.NET 5 + Microsoft.Data.SqlClient - 从传输流中收到意外的 EOF 或 0 字节

2021-11-26 00:00:00 ssl sql-server .net-5

我将我的应用从 .NET Core 3.1 更新到 .NET 5,但现在我无法打开到我的 SQL Server 数据库的连接.最里面的异常错误信息是

I updated my app from .NET Core 3.1 to .NET 5 and now I cant open a connection to my SQL Server database. The innermost exception error message is

从传输流中收到意外的 EOF 或 0 字节.

Received an unexpected EOF or 0 bytes from the transport stream.

顶级错误信息是

已成功与服务器建立连接,但在登录前握手期间发生错误.(提供者:SSL 提供者,错误:31 - 加密(ssl/tls)握手失败)

A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 31 - Encryption(ssl/tls) handshake failed)

除了 .NET 5 的版本,我只更新了基础镜像,从 3.1-bionic5.0.3-focal-amd64

Other than the version of the .NET 5, I only updated the base image, from 3.1-bionic to 5.0.3-focal-amd64

还有什么我应该做的吗?

Is there anything I'm also supposed to do?

编辑 1:
我发现 这篇文章 似乎与我正在经历的事情密切相关.但是在将我的 CipherString 更改为建议的值后,我对错误没有任何改变.一样.也许有一个 CipherString = ANY?

EDIT 1:
I found this article that seems closely related to what im going by. But after altering my CipherString to the values suggested, I got no change on the error. Same thing. Perhaps there's a CipherString = ANY?

推荐答案

注意

Microsoft 推荐的操作是通过升级您的 SQL Server 以支持 TLS v1.2 来提高安全性

The Microsoft-recommended action is to improve security by upgrading your SQL Servers to support TLS v1.2

参考资料:

  • SqlClient 故障排除指南
  • 如何启用 TLS 1.2
  • KB3135244 - 对 Microsoft SQL Server 的 TLS 1.2 支持

但是,如果您无法升级您的 SQL Server 以支持 TLS v1.2,您可以影响可用的密码套件以通过编辑 /etc/ssl/openssl 来实现协商的客户端协议的降级.cnf 文件.

If, however, you are unable to upgrade your SQL Server to support TLS v1.2 you are able to influence the available ciphersuites to effect a downgrade of the client protocols negotiated by editing the /etc/ssl/openssl.cnf file.

因为 Alpine 容器是最基本的,所以从安装你最喜欢的编辑器开始,例如:

Because Alpine containers are bare bones, start by installing your favorite editor, e.g.:

apt-get update
apt-get install nano

编辑您的 /etc/ssl/openssl.cnf 以将以下行放在文件的开头:

Edit your /etc/ssl/openssl.cnf to place the following line at the beginning of the file:

openssl_conf = default_conf

文件末尾的以下几行:

########## Override default settings to enable TLS v1.0 and 1.1 ##########

[ default_conf ]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=1
#It really should be:
#CipherString = DEFAULT:@SECLEVEL=2

这将影响容器中所有启用 openssl 的进程.您可以使用以下命令在更改前后测试连接性:

This will affect all openssl-enabled processes in the container. You can test connectivity before and after changes using the commands:

# Test TLS v1.0 connectivity
openssl s_client -host google.com -port 443 -tls1

# Test TLS v1.1 connectivity
openssl s_client -host google.com -port 443 -tls1_1

相关文章