問題描述

我將我的應用程序從 .NET Core 3.1 更新到 .NET 5，但現在我無法打開到我的 SQL Server 數據庫的連接.最里面的異常錯誤信息是

I updated my app from .NET Core 3.1 to .NET 5 and now I cant open a connection to my SQL Server database. The innermost exception error message is

從傳輸流中收到意外的 EOF 或 0 字節.

Received an unexpected EOF or 0 bytes from the transport stream.

頂級錯誤信息是

已成功與服務器建立連接，但在登錄前握手期間發生錯誤.(提供者:SSL 提供者，錯誤:31 - 加密(ssl/tls)握手失敗)

A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 31 - Encryption(ssl/tls) handshake failed)

除了 .NET 5 的版本，我只更新了基礎鏡像，從 3.1-bionic 到 5.0.3-focal-amd64

Other than the version of the .NET 5, I only updated the base image, from 3.1-bionic to 5.0.3-focal-amd64

還有什么我應該做的嗎?

Is there anything I'm also supposed to do?

編輯 1:
我發現 這篇文章 似乎與我正在經歷的事情密切相關.但是在將我的 CipherString 更改為建議的值后，我對錯誤沒有任何改變.一樣.也許有一個 CipherString = ANY?

EDIT 1:
I found this article that seems closely related to what im going by. But after altering my CipherString to the values suggested, I got no change on the error. Same thing. Perhaps there's a CipherString = ANY?

推薦答案

注意

Microsoft 建議的操作是通過升級您的 SQL Server 以支持 TLS v1.2 來提高安全性

The Microsoft-recommended action is to improve security by upgrading your SQL Servers to support TLS v1.2

參考資料:

• SqlClient 故障排除指南
• 如何啟用 TLS 1.2
• KB3135244 - Microsoft SQL Server 的 TLS 1.2 支持

但是，如果您無法升級您的 SQL Server 以支持 TLS v1.2，您可以影響可用的密碼套件，以通過編輯 /etc/ssl/openssl 來實現協商的客戶端協議的降級.cnf 文件.

If, however, you are unable to upgrade your SQL Server to support TLS v1.2 you are able to influence the available ciphersuites to effect a downgrade of the client protocols negotiated by editing the /etc/ssl/openssl.cnf file.

因為 Alpine 容器是裸機，請先安裝您最喜歡的編輯器，例如:

Because Alpine containers are bare bones, start by installing your favorite editor, e.g.:

apt-get update
apt-get install nano

編輯您的 /etc/ssl/openssl.cnf 以將以下行放在文件的開頭:

Edit your /etc/ssl/openssl.cnf to place the following line at the beginning of the file:

openssl_conf = default_conf

文件末尾的以下幾行:

########## Override default settings to enable TLS v1.0 and 1.1 ##########

[ default_conf ]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=1
#It really should be:
#CipherString = DEFAULT:@SECLEVEL=2

這將影響容器中所有啟用 openssl 的進程.您可以使用以下命令在更改前后測試連接性:

This will affect all openssl-enabled processes in the container. You can test connectivity before and after changes using the commands:

# Test TLS v1.0 connectivity
openssl s_client -host google.com -port 443 -tls1

# Test TLS v1.1 connectivity
openssl s_client -host google.com -port 443 -tls1_1

這篇關于.NET 5 + Microsoft.Data.SqlClient - 從傳輸流中收到意外的 EOF 或 0 字節的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網！