
macOS Catalina and Azure Data Studio 1.10.0 = error: 31 - Encryption(ssl/tls) handshake failed #6949

Closed
stona1 opened this issue Aug 26, 2019 · 16 comments

Comments


stona1 commented Aug 26, 2019

  • Azure Data Studio Version:
    Version: 1.10.0
    Commit: 5fdb967
    Date: 2019-08-14T18:12:56.165Z
    VS Code 1.37.0
    Electron: 4.2.7
    Chrome: 69.0.3497.128
    Node.js: 10.11.0
    V8: 6.9.427.31-electron.0
    OS: Darwin x64 19.0.0

Steps to Reproduce:

Important: Problem only appears on beta macOS Catalina (aka 10.15 Beta)

  1. Open Azure Data Studio
  2. Try to connect to MS SQL Database (SQL 2008 R2)
  3. It shows an error like the one below:
    "A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 31 - Encryption(ssl/tls) handshake failed)"

The same steps done on macOS 10.14 work OK.

@stona1 stona1 changed the title macOS Catalina and Azure Data Studio 1.10.0 error: 31 - Encryption(ssl/tls) handshake failed macOS Catalina and Azure Data Studio 1.10.0 = error: 31 - Encryption(ssl/tls) handshake failed Aug 26, 2019
Charles-Gagnon (Contributor) commented

I'm closing this out as we don't support issues on beta OSes. If this continues to be an issue after the new version is officially released let us know and we can investigate at that time!


huyungtang commented Oct 8, 2019

Version: 1.12.1
Commit: cccb932
Date: 2019-10-07T19:26:59.245Z
VS Code 1.37.0
Electron: 4.2.9
Chrome: 69.0.3497.128
Node.js: 10.11.0
V8: 6.9.427.31-electron.0
OS: Darwin x64 19.0.0

********** macOS Catalina officially released **********
********** macOS updated on 2019/10/08 **********

System.Data.SqlClient.SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 31 - Encryption(ssl/tls) handshake failed) ---> System.Security.Cryptography.CryptographicException: Error occurred during a cryptographic operation.
   at Internal.Cryptography.Pal.SecTrustChainPal.ParseResults(SafeX509ChainHandle chainHandle, X509RevocationMode revocationMode)
   at Internal.Cryptography.Pal.SecTrustChainPal.Execute(DateTime verificationTime, Boolean allowNetwork, OidCollection applicationPolicy, OidCollection certificatePolicy, X509RevocationFlag revocationFlag)
   at Internal.Cryptography.Pal.ChainPal.BuildChain(Boolean useMachineContext, ICertificatePal cert, X509Certificate2Collection extraStore, OidCollection applicationPolicy, OidCollection certificatePolicy, X509RevocationMode revocationMode, X509RevocationFlag revocationFlag, DateTime verificationTime, TimeSpan timeout)
   at System.Security.Cryptography.X509Certificates.X509Chain.Build(X509Certificate2 certificate, Boolean throwOnException)
   at System.Security.Cryptography.X509Certificates.X509Chain.Build(X509Certificate2 certificate)
   at System.Net.CertificateValidationPal.VerifyCertificateProperties(SafeDeleteContext securityContext, X509Chain chain, X509Certificate2 remoteCertificate, Boolean checkCertName, Boolean isServer, String hostName)
   at System.Net.Security.SecureChannel.VerifyRemoteCertificate(RemoteCertValidationCallback remoteCertValidationCallback, ProtocolToken& alertToken)
   at System.Net.Security.SslState.CompleteHandshake(ProtocolToken& alertToken)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslStream.AuthenticateAsClient(SslClientAuthenticationOptions sslClientAuthenticationOptions)
   at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
   at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost)
   at System.Data.SqlClient.SNI.SNITCPHandle.EnableSsl(UInt32 options) in /xplat/cfxfork/corefx/src/System.Data.SqlClient/src/System/Data/SqlClient/SNI/SNITcpHandle.cs:line 368
   at System.Data.SqlClient.SNI.SNIProxy.EnableSsl(SNIHandle handle, UInt32 options) in /xplat/cfxfork/corefx/src/System.Data.SqlClient/src/System/Data/SqlClient/SNI/SNIProxy.cs:line 50
   at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData, Boolean applyTransientFaultHandling, String accessToken) in /xplat/cfxfork/corefx/src/System.Data.SqlClient/src/System/Data/SqlClient/SqlInternalConnectionTds.cs:line 400
   at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions) in /xplat/cfxfork/corefx/src/System.Data.SqlClient/src/System/Data/SqlClient/SqlConnectionFactory.cs:line 136
   at System.Data.ProviderBase.DbConnectionFactory.CreateNonPooledConnection(DbConnection owningConnection, DbConnectionPoolGroup poolGroup, DbConnectionOptions userOptions) in /xplat/cfxfork/corefx/src/Common/src/System/Data/ProviderBase/DbConnectionFactory.cs:line 96
   at System.Data.ProviderBase.DbConnectionFactory.<>c__DisplayClass40_0.<TryGetConnection>b__1(Task`1 _) in /xplat/cfxfork/corefx/src/System.Data.SqlClient/src/System/Data/ProviderBase/DbConnectionFactory.cs:line 86
   at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location where exception was thrown ---
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot)
--- End of stack trace from previous location where exception was thrown ---
   at Microsoft.SqlTools.ServiceLayer.Connection.ReliableConnection.ReliableSqlConnection.<>c__DisplayClass28_0.<<OpenAsync>b__0>d.MoveNext() in D:\a\1\s\src\Microsoft.SqlTools.ManagedBatchParser\ReliableConnection\ReliableSqlConnection.cs:line 303
--- End of stack trace from previous location where exception was thrown ---
   at Microsoft.SqlTools.ServiceLayer.Connection.ConnectionService.TryOpenConnection(ConnectionInfo connectionInfo, ConnectParams connectionParams) in D:\a\1\s\src\Microsoft.SqlTools.ServiceLayer\Connection\ConnectionService.cs:line 521
ClientConnectionId:bb97496b-3d42-4db6-ab44-55874aaf25b1

@aaomidi aaomidi reopened this Oct 8, 2019

aaomidi commented Oct 8, 2019


stona1 commented Oct 15, 2019

aaomidi, thank you for pointing to this Apple Support website, but in my case the problem is that I have never configured any TLS certificate to work with Azure Data Studio. So now I do not know which certificate I should use or update.
Where can I get this certificate from? Or maybe I can set Azure Data Studio to not use any TLS certificate?


aaomidi commented Oct 15, 2019

@stona1 Sorry that information was just to add context to this issue, not as a solution to your problem.


stona1 commented Oct 15, 2019

OK, now I understand. To add more context to this issue: the same problem occurs with the newest Azure Data Studio and the Catalina full release version (not Beta).
SQL 2008 R2 is updated with all service packs and the TLS 1.2 fix too.


ggregg commented Oct 17, 2019

Same problem with SQL 2014 SP3.

I tried to fix it by enabling TLS 1.2: Fix

Adding these keys and rebooting:

Windows Registry Editor Version 5.00

; Enable TLS 1.2 for both the client and the server side of SCHANNEL
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

; Disable SSL 2.0 on the server side
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

Unfortunately, the problem persists.

leandrozapata commented

I have the same error connecting from .NET Core 2.2; it is the same error I get when I try to connect from Azure Data Studio. Is there any solution or workaround for this?


ggregg commented Oct 23, 2019

> I have the same error connecting from .NET Core 2.2; it is the same error I get when I try to connect from Azure Data Studio. Is there any solution or workaround for this?

Same problem for me with .NET Core and unfortunately no solution :(


SelmanAY commented Dec 6, 2019

We are not using SSL certificates to connect to our database servers. They are local servers, not Azure cloud instances.

With the security-related properties in the Advanced Properties window disabled, I managed to connect to our databases.

Column Encryption : Disabled
Encrypt : false
Persist Security info : false
Trust Server Certificate : True
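The "pre-login handshake" named in the error is the TDS PRELOGIN exchange, and the ENCRYPTION option negotiated there decides how much of the session TLS protects. The point that matters for the settings above: with Encrypt=false the client sends ENCRYPT_OFF, a server without Force Encryption answers ENCRYPT_OFF, and the outcome is that only the LOGIN7 packet is encrypted, so a TLS handshake, in which the server presents its certificate, still runs before login. The Python below is an added example, not Azure Data Studio or SqlClient code: it builds the client PRELOGIN packet, parses a constructed server reply, and applies the ENCRYPTION outcomes from MS-TDS. The packet layout follows MS-TDS (packet header, PRELOGIN option table); the client VERSION bytes and the server reply are placeholders, and the negotiation function raises for combinations it does not model.

```python
"""Model the TDS PRELOGIN exchange that precedes the TLS handshake to SQL Server.
Added example (not SqlClient/Azure Data Studio code); server reply is constructed."""
import struct

PRELOGIN = 0x12   # packet type; the TLS records that follow are tunnelled in 0x12 packets too
EOM = 0x01        # status: end of message
VERSION, ENCRYPTION, INSTOPT, THREADID, MARS, TERMINATOR = 0x00, 0x01, 0x02, 0x03, 0x04, 0xFF
ENCRYPT_OFF, ENCRYPT_ON, ENCRYPT_NOT_SUP, ENCRYPT_REQ = 0x00, 0x01, 0x02, 0x03
ENCRYPT_NAMES = {0: "ENCRYPT_OFF", 1: "ENCRYPT_ON", 2: "ENCRYPT_NOT_SUP", 3: "ENCRYPT_REQ"}


def build_prelogin(encrypt=ENCRYPT_OFF, instance=b"", thread_id=0x1234, mars=0):
    """PRELOGIN packet: 8-byte header, option table (token, offset, length), 0xFF, data."""
    options = [
        (VERSION, struct.pack(">IH", 0x0A000000, 0)),   # placeholder client version
        (ENCRYPTION, bytes([encrypt])),
        (INSTOPT, instance + b"\x00"),                  # null-terminated instance name
        (THREADID, struct.pack(">I", thread_id)),
        (MARS, bytes([mars])),
    ]
    offset = 5 * len(options) + 1            # data starts after the table and terminator
    table, data = b"", b""
    for token, value in options:
        table += struct.pack(">BHH", token, offset, len(value))
        data += value
        offset += len(value)
    payload = table + bytes([TERMINATOR]) + data
    header = struct.pack(">BBHHBB", PRELOGIN, EOM, 8 + len(payload), 0, 1, 0)
    return header + payload


def parse_prelogin(packet):
    """Return {token: option bytes} from a PRELOGIN packet in either direction."""
    ptype, _status, length, _spid, _pid, _window = struct.unpack(">BBHHBB", packet[:8])
    if ptype != PRELOGIN or length != len(packet):
        raise ValueError("not a complete PRELOGIN packet")
    payload, options, pos = packet[8:], {}, 0
    while payload[pos] != TERMINATOR:
        token, offset, size = struct.unpack(">BHH", payload[pos:pos + 5])
        options[token] = payload[offset:offset + size]
        pos += 5
    return options


def negotiate_encryption(client, server):
    """What TLS protects after PRELOGIN, for the client/server ENCRYPTION pairs modelled."""
    if server == ENCRYPT_NOT_SUP:
        if client in (ENCRYPT_ON, ENCRYPT_REQ):
            raise ConnectionError("client requires encryption, server offers none")
        return "none"                         # no TLS handshake at all, no certificate seen
    if client == ENCRYPT_NOT_SUP:
        if server == ENCRYPT_REQ:
            raise ConnectionError("server requires encryption, client refuses it")
        return "none"
    if client == ENCRYPT_OFF and server == ENCRYPT_OFF:
        return "login packet only"            # handshake still runs; only LOGIN7 is encrypted
    return "full"                             # everything after PRELOGIN is encrypted


# Constructed reply: a server without "Force Encryption" answers ENCRYPT_OFF.
SERVER_REPLY = build_prelogin(encrypt=ENCRYPT_OFF, thread_id=0)


def describe_exchange(client_encrypt):
    """(client option, server option, outcome) for one modelled PRELOGIN exchange."""
    client_option = parse_prelogin(build_prelogin(encrypt=client_encrypt))[ENCRYPTION][0]
    server_option = parse_prelogin(SERVER_REPLY)[ENCRYPTION][0]
    outcome = negotiate_encryption(client_option, server_option)
    return ENCRYPT_NAMES[client_option], ENCRYPT_NAMES[server_option], outcome
```

Running describe_exchange(ENCRYPT_OFF) gives the Encrypt=false case ("login packet only"); describe_exchange(ENCRYPT_ON) gives the Encrypt=true case ("full"). Only the ENCRYPT_NOT_SUP outcomes avoid the TLS handshake entirely, which is why a certificate the OS refuses to trust can fail the connection even when encryption is "off".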


stona1 commented Dec 7, 2019

For me your settings do not solve the problem.
Catalina 10.15.1 and Azure Data Studio 1.13.1, and the problem still exists.


ggregg commented Dec 9, 2019

Unfortunately it's the same for me. The solution does not work.

cheenamalhotra (Member) commented

I installed Azure Data Studio fresh on Catalina and I see no problems.
No advanced settings were modified.

Mode of Authentication: SQL Server Authentication with User/Password.

Client Version Summary:

  • macOS Catalina 10.15.1 Beta (19B68f)
  • Azure Data Studio (Version: 1.13.1)

SQL Server versions tested:

  • SQL Server 2008 R2 (SP3-GDR) (10.50.6560.0)
  • SQL Server 2012 SP3 (11.0.6020.0)
  • SQL Server 2014 (12.0.2000.8)
  • SQL Server 2016 (RTM-CU9) (13.0.2216.0)
  • Azure Database (12.0.2000.8)


ggregg commented Dec 10, 2019

Cheena, it also works for me with SQL Server 2017 in a Docker container on my Mac. But not on my client's fully patched SQL Server 2014.


cheenamalhotra commented Dec 10, 2019

Hi @ggregg

Please check this article, as it's related: Requirements for trusted certificates in iOS 13 and macOS Catalina.

To summarize, the following are no longer trusted:

  • RSA keys < 2048 bits
  • SHA-1 signatures
  • DNS Names in certificates

Recommended: generate a new SSL certificate on the server machine that meets all of the above requirements and configure it in SQL Server Configuration Manager.

Microsoft articles on certificate requirements: Certificate Requirements and SHA-1 deprecation: Link to PDF

Since it's a security requirement update, legacy SQL Server certificates will need to be updated if not done yet, or they may continue to fail.


ggregg commented Dec 11, 2019

Hi @cheenamalhotra
I'm a little afraid of breaking my client's machine if I do that, and I'm not a system expert.
I'll think about it.

@adsbot adsbot bot locked and limited conversation to collaborators Feb 21, 2020
10 participants