
We noticed a Java application, Metabase, having an error when connecting to SQL Server 2016, and with the same configuration, the issue happens on Red Hat Enterprise Linux 9, but not on Red Hat Enterprise Linux 7. So, we hope to get help to confirm whether it's due to the operating system, and to fix it.

Longer story:

We are testing an upgraded instance of Metabase, and the upgraded components include

  • Red Hat Enterprise Linux (from v7 to v9) operating system,
  • Java (from 11 to 21), and
  • Metabase software (from v0.32.x to the current v0.50.x).

And we noticed the following error in the upgraded instance when connecting to a data source of SQL Server 2016.

"encrypt" property is set to "false" and "trustServerCertificate" property is set to "false" but the driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption: Error: Certificates do not conform to algorithm constraints. ClientConnectionId:6bf62750-d5c4-49c5-8ada-4253d8b55055

We suspect the error is related to the system behavior of Red Hat Enterprise Linux 9, therefore we designed the following simplified test case to support our point:

Test configuration:

  • Java openjdk v11.0.23
  • metabase.jar v0.32.5

We start the application by calling the command java -jar metabase.jar, so it starts a fresh demonstration instance of Metabase running on local H2 for the application database.

Then, we try to add a data source of SQL Server 2016 configured with encryption not required.

Running on Red Hat Enterprise Linux 7, the above test succeeded. However, running on Red Hat Enterprise Linux 9, it failed with the following log events (notice the timestamp of 12-19 14:58:44):

12-19 14:58:09 DEBUG middleware.log :: GET /api/setup/admin_checklist 200 14 ms (10 DB calls) Jetty threads: 8/50 (3 busy, 5 idle, 0 queued) (48 total active threads)
12-19 14:58:44 INFO metabase.driver :: Initializing driver :sqlserver...
12-19 14:58:44 DEBUG plugins.classloader :: Setting current thread context classloader to shared classloader clojure.lang.DynamicClassLoader@1dc9fc0...
12-19 14:58:44 INFO plugins.classloader :: Added URL file:/data/metabase-test/v0.32.5/plugins/sqlserver.metabase-driver.jar to classpath
12-19 14:58:44 DEBUG plugins.init-steps :: Loading plugin namespace metabase.driver.sqlserver...
12-19 14:58:44 INFO metabase.driver :: Registered driver :sqlserver (parents: :sql-jdbc) 
12-19 14:58:44 DEBUG plugins.jdbc-proxy :: Registering JDBC proxy driver for class com.microsoft.sqlserver.jdbc.SQLServerDriver...
Load lazy loading driver :sqlserver took 173 ms
12-19 14:58:44 DEBUG middleware.log :: POST /api/database 400 314 ms (0 DB calls) Jetty threads: 8/50 (3 busy, 4 idle, 0 queued) (45 total active threads)
{:valid false,
 :dbname
 "com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: \"Certificates do not conform to algorithm constraints\". ClientConnectionId:ca179b99-b3b3-4351-a0de-736b7dc8e765",
 :message
 "com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: \"Certificates do not conform to algorithm constraints\". ClientConnectionId:ca179b99-b3b3-4351-a0de-736b7dc8e765"}

12-19 14:58:44 DEBUG middleware.log :: GET /api/database 200 5 ms (3 DB calls) Jetty threads: 8/50 (3 busy, 4 idle, 0 queued) (45 total active threads)
12-19 15:00:00 INFO task.send-pulses :: Sending scheduled pulses...

We wonder if we missed anything with regard to the new operating system, and we highly appreciate any pointers and hints.

Additional Information

About TLS:

The SQL Server 2016 under test does not have an SSL certificate installed, and it is configured as "encryption not required".

  • We checked the Windows host in the context of "SQLServerManager13.msc > SQL Server Network Configuration > Protocols for MSSQLSERVER > Properties". The "Force Encryption" is No, and there is nothing in the "Certificate" tab.
  • The command openssl s_client outputs the following results:
    # openssl s_client -connect <sql-server-hostname>:1433 -showcerts
    Connecting to xxx.xxx.xxx.xxx
    CONNECTED(00000003)
    001EA5D0C87F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 309 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    This TLS version forbids renegotiation.
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---
    

About SQL Server Version:

With everything the same for running Metabase, we tested adding a data source on SQL Server 2022 instead of 2016, and the test passed on RHEL9.

About the Differences in java.security:

We retrieved the java.security files from both RHEL7 and RHEL9, then filtered out the comments and blanks to get the net contents. By comparing the two files, we got a number of differences below.

Mike

1 Answer


The java.security file on RHEL9 no longer supports the old algorithms on our SQL Server 2016, so the best practice should be to upgrade the SQL Server.

Mike
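
The comparison described in the question (strip comments and blanks from both java.security files, then compare them), as an added example that is not part of the original post or answer. The two embedded sample files are constructed for illustration and are not the actual RHEL 7 or RHEL 9 contents; the function names are this example's own.

```python
import sys

def parse_java_security(text):
    """Return {property: value}; drops comments/blanks, joins '\\' continuation lines."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue                      # comment or blank line outside a value
        if line.endswith("\\"):
            pending += line[:-1]          # value continues on the next line
            continue
        line, pending = pending + line, ""
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def constraints(value):
    """Split a comma-separated property value into a set of individual entries."""
    return {item.strip() for item in value.split(",") if item.strip()}

def diff_security(old_text, new_text):
    """Return {property: (only_in_old, only_in_new)} for each property that differs."""
    old, new = parse_java_security(old_text), parse_java_security(new_text)
    changes = {}
    for key in sorted(old.keys() | new.keys()):
        a, b = constraints(old.get(key, "")), constraints(new.get(key, ""))
        if a != b:
            changes[key] = (sorted(a - b), sorted(b - a))
    return changes

# Constructed sample inputs (assumptions for the demo, not real distribution files).
OLD_SAMPLE = r"""
# constructed sample
jdk.certpath.disabledAlgorithms=MD2, MD5, \
    RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4
security.provider.1=SUN
"""
NEW_SAMPLE = r"""
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1, \
    RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4
security.provider.1=SUN
"""

if __name__ == "__main__":
    texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:3]]
    old_text, new_text = texts if len(texts) == 2 else (OLD_SAMPLE, NEW_SAMPLE)
    for key, (gone, added) in diff_security(old_text, new_text).items():
        print(f"{key}\n  only in first : {gone}\n  only in second: {added}")
```

Run it with the two java.security paths as arguments to compare real files. On RHEL the JDK can also take overrides from /etc/crypto-policies/back-ends/java.config when security.useSystemPropertiesFile=true is set, so that file is worth passing through the same comparison.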