Erik Farrell

Reputation: 11

Establishing SSL trust to SQL Server with an AWS Lambda (Linux Client)

I'm trying to connect to a SQL Server 2019 instance from an AWS lambda. I'm using a self-signed certificate for the SQL instance.

Our lambda is using Entity Framework Core 7.0.5 in .NET 6 (also tested Microsoft.Data.SqlClient 5.1 with the same results)

The error is:

Microsoft.Data.SqlClient.SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: TCP Provider, error: 35 - An internal exception was caught)

The connection string is like the following: "Data Source=xxxxxxx;Initial Catalog=xxxxxxx;Integrated Security=false;Encrypt=True;TrustServerCertificate=False"

When I change to TrustServerCertificate=True, everything connects fine. (I don't want to do that and override trust.)

Does anyone have experience accomplishing this in an AWS lambda function?

There's an official guide for Linux client connections, but it requires lower level operating system access than AWS allows in its lambdas. (https://learn.microsoft.com/en-us/sql/linux/sql-server-linux-encrypted-connections?view=sql-server-ver16)

I typically use OpenSSL's SSL_CERT_FILE environment variable to register our certificates in lambdas, but that does not work in this case.

I've also tried ServerCertificate in the connection string (ServerCertificate=/opt/path/server.cer) as documented here, which works great in Windows, but does not seem to work in Linux: https://learn.microsoft.com/en-us/dotnet/api/microsoft.data.sqlclient.sqlconnectionstringbuilder.servercertificate?view=sqlclient-dotnet-standard-5.1

What alternative approaches for registering a SQL Server client certificate in Linux can I try?

Upvotes: 0

Views: 534

Answers (1)

Erik Farrell

Reputation: 11

I worked through this item with Microsoft Support - we were able to get a response from the SqlClient team. There are two official paths to add server trust to the client for SQL in Linux:

  • Trust store
    • The trust store isn't currently an option to install a certificate to in AWS lambda functions
  • ServerCertificate
    • ServerCertificate currently has an issue with Linux support, per SqlClient team

There is an issue tracked for ServerCertificate in the SqlClient repo here: https://github.com/dotnet/SqlClient/issues/2178. I'll try to update this answer when that issue moves forward.

Workarounds include using a public CA, or AWS ACM in the case of an AWS Lambda, to generate the SQL certificate (in other words, public certificates that your system likely already has installed).

Upvotes: 1
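With TrustServerCertificate=False a TLS client such as SqlClient makes two checks on the server certificate: that it chains to a trusted anchor, and that a SAN entry matches the host name in Data Source. The shell script below, added here as an illustration and not part of the original question, answer, or the SqlClient project, reproduces both checks with the openssl CLI against a constructed self-signed certificate, so the certificate file itself can be sanity-checked before debugging the client side. The host name, file names and the verify_sql_cert helper are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or the SqlClient project): reproduce
# the two checks a TLS client performs on a SQL Server certificate when
# TrustServerCertificate=False, using the openssl CLI:
#   1. chain trust: does the certificate chain to an anchor in CAFILE?
#   2. name match:  does a SAN entry match the Data Source host name?
# The host name, file names and helper name below are assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
SQL_HOST="sqlhost.example.internal"      # assumed Data Source host name

# Constructed fixture: a self-signed SQL Server certificate whose SAN matches
# the host name. Clients match on the SAN, so a CN-only cert fails check 2.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/server.key" -out "$WORK/server.pem" \
  -subj "/CN=$SQL_HOST" -addext "subjectAltName=DNS:$SQL_HOST" >/dev/null 2>&1

# Constructed fixture: an unrelated self-signed certificate, standing in for a
# trust store that does not contain the SQL Server certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" \
  -subj "/CN=other.example.internal" >/dev/null 2>&1

# verify_sql_cert CAFILE HOST CERT
# Prints "trusted" when CERT chains to an anchor in CAFILE and carries a SAN
# matching HOST, otherwise "untrusted". The self-signed fixture is in no
# system store, so the outcome depends on CAFILE alone (the role SSL_CERT_FILE
# plays for an OpenSSL-based client).
verify_sql_cert() {
  if openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Usage: the three outcomes a client can hit.
echo "anchor present, name matches:  $(verify_sql_cert "$WORK/server.pem" "$SQL_HOST" "$WORK/server.pem")"
echo "anchor missing, name matches:  $(verify_sql_cert "$WORK/other.pem" "$SQL_HOST" "$WORK/server.pem")"
echo "anchor present, name mismatch: $(verify_sql_cert "$WORK/server.pem" "db.example.internal" "$WORK/server.pem")"
```

Pointing CAFILE at the file you intend to ship in the Lambda and HOST at the exact Data Source value separates a bad certificate file (no SAN, wrong host, wrong certificate, DER where PEM was expected) from a client that is not reading the file at all; only the latter is the platform problem the answer above describes.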
