C#.NET CORE .NET8连接SQL SERVER 2008 R2 报：证书链是由不受信任的颁发机构颁发的

一、C#.NET CORE .NET8连接SQL SERVER 2008 R2  报：证书链是由不受信任的颁发机构颁发的

报错内容：

A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - 证书链是由不受信任的颁发机构颁发的。)

解决方法：

在连接字符串里增加：

TrustServerCertificate=true;

微软给的方案：

https://learn.microsoft.com/zh-cn/troubleshoot/sql/database-engine/connect/certificate-chain-not-trusted?tabs=ole-db-driver-19

二、 如果报这个错：

Connection Timeout Expired.  The timeout period elapsed during the post-login phase.  The connection could have timed out while waiting for server to complete the login process and respond; Or it could have timed out while attempting to create multiple active connections.  The duration spent while attempting to connect to this server was - [Pre-Login] initialization=22; handshake=145; [Login] initialization=1; authentication=2; [Post-Login] complete=14006;

解决方法：

给SQL SERVER 2008 R2，打SP3补丁。

SQL SERVER 2008 R2，未打补丁版本号：

Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64)

SQL SERVER 2008 R2，打了SP3补丁版本号：

Microsoft SQL Server 2008 R2 (SP3) - 10.50.6000.34 (X64)

三 、 如果报这个错：

A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 31 - Encryption(ssl/tls) handshake failed)

问题原因：.NET8 在docker里，默认最低版本是TLS1.2，而SQL 2008 R2 最高支持TLS1.0。

解决方法：在docker里，把openssl最低版本从TLS1.2 调整为 TLS1.0。

dockerfile里的调整命令。

# 下列配置适用于 openssl3.0 修改TLSv1.2 为 TLSv1
# https://askubuntu.com/questions/1436476/ubuntu-22-04-sqlcmd-can-not-connect-to-ms-sql-server-2016/1445405#1445405

# openssl.cnf  ****开始****
# openssl_conf = openssl_init

# [openssl_init]
# providers = provider_sect
# ssl_conf = ssl_sect
#
# [provider_sect]
# default = default_sect
# legacy = legacy_sect
#
# [default_sect]
# activate = 1
#
# [legacy_sect]
# activate = 1
#
# [ssl_sect]
# system_default = system_default_sect
#
# [system_default_sect]
# CipherString = DEFAULT:@SECLEVEL=0
# openssl.cnf ****结束****

# 修改默认的 openssl.cnf 配置

RUN sed -i 's/\[openssl_init\]/# \[openssl_init\]/g' /etc/ssl/openssl.cnf
RUN sed -i '$a\[openssl_init]' /etc/ssl/openssl.cnf
RUN sed -i '$a\providers = provider_sect' /etc/ssl/openssl.cnf
RUN sed -i '$a\ssl_conf = ssl_sect' /etc/ssl/openssl.cnf

RUN sed -i '$a\[provider_sect]' /etc/ssl/openssl.cnf
RUN sed -i '$a\default = default_sect' /etc/ssl/openssl.cnf
RUN sed -i '$a\legacy = legacy_sect' /etc/ssl/openssl.cnf

RUN sed -i '$a\[default_sect]' /etc/ssl/openssl.cnf
RUN sed -i '$a\activate = 1' /etc/ssl/openssl.cnf

RUN sed -i '$a\[legacy_sect]' /etc/ssl/openssl.cnf
RUN sed -i '$a\activate = 1' /etc/ssl/openssl.cnf

RUN sed -i '$a\[ssl_sect]' /etc/ssl/openssl.cnf
RUN sed -i '$a\system_default = system_default_sect' /etc/ssl/openssl.cnf

RUN sed -i '$a\[system_default_sect]' /etc/ssl/openssl.cnf
RUN sed -i '$a\CipherString = DEFAULT:@SECLEVEL=0' /etc/ssl/openssl.cnf

#号开头的是注释，可以不写到dockerfile里。

或者另一种写法，实测也可以：

RUN sed -i 's|\[openssl_init\]|&\nssl_conf = ssl_configuration\n[ssl_configuration]\nsystem_default = tls_system_default\n[tls_system_default]\nMinProtocol = TLSv1\nCipherString = DEFAULT@SECLEVEL=0|' /etc/ssl/openssl.cnf

这种写法,openssl.cnf内容大致如下：

[openssl_init]
ssl_conf = ssl_configuration

[ssl_configuration]
system_default = tls_system_defaul

[tls_system_defaul]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=0  

最小TLS版本设置为1.0，DEFAULT@SECLEVEL 设置为0.

--