SSL_ERROR_SSL MSSQL handshake fail while seeding/migrating data in dockerized C sharp micro service

2

Trying to seed/migrate data from C# (C Sharp) micro service within MSSQL database container (Image is mssql-server-linux:2017-latest)...

Connection is successful

Exception message is as below

exampleapi_1 | fail: Microsoft.EntityFrameworkCore.Database.Connection[20004]
exampleapi_1 | An error occurred using the connection to database 'Domain.exampleManagement.Docker' on server 'DOMAIN-DB'.
exampleapi_1 | fail: Puma.exampleManagement.API.Program[0]
exampleapi_1 | An error occurred while migrating or seeding the database.
exampleapi_1 | Microsoft.Data.SqlClient.SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: TCP Provider, error: 35 - An internal exception was caught)
exampleapi_1 | ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
exampleapi_1 | ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
exampleapi_1 | ---> Interop+Crypto+OpenSslCryptographicException: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

Can I pass any environment variable similar to ACCEPT_EULA to disable SSL? In Connection String, I have updated Encrypted to False. Also, I could update Connection timeout to 600. Do I need to create a custom Dockerfile from this docker image as base? Should I be adding the below line to this Dockerfile?

RUN sed -i "s|TLSv1.2|TLSv1.0|g" /etc/ssl/openssl.cnf

If there is a tag with SSL enabled already in the Dockerhub repository, kindly share its link.

sql-server
docker
ssl

1 Answer

1

This workaround helped me finally with the mcr.microsoft.com/dotnet/runtime:5.0-buster-slim docker image:

RUN sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1/g' /etc/ssl/openssl.cnf
RUN sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1/g' /usr/lib/ssl/openssl.cnf
RUN sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /etc/ssl/openssl.cnf
RUN sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /usr/lib/ssl/openssl.cnf
answered on Stack Overflow Mar 8, 2021 by Benni
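
Added example, not part of the answer above: the sed lines edit the system-wide OpenSSL defaults, so every OpenSSL client in the image inherits the lower protocol floor and security level, not only the SQL Server connection. The script below audits an openssl.cnf for that downgrade; the function names and the sample config are constructed for illustration, and it assumes the policy is expressed with the `MinProtocol` and `CipherString` keys the answer targets.

```shell
# Added example: audit an openssl.cnf for the TLS policy downgrade made by the sed workaround.

# Constructed sample: the TLS policy lines the answer's sed commands target.
sample_cnf() {
cat <<'EOF'
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
EOF
}

# Same substitutions as in the answer, applied to the file given as $1 (portable, no sed -i).
apply_workaround() {
    sed -e 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1/g' \
        -e 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Returns 1 if an explicit setting is below TLSv1.2 or SECLEVEL 2, 0 otherwise
# (unset keys are reported, not failed), 2 if the file is unreadable.
# Simplification: sections are ignored; the last uncommented assignment is used.
audit_openssl_cnf() {
    cnf=$1
    [ -r "$cnf" ] || { echo "cannot read $cnf" >&2; return 2; }
    min_proto=$(sed -n 's/^[[:space:]]*MinProtocol[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$cnf" | tail -n 1)
    sec_level=$(sed -n 's/^[[:space:]]*CipherString[[:space:]]*=.*@SECLEVEL=\([0-9]\).*/\1/p' "$cnf" | tail -n 1)
    status=0
    case "$min_proto" in
        TLSv1.2|TLSv1.3|DTLSv1.2) echo "$cnf: MinProtocol=$min_proto ok" ;;
        "") echo "$cnf: MinProtocol not set" ;;
        *)  echo "$cnf: MinProtocol=$min_proto allows TLS below 1.2"; status=1 ;;
    esac
    if [ -z "$sec_level" ]; then
        echo "$cnf: no @SECLEVEL in CipherString"
    elif [ "$sec_level" -lt 2 ]; then
        echo "$cnf: SECLEVEL=$sec_level is below 2"; status=1
    else
        echo "$cnf: SECLEVEL=$sec_level ok"
    fi
    return "$status"
}

# Demo on the constructed sample: audit, apply the workaround, audit again.
tmp=$(mktemp)
sample_cnf > "$tmp"
audit_openssl_cnf "$tmp" && echo "before: policy intact"
apply_workaround "$tmp"
audit_openssl_cnf "$tmp" || echo "after: policy weakened"
rm -f "$tmp"
```

Run against `/etc/ssl/openssl.cnf` inside a built image, a non-zero exit can fail a CI step so the downgrade is a recorded decision and not a silent one.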

User contributions licensed under CC BY-SA 3.0