runliuv

runliuv@cnblogs


 

1. C# / .NET Core (.NET 8) connecting to SQL Server 2008 R2 fails with: The certificate chain was issued by an authority that is not trusted

Error message:

A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - 证书链是由不受信任的颁发机构颁发的。)

 

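Solution:

Add the following to the connection string. It tells the client to accept the server's certificate without validating its chain: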

TrustServerCertificate=true;

 

Microsoft's guidance:

https://learn.microsoft.com/zh-cn/troubleshoot/sql/database-engine/connect/certificate-chain-not-trusted?tabs=ole-db-driver-19

 

2. If you get this error:

Connection Timeout Expired.  The timeout period elapsed during the post-login phase.  The connection could have timed out while waiting for server to complete the login process and respond; Or it could have timed out while attempting to create multiple active connections.  The duration spent while attempting to connect to this server was - [Pre-Login] initialization=22; handshake=145; [Login] initialization=1; authentication=2; [Post-Login] complete=14006; 

Solution:

Install Service Pack 3 (SP3) on SQL Server 2008 R2.

 

Version of SQL Server 2008 R2 before patching:

Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64)

 

Version of SQL Server 2008 R2 with SP3 installed:

Microsoft SQL Server 2008 R2 (SP3) - 10.50.6000.34 (X64)

 

3. If you get this error:

A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 31 - Encryption(ssl/tls) handshake failed)

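Cause: in Docker, .NET 8 defaults to a minimum of TLS 1.2, while SQL Server 2008 R2 supports at most TLS 1.0.

Solution: in the Docker image, lower OpenSSL's minimum version from TLS 1.2 to TLS 1.0.

The Dockerfile commands for this change: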

# The following configuration applies to OpenSSL 3.0: change TLSv1.2 to TLSv1
# https://askubuntu.com/questions/1436476/ubuntu-22-04-sqlcmd-can-not-connect-to-ms-sql-server-2016/1445405#1445405

# openssl.cnf  ****begin****
# openssl_conf = openssl_init

# [openssl_init]
# providers = provider_sect
# ssl_conf = ssl_sect
# 
# [provider_sect]
# default = default_sect
# legacy = legacy_sect
# 
# [default_sect]
# activate = 1
# 
# [legacy_sect]
# activate = 1
# 
# [ssl_sect]
# system_default = system_default_sect
# 
# [system_default_sect]
# CipherString = DEFAULT:@SECLEVEL=0  
# openssl.cnf ****end****

# Modify the default openssl.cnf configuration


RUN sed -i 's/\[openssl_init\]/# \[openssl_init\]/g' /etc/ssl/openssl.cnf
RUN sed -i '$a\[openssl_init]' /etc/ssl/openssl.cnf
RUN sed -i '$a\providers = provider_sect' /etc/ssl/openssl.cnf
RUN sed -i '$a\ssl_conf = ssl_sect' /etc/ssl/openssl.cnf
 
RUN sed -i '$a\[provider_sect]' /etc/ssl/openssl.cnf
RUN sed -i '$a\default = default_sect' /etc/ssl/openssl.cnf
RUN sed -i '$a\legacy = legacy_sect' /etc/ssl/openssl.cnf
 
RUN sed -i '$a\[default_sect]' /etc/ssl/openssl.cnf
RUN sed -i '$a\activate = 1' /etc/ssl/openssl.cnf
 
RUN sed -i '$a\[legacy_sect]' /etc/ssl/openssl.cnf
RUN sed -i '$a\activate = 1' /etc/ssl/openssl.cnf
 
RUN sed -i '$a\[ssl_sect]' /etc/ssl/openssl.cnf
RUN sed -i '$a\system_default = system_default_sect' /etc/ssl/openssl.cnf
 
RUN sed -i '$a\[system_default_sect]' /etc/ssl/openssl.cnf
RUN sed -i '$a\CipherString = DEFAULT:@SECLEVEL=0' /etc/ssl/openssl.cnf

 

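Lines starting with # are comments and do not need to be written into the Dockerfile.

Alternatively, here is another form, which also worked when tested: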

RUN sed -i 's|\[openssl_init\]|&\nssl_conf = ssl_configuration\n[ssl_configuration]\nsystem_default = tls_system_default\n[tls_system_default]\nMinProtocol = TLSv1\nCipherString = DEFAULT@SECLEVEL=0|' /etc/ssl/openssl.cnf

 

With this form, the contents of openssl.cnf look roughly like this:

[openssl_init]
ssl_conf = ssl_configuration

[ssl_configuration]
system_default = tls_system_default

[tls_system_default]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=0

 

The minimum TLS version is set to 1.0, and DEFAULT@SECLEVEL is set to 0.
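As an added example (not code from the original post): a shell check that resolves which MinProtocol and CipherString an openssl.cnf actually applies after either sed edit above, usable as a build-time assertion or to find images where the TLS floor was lowered for every OpenSSL connection in the container. The function names are this example's own, and it assumes that a later assignment to the same section and key overrides an earlier one.

```shell
#!/bin/sh
# Added example (not from the original post): report the system-wide TLS
# defaults that an openssl.cnf applies, by following
# openssl_conf -> ssl_conf -> system_default as in the sections above.

# tls_defaults FILE: prints "MinProtocol=<v> CipherString=<v>" ("unset" if absent)
tls_defaults() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
    BEGIN { sec = "default" }
    {
        sub(/#.*/, "")                       # strip comments
        line = trim($0)
        if (line ~ /^\[.*\]$/) {             # section header such as "[ ssl_sect ]"
            sec = trim(substr(line, 2, length(line) - 2)); next
        }
        eq = index(line, "=")
        if (eq == 0) next
        # assumption: a later assignment to the same section/key replaces the earlier one
        val[sec, trim(substr(line, 1, eq - 1))] = trim(substr(line, eq + 1))
    }
    END {
        sd = val[val[val["default", "openssl_conf"], "ssl_conf"], "system_default"]
        mp = val[sd, "MinProtocol"];  if (mp == "") mp = "unset"
        cs = val[sd, "CipherString"]; if (cs == "") cs = "unset"
        print "MinProtocol=" mp " CipherString=" cs
    }' "$1"
}

# tls_floor_lowered FILE: succeeds if SECLEVEL=0 or MinProtocol TLSv1/TLSv1.1 is in effect
tls_floor_lowered() {
    case "$(tls_defaults "$1")" in
        *SECLEVEL=0*|*MinProtocol=TLSv1\ *|*MinProtocol=TLSv1.1\ *) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: the second form shown above, written to a scratch file.
sample=$(mktemp)
printf '%s\n' 'openssl_conf = openssl_init' '[openssl_init]' \
    'ssl_conf = ssl_configuration' '[ssl_configuration]' \
    'system_default = tls_system_default' '[tls_system_default]' \
    'MinProtocol = TLSv1' 'CipherString = DEFAULT@SECLEVEL=0' > "$sample"
tls_defaults "$sample"
tls_floor_lowered "$sample" && echo "TLS floor lowered system-wide in $sample"
rm -f "$sample"
```

In a Dockerfile, running `tls_defaults /etc/ssl/openssl.cnf` right after the sed step shows whether the edit matched anything, since sed exits successfully even when its pattern is not found.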

--

 

posted on 2024-05-18 10:32  runliuv