Support TDS 8.0 (was: Issue connecting linux box using freeTDS 1.4.17 to MSSQL 2016 by enforcing TLS 1.3) #592
Comments
There's a bit of confusion. See https://www.freetds.org/userguide/ChoosingTdsProtocol.html. TLS protocol is one thing, TDS another. As the document you pointed out states, your MSSQL 2016 does not support TDS 8.0, so FreeTDS should be able to connect to it.
Hi freddyy77, Thank you for the quick response. Did I understand correctly, you are saying that the latest freeTDS doesn't support Microsoft TDS 8.0 as described in https://learn.microsoft.com/en-us/sql/relational-databases/security/networking/tds-8?view=sql-server-ver16#how-tds-works ? Regards,
No, FreeTDS at the moment does not support TDS 8.0. It's not clear how you restrict TLS 1.3 on the client; the client is FreeTDS. Did you change OpenSSL/GnuTLS settings? Yesterday I tried to connect to a machine with MSSQL 2022 in strict mode. Not hard to get it connected, I had to change the code, but it's not a hard change. But on MS this setting came with a lot of changes like forcing certificate validation.
Added
Hi freddyy77, Thank you very much for the help. I will try the latest code from the master branch.
There's no plan. I simply had tried to set up the server on Linux some time ago and failed (apparently it simply cannot be done on Linux). I had some time this weekend so I tried with a Windows server and it worked. I think Microsoft got you really confused with this TLS/TDS thing. There was no reason to bind the two, in the sense that MSSQL 2000 (yes!) could be changed to support TLS 1.3, if only Microsoft wanted to do it! And they could have supported full standard TLS with TDS 8.0 even using TLS 1.0 or SSL 3 if they wanted to. About TDS 8.0, the difference between the version numbers (7.4 and 8.0) seems huge but in practice is pretty small. But usually you want to bump the major number for incompatible changes. The TDS protocol (like HTTP and like TLS) dialog is initiated by the client. In this case, if the client decided to use TDS 8.0 connecting to a server not supporting it, the server won't understand it and will close the connection, hence the incompatibility. If an older client connects to a server supporting TDS 8.0, the server can detect it and decide to handle it (that's what happens if you don't force strict mode on the server). What's the protocol difference between TDS 7.4 and TDS 8.0? The TLS handshake is done at socket level... that's it! Internally (to the encrypted socket) the protocol is still using version 7.4. But the main differences are settings. If you decide to use TDS 8.0 or Strict encryption (basically one mandates the other) you need to have stricter certificate checking (never trusted) and add some settings (server certificate, new encryption setting, certificate name). Currently (using
Hi freddyy77, Thank you very much for your time and explanation, it is appreciated.
@BiljanaB can I close this issue? Or maybe change to something like "support TDS 8.0" ?
Hi freddy77,
Hi,
I have downloaded the latest freeTDS 1.4.17 and tried to connect to MSSQL 2016 by restricting TLS to use only TLS 1.3 on both the MSSQL server side and the Linux (client) side.
When I tried to connect using the tsql tool I got the following errors:
Error 20017 (severity 9):
Unexpected EOF from the server
Error 20002 (severity 9):
Adaptive Server connection failed
Error 20002 (severity 9):
Adaptive Server connection failed
OS error 110, "Connection timed out"
When I check the pcap logs I can see the following sequence:
First there is the TCP handshake and then the TDS prelogin, which is encrypted. This looks strange to me since it is documented that for TDS 8.0 the sequence should be: "TCP handshake -> TLS handshake -> TDS prelogin (encrypted) and response (encrypted)"
I have tried setting the protocol version to 8.0 but in the freetds logs I can see that it can't be recognized:
"(config.c:952):error: no such version: 8.0"
Does freeTDS support Microsoft TDS 8.0 mentioned in https://learn.microsoft.com/en-us/sql/relational-databases/security/networking/tds-8?view=sql-server-ver16#how-tds-works?
Regards,
Biljana
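
As an added example (not code from FreeTDS or from this thread), the sketch below classifies the first client payloads of a capture to tell the two orderings discussed above apart: TLS directly on the socket (TDS 8.0) versus a TDS PRELOGIN packet first. It assumes the TDS 7.x behaviour documented in MS-TDS, where the later TLS handshake is carried inside PRELOGIN-type packets; the function names and sample bytes are constructed for illustration.

```python
import struct

TDS_PRELOGIN = 0x12   # TDS packet type PRELOGIN; TDS 7.x also carries TLS handshake records in it
TLS_HANDSHAKE = 0x16  # TLS record content type "handshake"

def is_tls_handshake_record(data):
    # TLS record header: content type (1), legacy version (2), length (2)
    return len(data) >= 5 and data[0] == TLS_HANDSHAKE and data[1] == 0x03

def tds_packet(body):
    # TDS header: type, status (0x01 = end of message), total length, SPID, packet id, window
    return struct.pack(">BBHHBB", TDS_PRELOGIN, 0x01, 8 + len(body), 0, 1, 0) + body

def classify_client_payload(payload):
    """Classify one client-to-server TCP payload of a SQL Server connection."""
    if is_tls_handshake_record(payload):
        return "raw-tls"            # TLS directly on the socket (TDS 8.0 ordering)
    if len(payload) >= 8 and payload[0] == TDS_PRELOGIN:
        (length,) = struct.unpack(">H", payload[2:4])
        if length < 8:
            return "malformed-tds"
        if length > len(payload):
            return "truncated-tds"  # rest of the packet is in a later TCP segment
        if is_tls_handshake_record(payload[8:length]):
            return "tls-in-tds"     # TLS handshake tunnelled inside TDS packets (TDS 7.x)
        return "tds-prelogin"       # cleartext PRELOGIN option table
    return "unknown"

def connection_style(client_payloads):
    """Name the ordering from the first client payload after the TCP handshake."""
    if not client_payloads:
        return "no-data"
    first = classify_client_payload(client_payloads[0])
    return {"raw-tls": "tds-8.0-style", "tds-prelogin": "tds-7.x-style"}.get(first, "undetermined")

# Constructed sample payloads (not from a real capture).
CLIENT_HELLO_STUB = bytes([0x16, 0x03, 0x01, 0x00, 0x04, 0x01, 0x00, 0x00, 0x00])
# PRELOGIN body: VERSION option (token 0, offset 6, length 6), 0xFF terminator, 6 data bytes
PRELOGIN_STUB = tds_packet(bytes([0x00, 0x00, 0x06, 0x00, 0x06, 0xFF]) + bytes(6))

if __name__ == "__main__":
    old_client = [PRELOGIN_STUB, tds_packet(CLIENT_HELLO_STUB)]
    print([classify_client_payload(p) for p in old_client], connection_style(old_client))
    print(connection_style([CLIENT_HELLO_STUB]))
```

A server in strict mode expects the "raw-tls" case first, so a "tds-prelogin" first payload from the client is the signature of a pre-8.0 client in the capture.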