.NET 5 + Microsoft.Data.SqlClient - 从传输流中收到意外的 EOF 或 0 字节
我将我的应用从 .NET Core 3.1 更新到 .NET 5,但现在我无法打开到我的 SQL Server 数据库的连接.最里面的异常错误信息是
I updated my app from .NET Core 3.1 to .NET 5 and now I cant open a connection to my SQL Server database. The innermost exception error message is
从传输流中收到意外的 EOF 或 0 字节.
Received an unexpected EOF or 0 bytes from the transport stream.
顶级错误信息是
已成功与服务器建立连接,但在登录前握手期间发生错误.(提供者:SSL 提供者,错误:31 - 加密(ssl/tls)握手失败)
A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 31 - Encryption(ssl/tls) handshake failed)
除了 .NET 5 的版本,我只更新了基础镜像,从 3.1-bionic
到 5.0.3-focal-amd64
Other than the version of the .NET 5, I only updated the base image, from 3.1-bionic
to 5.0.3-focal-amd64
还有什么我应该做的吗?
Is there anything I'm also supposed to do?
编辑 1:
我发现 这篇文章 似乎与我正在经历的事情密切相关.但是在将我的 CipherString
更改为建议的值后,我对错误没有任何改变.一样.也许有一个 CipherString = ANY
?
EDIT 1:
I found this article that seems closely related to what im going by. But after altering my CipherString
to the values suggested, I got no change on the error. Same thing. Perhaps there's a CipherString = ANY
?
推荐答案
注意
Microsoft 推荐的操作是通过升级您的 SQL Server 以支持 TLS v1.2 来提高安全性
The Microsoft-recommended action is to improve security by upgrading your SQL Servers to support TLS v1.2
参考资料:
- SqlClient 故障排除指南
- 如何启用 TLS 1.2
- KB3135244 - 对 Microsoft SQL Server 的 TLS 1.2 支持
但是,如果您无法升级您的 SQL Server 以支持 TLS v1.2,您可以影响可用的密码套件以通过编辑 /etc/ssl/openssl 来实现协商的客户端协议的降级.cnf
文件.
If, however, you are unable to upgrade your SQL Server to support TLS v1.2 you are able to influence the available ciphersuites to effect a downgrade of the client protocols negotiated by editing the /etc/ssl/openssl.cnf
file.
因为 Alpine 容器是最基本的,所以从安装你最喜欢的编辑器开始,例如:
Because Alpine containers are bare bones, start by installing your favorite editor, e.g.:
apt-get update
apt-get install nano
编辑您的 /etc/ssl/openssl.cnf
以将以下行放在文件的开头:
Edit your /etc/ssl/openssl.cnf
to place the following line at the beginning of the file:
openssl_conf = default_conf
文件末尾的以下几行:
########## Override default settings to enable TLS v1.0 and 1.1 ##########
[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=1
#It really should be:
#CipherString = DEFAULT:@SECLEVEL=2
这将影响容器中所有启用 openssl 的进程.您可以使用以下命令在更改前后测试连接性:
This will affect all openssl-enabled processes in the container. You can test connectivity before and after changes using the commands:
# Test TLS v1.0 connectivity
openssl s_client -host google.com -port 443 -tls1
# Test TLS v1.1 connectivity
openssl s_client -host google.com -port 443 -tls1_1
相关文章