Cannot connect when OS has TLS1.3 (and TLS1.2) enabled

[Rans4ckeR]

Describe the bug

After enabling TLS1.3 in the OS (for both client and server) the connection fails.
TLS1.2 is also enabled.
Client & server run on the same machine.

Exception.GetType: Microsoft.Data.SqlClient.SqlException
Exception.Message: A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - No process is on the other end of the pipe.)
Exception.Source: Core Microsoft SqlClient Data Provider
Exception.TargetSite: Void OnError(Microsoft.Data.SqlClient.SqlException, Boolean, System.Action`1[System.Action])
SqlException.Errors:
SqlError.Number: 233
SqlError.State: 0
SqlError.Class: 20
SqlError.Server: .
SqlError.Message: A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - No process is on the other end of the pipe.)
SqlError.Procedure: 
SqlError.LineNumber: 0
ExternalException.ErrorCode: -2146232060
ExternalException.ErrorCode Hex: 0x80131904
Win32Exception.Message: Unknown error (0x80131904)
HResult Facility: FACILITY_URT
HResult Code: 6404
HResult Severity: Failure
HResult Severe Failure: No Severe Failure
HResult Customer: Microsoft-defined
HResult Mapped NT Status Value: No NT status value mapped.
HResult Values: HRESULT values are status values.
Exception.StackTrace:    at Microsoft.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) in Microsoft.Data.SqlClient.dll:token 0x6000fcc+0x27
   at Microsoft.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) in Microsoft.Data.SqlClient.dll:token 0x6000ab1+0x174
   at Microsoft.Data.SqlClient.TdsParserStateObject.ThrowExceptionAndWarning(Boolean callerHasConnectionLock, Boolean asyncClose) in Microsoft.Data.SqlClient.dll:token 0x6001354+0x0
   at Microsoft.Data.SqlClient.TdsParserStateObject.SNIWritePacket(PacketHandle packet, UInt32& sniError, Boolean canAccumulate, Boolean callerHasConnectionLock) in Microsoft.Data.SqlClient.dll:token 0x600139d+0x14f
   at Microsoft.Data.SqlClient.TdsParserStateObject.WriteSni(Boolean canAccumulate) in Microsoft.Data.SqlClient.dll:token 0x60013a3+0x26
   at Microsoft.Data.SqlClient.TdsParserStateObject.WritePacket(Byte flushMode, Boolean canAccumulate) in Microsoft.Data.SqlClient.dll:token 0x600139b+0x134
   at Microsoft.Data.SqlClient.TdsParser.TdsLogin(SqlLogin rec, FeatureExtension requestedFeatures, SessionData recoverySessionData, FederatedAuthenticationFeatureExtensionData fedAuthFeatureExtensionData) in Microsoft.Data.SqlClient.dll:token 0x6000b2e+0x8ed
   at Microsoft.Data.SqlClient.SqlInternalConnectionTds.Login(ServerInfo server, TimeoutTimer timeout, String newPassword, SecureString newSecurePassword) in Microsoft.Data.SqlClient.dll:token 0x6001008+0x29d
   at Microsoft.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean ignoreSniOpenTimeout, TimeoutTimer timeout, Boolean withFailover) in Microsoft.Data.SqlClient.dll:token 0x6001010+0xa7
   at Microsoft.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString connectionOptions, SqlCredential credential, TimeoutTimer timeout) in Microsoft.Data.SqlClient.dll:token 0x600100c+0xc5
   at Microsoft.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(TimeoutTimer timeout, SqlConnectionString connectionOptions, SqlCredential credential, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance) in Microsoft.Data.SqlClient.dll:token 0x600100a+0x8e
   at Microsoft.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData, Boolean applyTransientFaultHandling, String accessToken, DbConnectionPool pool) in Microsoft.Data.SqlClient.dll:token 0x6000fde+0x163
   at Microsoft.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions) in Microsoft.Data.SqlClient.dll:token 0x6000b7d+0x145
   at Microsoft.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnectionPool pool, DbConnection owningObject, DbConnectionOptions options, DbConnectionPoolKey poolKey, DbConnectionOptions userOptions) in Microsoft.Data.SqlClient.dll:token 0x60004e0+0xc
   at Microsoft.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection) in Microsoft.Data.SqlClient.dll:token 0x6000480+0x2
   at Microsoft.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection) in Microsoft.Data.SqlClient.dll:token 0x6000496+0x40
   at Microsoft.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection) in Microsoft.Data.SqlClient.dll:token 0x6000488+0x0
   at Microsoft.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection) in Microsoft.Data.SqlClient.dll:token 0x6000487+0x3b
   at Microsoft.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection) in Microsoft.Data.SqlClient.dll:token 0x60004f9+0x14d
   at Microsoft.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions) in Microsoft.Data.SqlClient.dll:token 0x60004ba+0x18
   at Microsoft.Data.ProviderBase.DbConnectionClosed.TryOpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions) in Microsoft.Data.SqlClient.dll:token 0x6000537+0x0
   at Microsoft.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry, SqlConnectionOverrides overrides) in Microsoft.Data.SqlClient.dll:token 0x6000e01+0xdf
   at Microsoft.Data.SqlClient.SqlConnection.Open(SqlConnectionOverrides overrides) in Microsoft.Data.SqlClient.dll:token 0x6000df2+0x63
   at Microsoft.Data.SqlClient.SqlConnection.Open() in Microsoft.Data.SqlClient.dll:token 0x6000df0+0x0
   <...>
Exception.InnerException:
Exception.GetType: System.ComponentModel.Win32Exception
Exception.Message: No process is on the other end of the pipe.
Exception.Source: 
Exception.TargetSite: 
ExternalException.ErrorCode: -2147467259
ExternalException.ErrorCode Hex: 0x80004005
Win32Exception.Message: Unspecified error
HResult Facility: FACILITY_NULL
HResult Code: 16389
HResult Severity: Failure
HResult Severe Failure: No Severe Failure
HResult Customer: Microsoft-defined
HResult Mapped NT Status Value: No NT status value mapped.
HResult Values: HRESULT values are status values.
Exception.StackTrace: 

To reproduce

1. Enable TLS1.3:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff

2. Reboot
3. Run:

new SqlConnection("...").Open();

Expected behavior

The client should connect using TLS1.3 or if not supported fallback to a lower enabled TLS version.
Side note for EF: SqlServerDbContextOptionsBuilder should allow me to specify the acceptable TLS version(s) (similar to HttpClient).

Further technical details

Microsoft.Data.SqlClient version: 3.0.0
.NET target: net6.0-preview.5
SQL Server version: Microsoft SQL Server Developer (64-bit) 15.0.4138.2
Operating system: Windows 10 Pro 21H1 19043.1081

Additional context
-SSMS 18.9.1 can connect without problem.
-Azure Data Studio 1.30.0 fails with the same exception since it also uses Microsoft.Data.SqlClient.

[cheenamalhotra]

Hi @Rans4ckeR

I'm able to reproduce the issue as well and will update you as I have a fix.

[Rans4ckeR]

@DavoudEshtehari is it already known how this will be fixed?
-Proper TLS1.3 support?
-Fallback to the next supported and enabled TLS version?

Will it somehow be possible to explicitly set the list of allowed TLS versions in similar fashion to HttpClientHandler.SslProtocols?
If yes would it be technically possible for the EF team to implement support for this in SqlServerDbContextOptionsBuilder?

[cheenamalhotra]

Hi @Rans4ckeR

Currently, we are looking into fixing the driver to fallback on TLS 1.2.
TLS 1.3 is currently not supported by SQL Server (ref: blog article) and so not by client driver too.

Will it somehow be possible to explicitly set the list of allowed TLS versions in similar fashion to HttpClientHandler.SslProtocols?

It is something to think about, we haven't considered it yet.

[ErikEJ]

Interestingly, System.Data.SqlClient seems unaffected..