Encrypt=false not working #1561
Comments
Hi @vasicvuk, The pre-login process attempts to encrypt just the login if there were any supported encryption in between even though Could you elaborate on a sample console app with steps to reproduce the issue? It's not clear where the SQL Server is located! Also, could you verify your application by adding the following line on application startup? |
Hi @DavoudEshtehari, Here is the source code of a sample console app that I tried:

```csharp
using System;
using Microsoft.Data.SqlClient;

// App context switch suggested earlier in the thread; set before the first connection is opened.
AppContext.SetSwitch("Switch.Microsoft.Data.SqlClient.EnableSecureProtocolsByOS", true);

var connectionString = "Data Source=hostname\\aaa;Initial Catalog=SampleDB;User ID=sa;Password=Sample123;Pooling=True;Min Pool Size=3;Max Pool Size=10;Connect Timeout=5;Trust Server Certificate=False;Encrypt=false;";

// Dispose the connection when the app exits.
using SqlConnection connection = new SqlConnection(connectionString);
connection.Open();
```

Unfortunately, I get the same exception. Also here is the Dockerfile I am trying with:

```dockerfile
FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
WORKDIR /src
COPY ./* /src/
RUN rm -rf bin obj Debug global.json
RUN dotnet publish -c Release -o out -f net6.0

FROM mcr.microsoft.com/dotnet/runtime:6.0-alpine
COPY --from=build /src/out .
ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=false
RUN apk add icu
ENTRYPOINT ["dotnet", "TestSQLServer.dll"]
```

As I said before, SQL Server 2016 is located on a Windows Server-based virtual machine. Connection works with .NET Core 3.1 and Microsoft.Data.SqlClient version
Changing openssl.conf on the Alpine image so that CipherString is set to |
I assumed this wasn't possible, but I thought I should check and see why. So I looked at the spec and interestingly it says:
So in theory, if the server allows no encryption and the client allows no encryption, then it is possible to skip the login encryption. However, looking at the code for this library I found that: SqlClient/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParser.cs Lines 900 to 905 in 38dfaaa
So even if the client requests no encryption and the server would allow it, we force the login to be encrypted to protect the credentials being used. I think this is a good idea, and the use cases for totally disabling encryption aren't good. Is there a compelling reason that you can't simply change the container security? |
Changing it to level 1 on OpenSSL will also affect other components, allowing SSL 3.0 and lower bits of encryption to be used, and we don't want to do that. In general I don't see the point of using encryption if I must enable this security level on OpenSSL, as it will just create another security problem. https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
Maybe some feature flag disabling encryption on the login stage would be useful |
The first thing to do is find out if it's possible to configure the server to allow encryption-less logins, because if it isn't then there's no point starting to try and change this library. If that is possible, then it'll be up to the MS team to make a policy decision on whether it's worth allowing an unsafe use case. |
If this was never allowed then there is another problem with the client, since the login passed without any issue on .NET 3.1 and library version 2.1.3 without specifying Encrypt=False in the connection string |
Are you sure that the 3.1 base image was using the same version and configuration of Alpine? Because I thought this issue was mainly caused by slimming down of the underlying OS image. The code around the login process hasn't changed much. |
Hi @Wraith2, I've found this document https://docs.microsoft.com/en-us/dotnet/core/compatibility/cryptography/5.0/default-cipher-suites-for-tls-on-linux It is related to .NET 5, but I'm sure it applies to .NET 6 also. I suppose it worked because, before .NET 5, Microsoft didn't respect the OpenSSL default configuration from the container? Thanks |
The implementation is based on MS TDS protocol: Depending upon whether the server has encryption available and enabled, the server responds with an ENCRYPTION value in the response according to the following table.
Assuming that the client is capable of encryption, the server requires the client to behave in the following manner.
Note: The |
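The PRELOGIN negotiation that the two comments above describe (the MS-TDS ENCRYPTION table, and the library's choice to send ENCRYPT_OFF rather than ENCRYPT_NOT_SUP when `Encrypt=false` is set), worked through offline as an added example. This is not code from the thread or from Microsoft.Data.SqlClient. The packet layout (8-byte TDS header, a token table terminated by 0xFF, then option data) and the ENCRYPTION values 0x00..0x03 are taken from MS-TDS; the version bytes, thread id and instance name in the exchange are constructed sample data, and `sqlclient_request_for()` is a hypothetical model of the driver's behaviour, not its real API.

```python
"""TDS PRELOGIN encryption negotiation, modelled offline (added example, not SqlClient code)."""
import struct
from typing import Dict

TDS_PRELOGIN = 0x12   # TDS packet type for PRELOGIN
STATUS_EOM = 0x01     # end-of-message bit in the header status byte

# PRELOGIN option tokens (MS-TDS)
TOKEN_VERSION = 0x00
TOKEN_ENCRYPTION = 0x01
TOKEN_INSTOPT = 0x02
TOKEN_THREADID = 0x03
TOKEN_MARS = 0x04
TOKEN_TERMINATOR = 0xFF

# ENCRYPTION option values (MS-TDS)
ENCRYPT_OFF = 0x00      # client: encrypt only the login packet
ENCRYPT_ON = 0x01       # encrypt the whole session
ENCRYPT_NOT_SUP = 0x02  # no encryption at all
ENCRYPT_REQ = 0x03      # server: encryption required for the whole session


def build_prelogin(options: Dict[int, bytes], packet_id: int = 1) -> bytes:
    """Serialise an option map into one complete PRELOGIN packet (header + payload)."""
    table, data = b"", b""
    offset = 5 * len(options) + 1              # option data starts right after the 0xFF terminator
    for token in sorted(options):
        value = options[token]
        table += struct.pack(">BHH", token, offset, len(value))
        data += value
        offset += len(value)
    payload = table + bytes([TOKEN_TERMINATOR]) + data
    # header: type, status, total length (incl. header), SPID, packet id, window
    header = struct.pack(">BBHHBB", TDS_PRELOGIN, STATUS_EOM, 8 + len(payload), 0, packet_id, 0)
    return header + payload


def parse_prelogin(packet: bytes) -> Dict[int, bytes]:
    """Parse a PRELOGIN packet back into its option map, rejecting bad lengths and offsets."""
    if len(packet) < 8:
        raise ValueError("short packet")
    ptype, _status, length, _spid, _pid, _window = struct.unpack(">BBHHBB", packet[:8])
    if ptype != TDS_PRELOGIN or length != len(packet):
        raise ValueError("not a well-formed PRELOGIN packet")
    payload, options, pos = packet[8:], {}, 0
    while True:
        if pos >= len(payload):
            raise ValueError("missing option terminator")
        if payload[pos] == TOKEN_TERMINATOR:
            return options
        if pos + 5 > len(payload):
            raise ValueError("truncated option table")
        token, off, ln = struct.unpack(">BHH", payload[pos:pos + 5])
        if off + ln > len(payload):
            raise ValueError(f"option {token:#x} points outside the payload")
        options[token] = payload[off:off + ln]
        pos += 5


def sqlclient_request_for(encrypt: bool) -> int:
    """Hypothetical model of the driver: Encrypt=false maps to ENCRYPT_OFF (login is still
    encrypted), never to ENCRYPT_NOT_SUP."""
    return ENCRYPT_ON if encrypt else ENCRYPT_OFF


def negotiate(client: int, server: int) -> str:
    """Return what TLS ends up covering: 'full', 'login' or 'none'; raise when the sides disagree."""
    if client in (ENCRYPT_ON, ENCRYPT_REQ):
        if server == ENCRYPT_NOT_SUP:
            raise RuntimeError("client requires encryption but the server does not support it")
        return "full"
    if client == ENCRYPT_NOT_SUP:
        if server == ENCRYPT_REQ:
            raise RuntimeError("server requires encryption but the client declared ENCRYPT_NOT_SUP")
        return "none"
    # client ENCRYPT_OFF: the server decides between login-only, everything, or nothing
    if server in (ENCRYPT_ON, ENCRYPT_REQ):
        return "full"
    if server == ENCRYPT_NOT_SUP:
        return "none"
    return "login"


def prelogin_exchange(encrypt: bool, server_reply: int) -> str:
    """Run one constructed client/server PRELOGIN exchange through build/parse and negotiate."""
    client_pkt = build_prelogin({
        TOKEN_VERSION: bytes([0x0C, 0x00, 0x10, 0x18, 0x00, 0x00]),  # constructed version/subbuild
        TOKEN_ENCRYPTION: bytes([sqlclient_request_for(encrypt)]),
        TOKEN_INSTOPT: b"aaa\x00",                                    # named instance, as in the thread
        TOKEN_THREADID: struct.pack("<I", 0x1234),                    # constructed thread id
        TOKEN_MARS: b"\x00",
    })
    server_pkt = build_prelogin({
        TOKEN_VERSION: bytes([0x0D, 0x00, 0x06, 0xB9, 0x00, 0x00]),  # constructed server build
        TOKEN_ENCRYPTION: bytes([server_reply]),
        TOKEN_INSTOPT: b"\x00",
        TOKEN_THREADID: b"",                                          # servers answer with length 0
        TOKEN_MARS: b"\x00",
    })
    client_enc = parse_prelogin(client_pkt)[TOKEN_ENCRYPTION][0]
    server_enc = parse_prelogin(server_pkt)[TOKEN_ENCRYPTION][0]
    return negotiate(client_enc, server_enc)


if __name__ == "__main__":
    for enc, reply in ((False, ENCRYPT_OFF), (False, ENCRYPT_REQ), (False, ENCRYPT_NOT_SUP)):
        print(f"Encrypt={enc}, server replied {reply:#04x}: TLS covers {prelogin_exchange(enc, reply)}")
```

The point the thread makes falls out of `negotiate`: with `Encrypt=false` the client still sends ENCRYPT_OFF, so a server that answers ENCRYPT_OFF gets a TLS-wrapped login packet, and the OpenSSL cipher/security-level configuration on the client matters even when the rest of the session is plaintext. Only a client that sends ENCRYPT_NOT_SUP, which this driver does not, would skip TLS for the login.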
@DavoudEshtehari This I understand, but maybe the issue is in using the OpenSSL configuration from .NET 5 instead of using a separate configuration, as @strainovic said. The question is whether we can relax this configuration only for the MSSQL client, so that it does not affect other components on the system. |
In my case, I was running All connections failed with
From SQL logs, it turned out the problem was with the mounted volumes: By not mounting Docker volumes, I could connect. So the original error message threw me off in the wrong direction, debugging SSL and TLS1.2. Maybe this helps some others googling this. |
We are not running Sql server in Container at all for this case. Its a Windows server machine |
@vasicvuk can you try with the latest release of the driver (v5.0) and see if the issue still happens? |
Closing due to inactivity. Feel free to comment here or open a new issue if the issue is still happening. |
@JRahnama issue is still valid.
sample app:
|
What SQL Server version are you connecting to? |
@ErikEJ it's a bit old: 10.50.6560. However, I can connect to it by running a sample app from my Mac. |
@luber that Server version is no longer supported. Maybe it does not have TLS 1.2 enabled |
@luber, just some hint from my own experience; a while ago I had similar issues with Ubuntu v22.04 and net6/7, and that was related to the OpenSSL version available for the .NET version on v22.04. The other related topic could be TLS 1.3, which is enabled on 22.04 and other latest Linux OS versions. TLS 1.3 only works on SQL Server 2022. There are some options to check the issue:
|
@JRahnama, thanks for the suggestions. So, I have started looking at OpenSSL: the worker node (running
And looks like MacOS does not use |
@luber, what I was trying to say was the version of the OS. For example, in my case I saw similar errors on Ubuntu 22.04, and when I downgraded to Ubuntu v20.04 everything worked fine. OpenSSL v3.0.* came with some breaking changes. This has been documented under the .NET 5 breaking changes. You can read more here. |
Describe the bug
I am trying to connect to SQL Server using Encrypt=False but I cannot get it to work. SQL Server is 2016, hosted on Windows Server, and configured to not require encryption.
Connection string used:
Further technical details
Microsoft.Data.SqlClient version: 4.1.0
.NET target: 6.0
SQL Server version: (e.g. SQL Server 2016)
Operating system: Alpine Linux .NET 6 Runtime container
Additional context
This does not happen when the client is a Windows machine.
.NET 3.1 based service works without any issue