Support TDS 8.0 (was: Issue connecting linux box using freeTDS 1.4.17 to MSSQL 2016 by enforcing TLS 1.3)

[BiljanaB]

Hi,

I have downloaded latest freeTDS 1.4.17 and tried to connect to MSSQL 2016 by restricting TLS to use only TLS 1.3 both on MSSQL server side and on linux (client) side.
When I tried to connect using tsql tool I get next errors:

Error 20017 (severity 9):
Unexpected EOF from the server
Error 20002 (severity 9):
Adaptive Server connection failed
Error 20002 (severity 9):
Adaptive Server connection failed
OS error 110, "Connection timed out"

When I check pcap logs I can see next sequence:
First there is TCP handshake and then TDS prelogin which is encrypted. Which looks strange to me since it is documented that for TDS 8.0 sequence should be: "TCP handshake -> TLS handshake -> TDS prelogin (encrypted) and response (encrypted)

I have tried setting protocol version to 8.0 but in freetds logs I can see that it can't be recognized:
"(config.c:952):error: no such version: 8.0"

Does freeTDS support Microsoft TDS 8.0 mentioned in https://learn.microsoft.com/en-us/sql/relational-databases/security/networking/tds-8?view=sql-server-ver16#how-tds-works?

Regards,
Biljana

[freddy77]

There's a bit of confusion. See https://www.freetds.org/userguide/ChoosingTdsProtocol.html. TLS protocol is one thing, TDS another. As the document you pointed out your MSSQL 2016 does not support TDS 8.0 so FreeTDS should be able to connect to it.
No, currently FreeTDS does not support TDS 8.0 and the new "naked" TLS usage.

[BiljanaB]

Hi freddyy77,

Thank you for quick response.
I am aware that TLS and TDS are not the same protocol.
When I don't restrict MSSQL server to only TLS 1.3 and when I don't restrict linux node to only TLS 1.3, client (linux box) can connect to MSSQL server using TLS 1.2. And everything works fine.
But I have issue connecting linux box to MSSQL server when TLS protocol is restricted to 1.3 both on client and server.

Did I understand correctly, you are saying that latest freeTDS doesn't support Microsoft TDS 8.0 as described in https://learn.microsoft.com/en-us/sql/relational-databases/security/networking/tds-8?view=sql-server-ver16#how-tds-works ?
Once again thanks and sorry if I was not clear enough.

Regards,
Biljana

[freddy77]

No, FreeTDS, at the moment does not support TDS 8.0.

Not clear how do you restrict TLS 1.3 on client, the client is FreeTDS. Did you change OpenSSL/GnuTLS settings?

Yesterday I tried to connect to a machine with MSSQL 2022 in strict mode. Not hard to get it connected, I had to change the code, but it's not an hard change. But on MS this setting came with a lot of changes like forcing certificate validation.

[freddy77]

Added strict encryption option in master branch. There's still quite some stuff to do in terms of settings but you could use it to check if your server works only in "strict" mode.

[BiljanaB]

Hi freddyy77,

Thank you very much for help.
Did you change OpenSSL/GnuTLS settings? There is configuration file where min TLS is set, file is loaded and openSSL restrict TLS version by calling SSL_CTX_set_min_proto_version.

I will try latest code from master branch.
Is there any plan/timeline for additional work(if any) to be done to fully support Microsoft TDS 8.0?
Regards,
Biljana

[freddy77]

There's no plan. Simply I had tried to setup the server on Linux time ago and failed (simply apparently cannot be done on Linux), I had some time this weekend so I tried with a Windows server and worked.

I think Microsoft got you really confused with this TLS/TDS thing. There was not reason to bound the two, in the sense that MSSQL 2000 (yes!) could be changed to support TLS 1.3, if only Microsoft wanted to do it! And they could have supported full standard TLS with TDS 8.0 even using TLS 1.0 or SSL 3 if they wanted to.
I personally let OpenSSL configuration deal with the protocol, there are plenty of system settings for that.

About TDS 8.0 the difference between the version numbers (7.4 and 8.0) seems huge but in practice is pretty small. But usually you want to bump major number for incompatible changes. The TDS protocol (like HTTP and like TLS) dialog is initiated by the client. In this case if the client decided to use TDS 8.0 connecting to a server not supporting it the server won't understand it and close the connection so the incompatibility. If an older client connect to a server supporting TDS 8.0 the server can detect it and decide to handle it (that's what happens if you don't force strict mode on the server). What's the protocol difference between TDS 7.4 and TDS 8.0? The TLS handshake is done at socket level... that's it! Internally (to the encrypted socket) the protocol is still using version 7.4.

But the main differences are settings. If you decide to use TDS 8.0 or Strict encryption (basically one mandate the other) you need to have stricter certificate checking (never trusted) and add some settings (server certificate, new encryption setting, certificate name).

Currently (using master) you need to use strict for encryption setting in freetds.conf (see https://www.freetds.org/userguide/freetdsconf.html) or Encryption in odbc (see https://www.freetds.org/userguide/OdbcConnAttr.html). But proper certificate checks and additional settings are not there (you need to configure them manually using ca file/crl file settings).

[BiljanaB]

Hi freddyy77,

Thank you very much for your time and explanation, it is appreciated.
Regards,
Biljana

[freddy77]

@BiljanaB can I close this issue? Or maybe change to something like "support TDS 8.0" ?

[BiljanaB]

Hi freddy77,
You can change title to "support TDS 8.0" and/or close the case.
Thanks for support.
Regards,
Biljana