I’m trying to make a docker container to manipulate data from a SQL Server.
Description of the problem and devices involved
Here’s the list of relevant devices:
- The docker container: OS is Debian 12.
- The host machine: Ubuntu 22.04.
- The SQL Server: version is 2016 13.0.2026, running on a Windows Server 2012R2 VM. And no, I can’t upgrade any of these (I asked…).
I’m using the exact same credentials (sourced from the same .env file to avoid errors).
I am able to connect via sqlcmd from the host (using sqlcmd v1.5.0, ODBC 17, and openssl 3.0.2-0ubuntu1.18).
I’m using this command to connect from the host:
sqlcmd \
    --server "$UTT_SQLDB_SERVERNAME" \
    --database-name "$UTT_SQLDB_DATABASE" \
    --user-name "$UTT_SQLDB_USERNAME" \
    --password "$UTT_SQLDB_PASSWORD"
But from the docker container I can’t (using sqlcmd 17.10.0001.1 Linux, ODBC 17, and openssl 3.0.14-1~deb12u2).
I’m using this command to connect from the container:
sqlcmd \
    -S "$UTT_SQLDB_SERVERNAME" \
    -U "$UTT_SQLDB_USERNAME" \
    -P "$UTT_SQLDB_PASSWORD" \
    -d "$UTT_SQLDB_DATABASE"
There is no firewall problem since I can telnet and ping the SQL Server from the container.
Error messages
On the container I get the following error message:
root@50f7a7519b2b:/var/www/html# sqlcmd -S $UTT_SQLDB_SERVERNAME -U $UTT_SQLDB_USERNAME -P $UTT_SQLDB_PASSWORD -d $UTT_SQLDB_DATABASE
Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server : TCP Provider: Error code 0x2746.
Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server : Client unable to establish connection.
And on the SQL Server log I get these two error messages (I translated them from French):
TLS Error Code 40: This indicates a handshake failure during the TLS negotiation. It happens when the client and server cannot agree on the encryption protocols or ciphers.
SChannel Error 1205: This is a Windows error related to SChannel (Secure Channel), which is the component responsible for handling SSL/TLS encryption. Error 1205 generally means there was a mismatch in the TLS configuration between the client and the server.
What I’ve tried
Since it seems to be a cipher suite problem I tried to connect directly with openssl like this (from the container):
root@50f7a7519b2b:/var/www/html# openssl s_client -connect $UTT_SQLDB_SERVERNAME:1433 -tls1_2
CONNECTED(00000003)
root@50f7a7519b2b:/var/www/html# openssl s_client -connect $UTT_SQLDB_SERVERNAME:1433 -tls1_1
CONNECTED(00000003)
root@50f7a7519b2b:/var/www/html# openssl s_client -connect $UTT_SQLDB_SERVERNAME:1433 -tls1
CONNECTED(00000003)
And it works. Which confuses me.
I also don’t understand why I’m able to connect from the host but not from the container using equivalent commands and a similar OS.
I also tried running the container in host network mode. No luck.
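Added example, not part of the original post: SQL Server 2016 speaks TDS 7.x, where the TLS handshake is carried inside TDS packets after a PRELOGIN exchange, so a raw `openssl s_client` to port 1433 reports the TCP connect (`CONNECTED`) without exercising the handshake sqlcmd performs. This Python code builds the PRELOGIN packet and reads the server's ENCRYPTION answer; the function names and the sample reply bytes are constructed for illustration.

```python
import socket
import struct

PRELOGIN, REPLY = 0x12, 0x04   # TDS packet types: client PRELOGIN, server response
ENCRYPTION = {0: "ENCRYPT_OFF", 1: "ENCRYPT_ON", 2: "ENCRYPT_NOT_SUP", 3: "ENCRYPT_REQ"}

def build_prelogin(encrypt=0x00):
    """Client PRELOGIN: 8-byte TDS header, option table, 0xFF, option data."""
    options = [(0x00, bytes(6)),          # VERSION (zeros: unspecified client)
               (0x01, bytes([encrypt])),  # ENCRYPTION
               (0x02, b"\x00"),           # INSTOPT: empty instance name
               (0x03, bytes(4)),          # THREADID
               (0x04, b"\x00")]           # MARS: off
    table, data = b"", b""
    base = 5 * len(options) + 1           # data starts after table + terminator
    for token, value in options:
        table += struct.pack(">BHH", token, base + len(data), len(value))
        data += value
    payload = table + b"\xff" + data
    # Header fields: type, status (end of message), total length, SPID, packet id, window
    return struct.pack(">BBHHBB", PRELOGIN, 0x01, 8 + len(payload), 0, 1, 0) + payload

def parse_prelogin(packet):
    """Return {token: value} for a single-packet PRELOGIN request or reply."""
    ptype, _status, length = struct.unpack(">BBH", packet[:4])
    if ptype not in (PRELOGIN, REPLY) or length != len(packet):
        raise ValueError("not a complete PRELOGIN packet")
    payload, pos, found = packet[8:], 0, {}
    while pos < len(payload) and payload[pos] != 0xFF:
        token, offset, size = struct.unpack(">BHH", payload[pos:pos + 5])
        found[token] = payload[offset:offset + size]
        pos += 5
    return found

def server_encryption(reply):
    """Name of the ENCRYPTION value the server answered with."""
    return ENCRYPTION.get(parse_prelogin(reply)[0x01][0], "unknown")

def probe(host, port=1433, timeout=5.0):
    """Live check: send PRELOGIN to a server and return its ENCRYPTION answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_prelogin())
        stream = sock.makefile("rb")
        head = stream.read(8)
        return server_encryption(head + stream.read(int.from_bytes(head[2:4], "big") - 8))

# Constructed sample reply (not captured from the poster's server):
# header | VERSION entry | ENCRYPTION entry | terminator | version bytes | encryption byte
SAMPLE_REPLY = bytes.fromhex("04 01 00 1a 00 00 01 00  00 00 0b 00 06  01 00 11 00 01"
                             "  ff  0d 00 07 ea 00 00  01")
```

Running `probe` with the server name from both the host and the container shows whether the PRELOGIN exchange itself succeeds from each side, which separates TDS-level reachability from the TLS handshake that follows it.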