Can't connect to Sqlserver with Openssl 1.1.1c (Error code 0x2746) #1021
Comments
Hi @fabiang, I can reproduce the problem, except that the SQL Server version does not seem to matter. I can't connect to SQL Server 2017 or 2014 without first downgrading openssl to 1.1.0k. We will investigate and get back to you on this.
This is a workaround for now: Modify Change the last line from I can connect to SQL Server 2017 or 2014 without the need to downgrade OpenSSL.
@yitam that worked for me as well. Waiting on a proper upstream fix.
@yitam Thanks for the workaround! Is it even possible to fix this upstream? I understand that OpenSSL removed some older and insecure ciphers. Doesn't the config of the Sqlserver need to be changed instead?
Glad to hear the workaround, i.e. the temporary solution, works for you both, @fabiang and @bmintz. As indicated in known issues with OpenSSL 1.1.1 in Debian 10:
Hence, Debian 10 has disabled SHA1 by default -- became more secure but less compatible. Those with older certificates with SHA1 hash or signatures <2K bit will be affected. In other words, this is actually a server / environment configuration issue.
Hi, I have the same error
@danailkh re-read this thread. There's a configuration change you can make in openssl.cnf. Or you can upgrade your SQL Server's certificate.
I can confirm the workaround is working too. For those using Docker (Debian-based PHP image), you can try this:

```dockerfile
# Rewrites CipherString in /etc/ssl/openssl.cnf from DEFAULT@SECLEVEL=2 to DEFAULT@SECLEVEL=1
RUN apt-get update -yqq \
    && apt-get install -y --no-install-recommends openssl \
    && sed -i -E 's/(CipherString\s*=\s*DEFAULT@SECLEVEL=)2/\11/' /etc/ssl/openssl.cnf \
    && rm -rf /var/lib/apt/lists/*
```
@yitam can you point us to directions on how to upgrade the security of our SQL Server certificates?
@fabiang you mentioned in your original problem description that you could connect to SQL Server 2017 but not 2014. I can confirm this case now. When I first tested this, I attempted to connect to a SQL Server 2017 instance, an upgrade from an older sql server. That connection attempt failed. However, when I tried another SQL Server 2017 instance (a fresh install), it works, just as you said. This article nailed it: Changes to hashing algorithm for self-signed certificate in SQL Server 2017. @bmintz I hope the following articles help. If not, please post your feedback/questions to sql server forum directly.
@yitam
I'm closing this issue now, since this can't be fixed in pdo_sqlsrv or msodbcsql.
Works for me! Thanks!
@ALL @avfigueredo Caution: the above workaround will downgrade your OpenSSL to allow older, deprecated and insecure ciphers and can harm your security! Instead consider updating the certificates of your SQLServer instance. On most other Linux systems (e.g. Fedora, RHEL, CentOS) you can "downgrade" your cipher suite with the command
Thanks very much, thanks a lot
Just for the record if someone hits this on Ubuntu 22.04, the solution is to set No idea what that really does, seems pretty dangerous.
It lowers all possible ciphers that can be used by OpenSSL on your system for all SSL/TLS connections, so it is highly dangerous. Unfortunately it's not possible to define the ciphers per host/connection with this driver/openssl. This driver does support this, so I'll create an issue here.
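
An added example, not part of the thread and not code from the driver project: a small Python audit that flags any active `CipherString` in an openssl.cnf whose `@SECLEVEL` is below 2, which is the state the `sed` workaround quoted earlier in this thread leaves behind system-wide. The sample config is constructed, and the function names `find_lowered_seclevel` and `apply_page_workaround` are hypothetical.

```python
import re

# Constructed sample, modelled on the system-default TLS block that the sed
# command in this thread edits in /etc/ssl/openssl.cnf (not copied from a host).
SAMPLE_CNF = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
# CipherString = DEFAULT@SECLEVEL=0
CipherString = DEFAULT@SECLEVEL=2
"""


def find_lowered_seclevel(cnf_text, minimum=2):
    """Return (section, line_no, level) for every active CipherString whose
    @SECLEVEL is below `minimum`. Hypothetical helper, not an OpenSSL API."""
    findings = []
    section = "(global)"
    for line_no, raw in enumerate(cnf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() != "cipherstring":
            continue
        level = re.search(r"@SECLEVEL=(\d+)", value)
        if level and int(level.group(1)) < minimum:
            findings.append((section, line_no, int(level.group(1))))
    return findings


def apply_page_workaround(cnf_text):
    """Python equivalent of the sed substitution quoted in the thread."""
    return re.sub(r"(CipherString\s*=\s*DEFAULT@SECLEVEL=)2", r"\g<1>1", cnf_text)


if __name__ == "__main__":
    print("stock:     ", find_lowered_seclevel(SAMPLE_CNF))
    print("workaround:", find_lowered_seclevel(apply_page_workaround(SAMPLE_CNF)))
```

Run against the real file with `find_lowered_seclevel(open("/etc/ssl/openssl.cnf").read())` in an image build or host audit to find systems where the level was lowered and the server certificate still needs replacing.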
PHP Driver version or file name
5.6.1
SQL Server version
Microsoft SQL Server 2014 (SP3-CU3) (KB4491539) - 12.0.6259.0 (X64)
Apr 1 2019 22:19:54
Copyright (c) Microsoft Corporation
Enterprise Edition: Core-based Licensing (64-bit) on Windows NT 6.3 (Build 9600: )
Client operating system
Debian GNU/Linux 10 (buster)
PHP version
PHP 7.3.8
Microsoft ODBC Driver version
17.4.1.1-1
Problem description
The base images of PHP for Docker just got upgraded to Debian 10, which includes OpenSSL 1.1.1c. I am extending those base images and installing pdo_sqlsrv as PHP extensions in the latest versions.
I can't connect any longer to an Sqlserver 2014 server, which seems related to OpenSSL. The error I get is:
When I downgrade OpenSSL to version 1.1.0k the issue is gone:
The issue also doesn't occur when connecting to Sqlserver 2017 (not tested with 2019). Issue #252 seems unrelated to this one.
I guess this issue has an impact on all OS using newer OpenSSL together with Sqlserver 2014. I've also noticed problems when connecting via JDBC to Sqlserver 2012 from my local Fedora (OpenSSL 1.1.1c) in the last few days.