SQL Server error 31 - "Encryption(ssl/tls) handshake failed", in an AWS Lambda function
I have an AWS Lambda function (REST Api), which has been running for years, that just queries a stored procedure on a remote SQL Server. I wanted to make some changes to it and took the opportunity to update the code, since its target framework is .NET Core 2.1.
So I created a new C# project targeting .NET 8.0 and using the 'Lambda ASP.NET Core Web Minimal API' template. By the way, I had a hard time getting it to work, but I finally did it thanks to this article: Building Serverless .NET Minimal API (using Controller) with AWS Lambda.
But now I get this exception when I try to connect to my SQL Server:
A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 31 - Encryption(ssl/tls) handshake failed)
With this inner exception:
System.IO.IOException: Received an unexpected EOF or 0 bytes from the transport stream.
In the research I've done, almost everywhere says this exception has to do with using TLS 1.2 to connect to SQL Server. I have tried many solutions but without success.
This is the SQL Server environment (it is hosted on a local cloud server provider):
- Windows Server 2008 R2 Datacenter (64-bit) SP1 (version 6.1 build 7601)
- Microsoft SQL Server 2012
- Exposed via an HTTP URL (we don't have HTTPS option there)
And this is the connection string I'm using:
$"Data Source={serverUrl};Initial Catalog={database};User ID={username};Password={pwd};"
Things I've tried so far:
- Updated SQL Server 2012 from SP3 to SP4 (version
11.0.7507now). - Enabled TLS 1.2 in Database server via RegEdit (TLS 1.2 support for Microsoft SQL Server).
- Added
TrustServerCertificate=True,Encrypt=FalseandMultiSubnetFailover=Truein the connection string. - Changed from
System.Data.SqlClient(version 4.8.6) toMicrosoft.Data.SqlClient(version 5.2.0).
-- EDIT 1 --
After some exchange of information with users AlwaysLearning and Charlieface in the comments section, I've tried capturing more information using WireShark at the server, so I'll post some screenshots of that. I've used tcp port 1433 as a capture filter, and then I've used ssl as display filter.
When I execute the old AWS Lambda function (running on .NET Core 2.1), it communicates with the server using TLS v1.2 already, and it works:
But when I execute the new AWS Lambda function (running on .NET 8.0), it also communicates using TLS v1.2, but it's a bit different, at first it says it's TLSv1, but inside the message it says it's TLS v1.2 also:
And there are some extensions (marked in yellow) that were not used in the call that it's working:
I guess some of those are the problem, maybe psk_key_exchange_modes and key_share?
Is it expecting some kind of key that I don't have?
-- EDIT 2 --
Looking at the Server Hello message that's exchanged between client and server when the old function is executed, it seems that TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) was the Cipher Suite used in the handshake protocol:
Those are the Cipher Suites listed in the Client Hello message when the old function is executed:
When the new function is executed, this Cipher Suite (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)) is not listed in the Client Hello message:
After some research, I discovered that it is unusual that in a TLS handshake process the server receives a Client Hello message from the client and just ends the "conversation" abruptly with a [FIN, ACK] message, rather than a Server Hello response or an alert message demonstrating any problem that may have occurred when parsing the Client Hello message.
Then I read somewhere that this unusual behavior could be caused by some issue with the Cipher Suites or some issue related to the certificate. I didn't have a certificate on the server, so I started wondering if that could be the problem. So I searched for a way to use the free TLS certificate generator Let's Encrypt with SQL Server and found this article:
- Encrypting SQL Server connections with Let’s Encrypt certificates
(by Daniel Hutmacher, in 2017)
And this other article also has some good advice on how to configure a TLS certificate in SQL Server:
- Enable TLS on SQL Server
(by Surender Kumar, in 2022)
After installing the TLS certificate on the server and associating it with SQL Server, the connection to SQL Server in the new AWS Lambda function started working!
- Which of definitions of database schema is correct?
- How to get isolation level in EF for MSSQL?
- Generate SQL Create Scripts for existing tables with query
- Insert multiple rows WITHOUT repeating the "INSERT INTO ..." part of the statement?
- Index for two columns that will be used in an operation on where clause?
- How do you update a datetime field in a table every time another field in the same table gets updated?
- Pros & Cons of TRUNCATE vs DELETE FROM
- comparing and contrasting Sybase and SQL Server
- How does sql server choose values in an update statement where there are multiple options?
- How to disconnect all users in sql server except sa?
- Select Consecutive Numbers in SQL
- SQL Find consecutive numbers in groups
- Spring Quartz configuration for connecting MS SQL server
- The most elegant way to generate permutations in SQL server
- Check column has 'letter' or '-' then bring value from another column
- Reading child XML node from column
- Combine JSON objects from multiple rows into a single object
- Find all stored procedures that reference a specific column in some table
- Laravel 10 stopped working with SQL Server Database
- Using TransactionScope around a stored procedure with transaction in SQL Server 2014
- Entity storing it's status as a FK to a status table. Can I update the FK once the status changes?
- How can I convert a Sql Server 2008 DateTimeOffset to a DateTime
- I need to replace old path's images to new path with the same image
- Format date as yyyy-mm-dd hh:mm:ss.000
- Does a foreign key automatically create an index?
- How do I select only the latest entry in a table for each group so each 'latest' is a single row?
- "The certificate chain was issued by an authority that is not trusted" when connecting DB in VM Role from Azure website
- Kafka Connect SqlServer Configuration (SSL)
- SQL-Server: Is there a SQL script that I can use to determine the progress of a SQL Server backup or restore process?
- TSQL Email Validation (without regex)