17821, Severity: 20, State: 1.
2024-05-13 15:42:46.69 Logon A valid TLS certificate is not configured to accept strict (TDS 8.0 and above) connections. The connection has been closed.
```
Using the same client setup and similar certificates, I can connect to a SQL Server on a Windows machine using both TDS 8 and TDS 7.

Using the openssl client, I am emulating a TDS 8 connection; SQL Server logs the error 17821, but before closing the connection it responds using a TLS alert packet with "decode error".
```console
❯ openssl s_client -alpn "tds/8.0" -servername "mssql" -tls1_2 -state -debug -connect mssql:1433
CONNECTED(00000003)
SSL_connect:before SSL initialization
write to 0x56082d5bf450 [0x56082d6a7590] (216 bytes => 216 (0xD8))
0000 - 16 03 01 00 d3 01 00 00-cf 03 03 b1 d1 e1 7f 9a ................
0010 - 4a 33 5f af 51 a9 47 2a-b5 c1 db 23 fb 5c 7e d0 J3_.Q.G*...#.\~.
0020 - 7d 57 71 66 0a 41 57 e8-5d ee b4 00 00 38 c0 2c }Wqf.AW.]....8.,
0030 - c0 30 00 9f cc a9 cc a8-cc aa c0 2b c0 2f 00 9e .0.........+./..
0040 - c0 24 c0 28 00 6b c0 23-c0 27 00 67 c0 0a c0 14 .$.(.k.#.'.g....
0050 - 00 39 c0 09 c0 13 00 33-00 9d 00 9c 00 3d 00 3c .9.....3.....=.<
0060 - 00 35 00 2f 00 ff 01 00-00 6e 00 00 00 0a 00 08 .5./.....n......
0070 - 00 00 05 6d 73 73 71 6c-00 0b 00 04 03 00 01 02 ...mssql........
0080 - 00 0a 00 0c 00 0a 00 1d-00 17 00 1e 00 19 00 18 ................
0090 - 00 23 00 00 00 10 00 0a-00 08 07 74 64 73 2f 38 .#.........tds/8
00a0 - 2e 30 00 16 00 00 00 17-00 00 00 0d 00 2a 00 28 .0...........*.(
00b0 - 04 03 05 03 06 03 08 07-08 08 08 09 08 0a 08 0b ................
00c0 - 08 04 08 05 08 06 04 01-05 01 06 01 03 03 03 01 ................
00d0 - 03 02 04 02 05 02 06 02- ........
SSL_connect:SSLv3/TLS write client hello
read from 0x56082d5bf450 [0x56082d69f373] (5 bytes => 0)
write to 0x56082d5bf450 [0x56082d6a7590] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 32 ......2
SSL3 alert write:fatal:decode error
SSL_connect:error in error
40A7BE41657F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:303:
```
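As an added example (not part of this report, of mkcert, or of the SQL Server and sqlcmd projects), the script below decodes the two records from the capture above with the Python standard library only. It walks the ClientHello to confirm that the probe carried SNI mssql and ALPN tds/8.0, decodes the 7-byte alert record as a fatal decode_error (code 50), and provides a probe_tds8 helper (a hypothetical name) that attempts the same strict-style handshake against a server with certificate and host name verification left on, so a defender can distinguish a server that closes the strict handshake from a trust or host name failure. The host, port and cafile values passed to the helper are assumptions; the record bytes are transcribed from the capture.

```python
import socket
import ssl
import struct

# ClientHello record transcribed from the openssl s_client hexdump in the report
# (216 bytes: 5-byte record header followed by a 211-byte handshake message).
CLIENT_HELLO = bytes.fromhex(
    "16 03 01 00 d3 01 00 00 cf 03 03 b1 d1 e1 7f 9a "
    "4a 33 5f af 51 a9 47 2a b5 c1 db 23 fb 5c 7e d0 "
    "7d 57 71 66 0a 41 57 e8 5d ee b4 00 00 38 c0 2c "
    "c0 30 00 9f cc a9 cc a8 cc aa c0 2b c0 2f 00 9e "
    "c0 24 c0 28 00 6b c0 23 c0 27 00 67 c0 0a c0 14 "
    "00 39 c0 09 c0 13 00 33 00 9d 00 9c 00 3d 00 3c "
    "00 35 00 2f 00 ff 01 00 00 6e 00 00 00 0a 00 08 "
    "00 00 05 6d 73 73 71 6c 00 0b 00 04 03 00 01 02 "
    "00 0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 "
    "00 23 00 00 00 10 00 0a 00 08 07 74 64 73 2f 38 "
    "2e 30 00 16 00 00 00 17 00 00 00 0d 00 2a 00 28 "
    "04 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b "
    "08 04 08 05 08 06 04 01 05 01 06 01 03 03 03 01 "
    "03 02 04 02 05 02 06 02"
)
# The 7-byte alert record from the same capture.
ALERT_RECORD = bytes.fromhex("15 03 01 00 02 02 32")

TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      50: "decode_error", 70: "protocol_version", 80: "internal_error",
                      120: "no_application_protocol"}


def parse_tls_record(data: bytes):
    """Split a TLS record into (content_type, (major, minor), body), RFC 5246 section 6.2."""
    if len(data) < 5:
        raise ValueError("short record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    return content_type, (major, minor), body


def parse_alert(record: bytes) -> tuple:
    """Decode an alert record into (level, description)."""
    ctype, _, body = parse_tls_record(record)
    if ctype != 21 or len(body) != 2:
        raise ValueError("not an alert record")
    level, desc = body[0], body[1]
    return ("fatal" if level == 2 else "warning", ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"))


def parse_client_hello(record: bytes) -> dict:
    """Extract version, cipher suite count, SNI and ALPN from a ClientHello record."""
    ctype, _, body = parse_tls_record(record)
    if ctype != 22 or body[0] != 1:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake message")
    version = TLS_VERSIONS.get((hello[0], hello[1]), "unknown")
    pos = 2 + 32                       # legacy_version + random
    pos += 1 + hello[pos]              # session_id
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    suites = [int.from_bytes(hello[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]              # compression_methods
    info = {"version": version, "cipher_suite_count": len(suites), "sni": None, "alpn": []}
    ext_end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    while pos < ext_end:
        etype = int.from_bytes(hello[pos:pos + 2], "big")
        elen = int.from_bytes(hello[pos + 2:pos + 4], "big")
        edata = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0:                 # server_name, RFC 6066
            p = 2                      # skip ServerNameList length
            while p < len(edata):
                nlen = int.from_bytes(edata[p + 1:p + 3], "big")
                if edata[p] == 0:      # host_name entry
                    info["sni"] = edata[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        elif etype == 16:              # application_layer_protocol_negotiation, RFC 7301
            p = 2                      # skip ProtocolNameList length
            while p < len(edata):
                plen = edata[p]
                info["alpn"].append(edata[p + 1:p + 1 + plen].decode("ascii"))
                p += 1 + plen
    return info


def probe_tds8(host: str, port: int = 1433, cafile=None, timeout: float = 5.0) -> dict:
    """Attempt a TDS 8.0-style handshake (SNI = host, ALPN = tds/8.0) and report the outcome.
    Verification stays on: pass the CA that issued the server certificate (for mkcert, its
    rootCA.pem) as cafile so a trust or host name mismatch is reported as such."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_alpn_protocols(["tds/8.0"])
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "tls_version": tls.version(),
                        "alpn": tls.selected_alpn_protocol(), "error": None}
    except (ssl.SSLError, OSError) as exc:
        # Covers the early close seen in the report as well as certificate verification errors.
        return {"ok": False, "tls_version": None, "alpn": None, "error": str(exc)}


if __name__ == "__main__":
    print(parse_client_hello(CLIENT_HELLO))
    print(parse_alert(ALERT_RECORD))
    # Live check against an assumed host and mkcert root (example values):
    # print(probe_tds8("mssql", cafile="rootCA.pem"))
```

A result of ok with alpn equal to tds/8.0 means the server completed the strict handshake for that host name; a verification error in the error field points at the certificate or its name rather than at the strict-mode check.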
To reproduce:

docker-compose.conf

```yaml
services:
  mssql:
    container_name: mssql
    hostname: mssql
    build:
      context: mssql/
      dockerfile: Dockerfile
    restart: always
    environment:
      ACCEPT_EULA: "Y"
      MSSQL_SA_PASSWORD: "change me"
      MSSQL_PID: "Developer"
      TZ: "UTC"
      MSSQL_TCP_PORT: "1433"
      MSSQL_LCID: "1033"
      MSSQL_COLLATION: "Latin1_General_100_CI_AS_SC_UTF8"
    volumes:
      - msdata:/var/opt/mssql
    ports:
      - 1433:1433

volumes:
  msdata:
    name: "mssql"
```

mssql/Dockerfile

```dockerfile
FROM mcr.microsoft.com/mssql/server:2022-latest
COPY --chown=mssql --chmod=440 mssql.pem /certs/
COPY --chown=mssql --chmod=400 mssql-key.pem /certs/
COPY --chown=mssql mssql.conf /var/opt/mssql/mssql.conf
```

mssql/mssql.conf:

```ini
[EULA]
accepteula = Y

[network]
tlscert = /certs/mssql.pem
tlskey = /certs/mssql-key.pem
tlsprotocols = 1.2
forceencryption = 0

[telemetry]
customerfeedback = false
```
Certificates are generated using a modified version of mkcert that places the first host name as the common name in the subject.
diff --git a/cert.go b/cert.go
index 4ce36cc..7adad13 100644
--- a/cert.go
+++ b/cert.go
@@ -97,9 +97,7 @@ func (m *mkcert) makeCert(hosts []string) {
// IIS (the main target of PKCS #12 files), only shows the deprecated
// Common Name in the UI. See issue #115.
- if m.pkcs12 {
- tpl.Subject.CommonName = hosts[0]
- }
+ tpl.Subject.CommonName = hosts[0]
cert, err := x509.CreateCertificate(rand.Reader, tpl, m.caCert, pub, m.caKey)
fatalIfErr(err, "failed to generate certificate")
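Review bot: the comment on the two context lines above the removed guard still justifies the Common Name as a PKCS #12/IIS-only concession (issue #115), but once the `if m.pkcs12` check is gone, `tpl.Subject.CommonName = hosts[0]` applies to every certificate; update the comment to state the new reason (here, that the first host name must appear in the subject CN for SQL Server's strict TDS 8.0 check). Also consider guarding the assignment rather than copying whatever string is listed first in `hosts` unconditionally: X.509 caps the commonName attribute at 64 characters and `x509.CreateCertificate` does not enforce that, so an over-long first entry would yield a certificate that strict validators reject.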