TLS_error:|268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER #291

shiponcs opened this issue Jan 7, 2025 · 0 comments

shiponcs commented Jan 7, 2025

We were implementing StartTLS for MSSQL server. We are calling startSecureTransport() from Envoy when it's time to start the TLS handshake. When the client sends the Client Hello packet, Envoy gives the following error:

[2025-01-06 15:58:02.792][75030][debug][connection] [source/common/tls/ssl_socket.cc:251] [Tags: "ConnectionId":"0"] remote address:172.18.0.2:33671,TLS_error:|268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:TLS_error_end

Versions:

mssql-server version: 2022-cu12
sqlcmd-version: v1.8.0

Connection command:

sqlcmd -S 127.0.0.1,10001 -U sa -P "123!" -N
Error : TLS Handshake failed: cannot read handshake packet: unexpected EOF

Envoy Configuration:

static_resources:
  listeners:
    - name: listener_0
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 10001
      filter_chains:
        - filters:
            - name: envoy.filters.network.sql_server
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.sql_server.v3.SQLServer
                downstreamTLS: true
                upstreamTLS: true
            - name: envoy.filters.network.tcp_proxy
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
                stat_prefix: destination
                cluster: cluster_0
          transport_socket:
            name: envoy.transport_sockets.starttls
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.starttls.v3.StartTlsConfig
              tls_socket_config:
                common_tls_context:
                  tls_certificates:
                  - certificate_chain: {filename: "certs/tls.crt"}
                    private_key: {filename: "certs/tls.key"}

  clusters:
    - name: cluster_0
      connect_timeout: 30s
      type: LOGICAL_DNS
      load_assignment:
        cluster_name: cluster_0
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: 127.0.0.1
                      port_value: 1433

We have created the filter: type.googleapis.com/envoy.extensions.filters.network.sql_server.v3.SQLServer
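
Added example, not part of the original issue or of the project's code: a Python check for the first bytes that reach the TLS socket once startSecureTransport() has been called. It assumes the client speaks TDS 7.x, where the TLS handshake is carried inside TDS PRELOGIN (0x12) packets, so a TLS parser given those bytes unmodified reads the 8-byte TDS header where it expects a TLS record header. Whether that is the cause of the error reported here is not confirmed on the page; the function names and sample bytes are constructed for illustration.

```python
import struct

# TDS packet header: type, status, length (incl. header), SPID, packet id, window
TDS_HEADER = struct.Struct(">BBHHBB")
TDS_PRELOGIN = 0x12   # TDS 7.x carries TLS handshake bytes in this packet type
TLS_HANDSHAKE = 0x16  # TLS record content type for handshake messages

def tls_header_view(data):
    """What a TLS record parser reads from the first 3 bytes: (content type, version)."""
    return data[0], int.from_bytes(data[1:3], "big")

def looks_like_tls_record(data):
    return len(data) >= 5 and data[0] == TLS_HANDSHAKE and data[1] == 0x03

def split_tds_packets(data):
    """Return [(type, payload), ...] for the TDS packets in data; ValueError if malformed."""
    packets, off = [], 0
    while off < len(data):
        if off + TDS_HEADER.size > len(data):
            raise ValueError("truncated TDS header")
        ptype, _status, length, _spid, _pid, _win = TDS_HEADER.unpack_from(data, off)
        if length < TDS_HEADER.size or off + length > len(data):
            raise ValueError("bad TDS length field")
        packets.append((ptype, data[off + TDS_HEADER.size:off + length]))
        off += length
    return packets

def classify(data):
    """Label the first bytes seen when the TLS handshake is expected to start."""
    if looks_like_tls_record(data):
        return "bare-tls"
    try:
        packets = split_tds_packets(data)
    except ValueError:
        return "unknown"
    if packets and packets[0][0] == TDS_PRELOGIN and looks_like_tls_record(packets[0][1]):
        return "tds-wrapped-tls"
    return "unknown"

def unwrap(data):
    """Strip TDS framing and return the TLS bytes carried in PRELOGIN packets."""
    return b"".join(p for t, p in split_tds_packets(data) if t == TDS_PRELOGIN)

# Constructed sample: TLS record header plus an empty handshake body, not a real ClientHello.
SAMPLE_TLS = bytes([0x16, 0x03, 0x01, 0x00, 0x04, 0x01, 0x00, 0x00, 0x00])
SAMPLE_WRAPPED = TDS_HEADER.pack(TDS_PRELOGIN, 0x01, 8 + len(SAMPLE_TLS), 0, 0, 0) + SAMPLE_TLS
```

For the wrapped sample, `tls_header_view` returns content type 0x12 and version 0x0100, neither of which is a valid TLS handshake record header.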
