問題描述

我將我的應(yīng)用程序從 .NET Core 3.1 更新到 .NET 5，但現(xiàn)在我無法打開到我的 SQL Server 數(shù)據(jù)庫(kù)的連接.最里面的異常錯(cuò)誤信息是

I updated my app from .NET Core 3.1 to .NET 5 and now I cant open a connection to my SQL Server database. The innermost exception error message is

從傳輸流中收到意外的 EOF 或 0 字節(jié).

Received an unexpected EOF or 0 bytes from the transport stream.

頂級(jí)錯(cuò)誤信息是

已成功與服務(wù)器建立連接，但在登錄前握手期間發(fā)生錯(cuò)誤.(提供者:SSL 提供者，錯(cuò)誤:31 - 加密(ssl/tls)握手失敗)

A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 31 - Encryption(ssl/tls) handshake failed)

除了 .NET 5 的版本，我只更新了基礎(chǔ)鏡像，從 3.1-bionic 到 5.0.3-focal-amd64

Other than the version of the .NET 5, I only updated the base image, from 3.1-bionic to 5.0.3-focal-amd64

還有什么我應(yīng)該做的嗎?

Is there anything I'm also supposed to do?

編輯 1:
我發(fā)現(xiàn) 這篇文章 似乎與我正在經(jīng)歷的事情密切相關(guān).但是在將我的 CipherString 更改為建議的值后，我對(duì)錯(cuò)誤沒有任何改變.一樣.也許有一個(gè) CipherString = ANY?

EDIT 1:
I found this article that seems closely related to what im going by. But after altering my CipherString to the values suggested, I got no change on the error. Same thing. Perhaps there's a CipherString = ANY?

推薦答案

注意

Microsoft 建議的操作是通過升級(jí)您的 SQL Server 以支持 TLS v1.2 來提高安全性

The Microsoft-recommended action is to improve security by upgrading your SQL Servers to support TLS v1.2

參考資料:

• SqlClient 故障排除指南
• 如何啟用 TLS 1.2
• KB3135244 - Microsoft SQL Server 的 TLS 1.2 支持

但是，如果您無法升級(jí)您的 SQL Server 以支持 TLS v1.2，您可以影響可用的密碼套件，以通過編輯 /etc/ssl/openssl 來實(shí)現(xiàn)協(xié)商的客戶端協(xié)議的降級(jí).cnf 文件.

If, however, you are unable to upgrade your SQL Server to support TLS v1.2 you are able to influence the available ciphersuites to effect a downgrade of the client protocols negotiated by editing the /etc/ssl/openssl.cnf file.

因?yàn)?Alpine 容器是裸機(jī)，請(qǐng)先安裝您最喜歡的編輯器，例如:

Because Alpine containers are bare bones, start by installing your favorite editor, e.g.:

apt-get update
apt-get install nano

編輯您的 /etc/ssl/openssl.cnf 以將以下行放在文件的開頭:

Edit your /etc/ssl/openssl.cnf to place the following line at the beginning of the file:

openssl_conf = default_conf

文件末尾的以下幾行:

########## Override default settings to enable TLS v1.0 and 1.1 ##########

[ default_conf ]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=1
#It really should be:
#CipherString = DEFAULT:@SECLEVEL=2

這將影響容器中所有啟用 openssl 的進(jìn)程.您可以使用以下命令在更改前后測(cè)試連接性:

This will affect all openssl-enabled processes in the container. You can test connectivity before and after changes using the commands:

# Test TLS v1.0 connectivity
openssl s_client -host google.com -port 443 -tls1

# Test TLS v1.1 connectivity
openssl s_client -host google.com -port 443 -tls1_1

這篇關(guān)于.NET 5 + Microsoft.Data.SqlClient - 從傳輸流中收到意外的 EOF 或 0 字節(jié)的文章就介紹到這了，希望我們推薦的答案對(duì)大家有所幫助，也希望大家多多支持html5模板網(wǎng)！