Connection Pool permanently falls back to TLS 1.1 #1349

Closed
bgrainger opened this issue Jul 21, 2023 · 2 comments

@bgrainger
Member

Software versions
MySqlConnector version: 2.2.6
Server type (MySQL, MariaDB, Aurora, etc.) and version: Azure Database for MySQL Flexible Server 5.7
.NET version: .NET Framework 4.7.2

Describe the bug

Infrequently, a website running in an IIS App Pool gets "stuck" in a state where it can no longer make any connections to a backend server. The workaround is to recycle the app pool and restart the website. Other app pools running the same code on a different server are not affected when this happens.

Exception

Session1.10676 couldn't initialize TLS connection
System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The message received was unexpected or badly formatted
   --- End of inner exception stack trace ---
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest, Boolean renegotiation)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at MySqlConnector.Core.ServerSession.<InitSslAsync>d__102.MoveNext() in /_/src/MySqlConnector/Core/ServerSession.cs:line 1547

Additional context

A packet capture indicates that MySqlConnector is sending a TLS 1.1 "Client Hello". The server requires TLS 1.2 and above, so it's not surprising that the connection attempt fails.

It is a little unexpected to receive an SSPI exception, instead of an exception message like the one from #1132:

MySqlConnector.MySqlException (0x80004005): The server doesn't support the client's specified TLS versions.
---> System.ComponentModel.Win32Exception (0x80090331): The client and server cannot communicate, because they do not possess a common algorithm.

However, it seems very probable that a wrong TLS version is the cause of the problem, even though the exception message doesn't clearly state that.

@bgrainger
Member Author

The yaSSL fallback code is probably only necessary for MySQL <= 5.7.28, which is now almost four years old. However, there do seem to be a lot of very old MySQL versions still out there in the wild (based on bug reports) so it probably should be kept around for now.

@bgrainger bgrainger self-assigned this Jul 21, 2023
@bgrainger bgrainger added the bug label Jul 21, 2023
@bgrainger
Member Author

Fixed in 2.2.7.
