FREETDS doesn't work with newer SqlServer version

[AlbertoRen]

Good morning everybody.
My name is Alberto and i'm from Italy; i've a problem trying to reach a MSSqlServer with FreeTDS starting from an AS400 mounting ZendServer (PHP).

The version installed of FreeTDS is

sql -C
Compile-time settings (established with the "configure" script)
Version: FreeTDS v1.4.10
freetds.conf directory: /QOpenSys/etc
MS db-lib source compatibility: no
Sybase binary compatibility: no
Thread safety: yes
iconv library: yes
TDS version: auto
iODBC: no
unixodbc: yes
SSPI "trusted" logins: no
Kerberos: no
OpenSSL: yes
GnuTLS: no
MARS: yes

If i try to connect to a SQLServer with these attributes --> SqlServer 2000 Version 8.00.2039 - Level SP4 - Standard Edition
all works well

tsql -H 10.1.1.218 -p 1433 -U XXX -P XXX
locale is "IT_IT IT_IT IT_IT IT_IT IT_IT IT_IT"
locale charset is "UTF-8"
using default charset "UTF-8"
1>
use MG
2>
SELECT SERVERPROPERTY('ProductVersion') AS ProductVersion
3>
go
ProductVersion
8.00.2039
(1 row affected)

    **INSTEAD**

if i try to connect to another SQLServer like this --> SqlServer 2008 Version 10.50.6000.34 - Level SP3 - Standard Edition (64-bit)
i can't proceed because

tsql -H 10.1.1.211 -p 1433 -U XXX -P XXX
locale is "IT_IT IT_IT IT_IT IT_IT IT_IT IT_IT"
locale charset is "UTF-8"
using default charset "UTF-8"
Error 20002 (severity 9):
Adaptive Server connection failed
There was a problem connecting to the server

Do you have any suggestions ?
Thank you for your help.

Alberto

[freddy77]

Benvenuto! You are using pretty old systems!

See https://www.freetds.org/userguide/logging.html on how to enable more logging. Surely you should be able to understand, for instance, if is a TCP connection error.
Login packet is not logged for security reasons.
Another issue could be related to OpenSSL configuration. Recent versions have settings quite restrict. For quite old system I have a openssl.cnf file like

openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1

You can try setting OPENSSL_CONF environment variable pointing to such file. Not sure if the same exact configuration is going to work on AS400.

[AlbertoRen]

LOG_ko.txt
LOG_ok.txt

Thank you Freddy77 for your reply !
I confirm you there arennt TCP issues or anything similar (this is what my network specilaist colleague swears...) .
Before doing anything else, I would like you to give me your opinion concerning the logs I've attached,
hoping you can find something that explains the problem, thanks

In the meanwhile i'll try to find openssl config on AS400...

Thanks again !
Alberto

[freddy77]

Yes, I can confirm it's a TLS handshake issue, see lines

tls.c:117:in tds_pull_func_login
tls.c:147:in tds_push_func_login
tls.c:1036:handshake failed with -1 3 1
tls.c:1080:handshake failed
login.c:644:login packet rejected

[AlbertoRen]

Thank you Freddy, i will speak with my network specialist again !

Alberto

[freddy77]

I would bet it's the cipher list accepted by OpenSSL. Either reduce security adding ciphers (like the way I described) or increase the list on the server (which could need to install some updates or... upgrade entire Windows server).