We were implementing StartTLS for MSSQL server. We are calling `startSecureTransport()` from Envoy when it's time to start the TLS handshake. When the client sends the Client Hello packet, Envoy gives the following error:

```
[2025-01-06 15:58:02.792][75030][debug][connection] [source/common/tls/ssl_socket.cc:251] [Tags: "ConnectionId":"0"] remote address:172.18.0.2:33671,TLS_error:|268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:TLS_error_end
```

Versions:

- mssql-server version: 2022-cu12
- sqlcmd-version: v1.8.0

Connection command:

```
sqlcmd -S 127.0.0.1,10001 -U sa -P "123!" -N
```

Error: `TLS Handshake failed: cannot read handshake packet: unexpected EOF`

Envoy configuration:

```yaml
static_resources:
  listeners:
    - name: listener_0
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 10001
      filter_chains:
        - filters:
            - name: envoy.filters.network.sql_server
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.sql_server.v3.SQLServer
                downstreamTLS: true
                upstreamTLS: true
            - name: envoy.filters.network.tcp_proxy
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
                stat_prefix: destination
                cluster: cluster_0
          transport_socket:
            name: envoy.transport_sockets.starttls
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.starttls.v3.StartTlsConfig
              tls_socket_config:
                common_tls_context:
                  tls_certificates:
                  - certificate_chain: {filename: "certs/tls.crt"}
                    private_key: {filename: "certs/tls.key"}
  clusters:
    - name: cluster_0
      connect_timeout: 30s
      type: LOGICAL_DNS
      load_assignment:
        cluster_name: cluster_0
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: 127.0.0.1
                      port_value: 1433
```

We have created the filter: type.googleapis.com/envoy.extensions.filters.network.sql_server.v3.SQLServer
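
A check that helps when debugging this kind of failure, added here as an example that is not part of the original issue or of Envoy: it classifies the first bytes that reach the TLS socket after the switch. It assumes a TDS 7.x client, where MS-TDS carries TLS handshake records inside PRELOGIN (type 0x12) packets with an 8-byte header; all names and the sample bytes are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added diagnostic example; every name here is hypothetical, not an Envoy API.
enum class FirstBytes { RawTlsRecord, TdsWrappedTls, Other };

constexpr uint8_t kTdsPrelogin = 0x12;   // TDS packet type carrying TLS data in TDS 7.x
constexpr uint8_t kTlsHandshake = 0x16;  // TLS record content type "handshake"
constexpr size_t kTdsHeaderLen = 8;      // type, status, length(2, BE), spid(2), id, window

// True if p starts with a TLS record header: handshake type, major version 3.
static bool looksLikeTlsRecord(const uint8_t* p, size_t n) {
  return n >= 5 && p[0] == kTlsHandshake && p[1] == 0x03;
}

// Tells whether the buffer starts with a bare TLS record or a TDS-framed one.
FirstBytes classify(const std::vector<uint8_t>& buf) {
  if (looksLikeTlsRecord(buf.data(), buf.size())) return FirstBytes::RawTlsRecord;
  if (buf.size() > kTdsHeaderLen && buf[0] == kTdsPrelogin &&
      looksLikeTlsRecord(buf.data() + kTdsHeaderLen, buf.size() - kTdsHeaderLen))
    return FirstBytes::TdsWrappedTls;
  return FirstBytes::Other;
}

// Strips the TDS header from each complete PRELOGIN packet and returns the
// concatenated payload. Returns empty on a truncated or malformed packet.
std::vector<uint8_t> unwrapTds(const std::vector<uint8_t>& buf) {
  std::vector<uint8_t> out;
  size_t off = 0;
  while (off < buf.size()) {
    if (buf.size() - off < kTdsHeaderLen || buf[off] != kTdsPrelogin) return {};
    size_t len = (static_cast<size_t>(buf[off + 2]) << 8) | buf[off + 3];
    if (len < kTdsHeaderLen || len > buf.size() - off) return {};  // bounds check
    out.insert(out.end(), buf.data() + off + kTdsHeaderLen, buf.data() + off + len);
    off += len;
  }
  return out;
}

// Constructed sample: TDS header (length 14) + a truncated TLS handshake record.
std::vector<uint8_t> sampleWrappedHello() {
  return {0x12, 0x01, 0x00, 0x0e, 0x00, 0x00, 0x01, 0x00,
          0x16, 0x03, 0x01, 0x00, 0x01, 0x01};
}
```

If a capture of the failing connection classifies as `TdsWrappedTls`, the TLS library is being handed TDS framing bytes ahead of the record header rather than a bare TLS record.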