docker + .net5+sqlserver异常：System.Data.SqlClient.SqlException (0x80131904)。。。。(provider: SSL Provider, error: 31 - Encryption(ssl/tls) handshake failed)

 1、进入容器（容器是debian系统）,

docker exec -it 容器名（或容器id）bash

 2、进入ssl 目录 cd /etc/ssl ，查看目录下文件，可以看到openssl.cnf

 

 

 3、

使用vim打开openssl.cnf（没有vim，使用apt-get update -y ,apt-get install vim -y  安装vim），将TLSv1.2改为TLSv1，SECLEVEL改为1（SECLEVEL也要改，部署的时候SECLECEL没改，测试库连接可用，正式库报SSL 31错误，不明白为什么）。

 

 

 

 

 

4、重启容器，docker stop cstest(容器名)，docker start cstest（容器名）

 

5、或者使用Dockerfile，增加 

#sql server 连接异常问题 不要用1.0，测试环境不行
#MinProtocol TLSv1.2 =》 TLSv1 && CipherString 修改，两个都改，qa和正式连接都可以。
#MinProtocol TLSv1.2 =》 TLSv1 && CipherString 不改，测试库连接可用，正式库不可用
#MinProtocol TLSv1.2 =》 TLSv1.0 && CipherString 不改，正式库连接可用，测试库不可用

RUN sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1/' /etc/ssl/openssl.cnf \
&& sed -i 's/CipherString = DEFAULT@SECLEVEL=2/CipherString = DEFAULT@SECLEVEL=1/' /etc/ssl/openssl.cnf

 

对于已经运行起来的容器

docker exec cstest(容器名或容器id) sed -i 's/TLSv1.2/TLSv1.0/g' /etc/ssl/openssl.cnf

然后对容器stop 再start。

 

ps：崩溃的是，同一个系统用到sqlserver和mysql两种连接，sqlserver改了TSL协议好了，mysql好好的连接又不行了。心累啊心累

解决方案：将mysql连接字符串增加SslMode=none，禁用SSL就可以了。

ps：sql server的连接字符串中：TrustServerCertificate = true; MultipleActiveResultSets=true;  不知道TrustServerCertificate 这个设置有没有用，后边再验证吧

 

sql server  详细错误信息：

ystem.Data.SqlClient.SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 31 - Encryption(ssl/tls) handshake failed)
 ---> System.IO.EndOfStreamException: End of stream reached
   at System.Data.SqlClient.SNI.SslOverTdsStream.ReadInternal(Byte[] buffer, Int32 offset, Int32 count, CancellationToken token, Boolean async)
   at System.Data.SqlClient.SNI.SslOverTdsStream.Read(Byte[] buffer, Int32 offset, Int32 count)
   at System.IO.Stream.Read(Span`1 buffer)
   at System.Net.Security.SslStream.FillHandshakeBufferAsync[TIOAdapter](TIOAdapter adapter, Int32 minSize)
   at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at System.Net.Security.SslStream.ProcessAuthentication(Boolean isAsync, Boolean isApm, CancellationToken cancellationToken)
   at System.Net.Security.SslStream.AuthenticateAsClient(SslClientAuthenticationOptions sslClientAuthenticationOptions)
   at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
   at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost)
   at System.Data.SqlClient.SNI.SNITCPHandle.EnableSsl(UInt32 options)
   at System.Data.SqlClient.SNI.SNIProxy.EnableSsl(SNIHandle handle, UInt32 options)
   at System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection)
   at System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection)
   at System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection)
   at System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions)
   at System.Data.ProviderBase.DbConnectionClosed.TryOpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions)
   at System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry)
   at System.Data.SqlClient.SqlConnection.Open()

更改TSL版本后，mysql连接异常详细信息：

System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
 ---> Interop+Crypto+OpenSslCryptographicException: error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available
   --- End of inner exception stack trace ---

关于TLSv1 、TLSv1.0、TLSv1.1、TLSv1.2关系：