FreeTDS was auto-updated on 5/13/25 and it broke TLS on 8.0 protocol for a critical integration

Hello

I have a client site where there are some direct connections to their internal MSSQL database from their website for syncing data. Overnight between 5/13 and 5/14 the connection failed and it took me until yesterday to figure out the problem was on our end and not their end which isn't a great look for me.

Once I discovered it was not a network issue and realized it was a TLS handshake issue (took me longer than I'd like to admit to get this to actually write a debug log so I could understand what was happening), still could not understand why it was happening for quite some time and still unsure if the source of the issue was on our end or their end.

I messed around with this for several hours and then on a fluke my TSQL command line testing connected correctly. I saw in the debug log that for some reason the working connection used TDS version 7.4 and not 8.0 even though 8.0 is specified in the freetds.conf file for this server. I still do not understand why it did this, but I'm glad it did as it allowed me to get this "working" again.

My temporary fix at this point was to downgrade the configuration to use 7.4 and set the encryption setting to "require" which does still encrypt the connection (verified via tcpdump).

All this being said, I would like to know what changed in this update and why the 8.0 protocol no longer works, and if there is something I need to do to make it work again, or if this is some kind of bug that got introduced in this update (update log below).

Here is a debug log of the TLS handshake failure when using 8.0:

10:49:00.698263 560925 (log.c:187):Starting log file for FreeTDS 1.5.1
        on 2025-05-16 10:49:00 with debug flags 0xffff.
10:49:00.698278 560925 (iconv.c:371):tds_iconv_open(0x2b5cad0, UTF-8, 1)
10:49:00.698341 560925 (iconv.c:202):local name for ISO-8859-1 is ISO-8859-1
10:49:00.698345 560925 (iconv.c:202):local name for UTF-8 is UTF-8
10:49:00.698347 560925 (iconv.c:202):local name for UCS-2LE is UCS-2LE
10:49:00.698349 560925 (iconv.c:202):local name for UCS-2BE is UCS-2BE
10:49:00.698362 560925 (iconv.c:390):setting up conversions for client charset "UTF-8"
10:49:00.698364 560925 (iconv.c:392):preparing iconv for "UTF-8" <-> "UCS-2LE" conversion
10:49:00.698414 560925 (iconv.c:431):tds_iconv_open: done
10:49:00.698417 560925 (net.c:369):Connecting with protocol version 8.0
10:49:00.698429 560925 (net.c:295):Connecting to <IP REMOVED> port 1433
10:49:00.698473 560925 (net.c:317):tds_setup_socket: connect(2) returned "Operation now in progress"
10:49:00.737696 560925 (net.c:506):tds_open_socket() succeeded
10:49:00.744689 560925 (tls.c:1091):setting default openssl cipher to:HIGH:!SSLv2:!aNULL:-DH
10:49:00.744839 560925 (tls.c:190):in tds_push_func
10:49:00.744850 560925 (tls.c:171):in tds_pull_func
10:49:01.030337 560925 (util.c:179):Changed query state from IDLE to DEAD
10:49:01.030345 560925 (util.c:333):tdserror(0x2b5a8a0, 0x2b5cec0, 20017, 0)
10:49:01.030349 560925 (odbc.c:2527):msgno 20017 20003
10:49:01.030353 560925 (util.c:363):tdserror: client library returned TDS_INT_CANCEL(2)
10:49:01.030356 560925 (util.c:386):tdserror: returning TDS_INT_CANCEL(2)
10:49:01.030360 560925 (tls.c:1119):handshake failed with -1 12 5
10:49:01.030791 560925 (tls.c:1168):handshake failed
10:49:01.030795 560925 (login.c:693):login packet rejected
10:49:01.030798 560925 (util.c:333):tdserror(0x2b5a8a0, 0x2b5cec0, 20002, 0)
10:49:01.030800 560925 (odbc.c:2527):msgno 20002 20003
10:49:01.030803 560925 (util.c:363):tdserror: client library returned TDS_INT_CANCEL(2)
10:49:01.030805 560925 (util.c:386):tdserror: returning TDS_INT_CANCEL(2)
10:49:01.030808 560925 (mem.c:665):tds_free_all_results()
10:49:01.030862 560925 (error.c:417):odbc_errs_add: "Unable to connect to data source"
10:49:01.030866 560925 (error_export.h:107):SQLError((nil), 0x2b5a900, (nil), 0x7ffddef6c82a, 0x7ffddef6c410, 0x7ffddef6cb30, 513, 0x7ffddef6c40a)
10:49:01.030870 560925 (error.c:563):SQLGetDiagRec: "[FreeTDS][SQL Server]Unexpected EOF from the server"
10:49:01.031044 560925 (error_export.h:107):SQLError((nil), 0x2b5a900, (nil), 0x7ffddef6c82a, 0x7ffddef6c410, 0x7ffddef6cb30, 513, 0x7ffddef6c40a)
10:49:01.031047 560925 (error.c:563):SQLGetDiagRec: "[FreeTDS][SQL Server]TDS server connection failed"
10:49:01.031052 560925 (error_export.h:107):SQLError((nil), 0x2b5a900, (nil), 0x7ffddef6c82a, 0x7ffddef6c410, 0x7ffddef6cb30, 513, 0x7ffddef6c40a)
10:49:01.031054 560925 (error.c:563):SQLGetDiagRec: "[FreeTDS][SQL Server]Unable to connect to data source"
10:49:01.031059 560925 (error_export.h:107):SQLError((nil), 0x2b5a900, (nil), 0x7ffddef6c82a, 0x7ffddef6c410, 0x7ffddef6cb30, 513, 0x7ffddef6c40a)
10:49:01.031061 560925 (odbc.c:4295):SQLFreeHandle(2, 0x2b5a900)
10:49:01.031064 560925 (odbc.c:4321):odbc_SQLFreeConnect(0x2b5a900)
10:49:01.031066 560925 (bcp.c:685):_bcp_free_storage(0x2b5a900)
10:49:01.031068 560925 (odbc.c:4295):SQLFreeHandle(1, 0x2b5a810)
10:49:01.031078 560925 (odbc.c:4368):odbc_SQLFreeEnv(0x2b5a810)

Here is the update/version history for the two freetds packages on my system:

[root@host updatelogs]# yum history ea-freetds
This system is receiving updates from CloudLinux Network server.
ID     | Command line                                                                                                                                                                                                | Date and time    | Action(s)      | Altered
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
   629 | --assumeyes --color=never --config /etc/yum.conf update --enablerepo=cloudlinux-PowerTools --enablerepo=epel                                                                                                | 2025-05-13 10:32 | I, U           |  622 E<
   113 | --assumeyes --color=never --config /etc/yum.conf update --enablerepo=cloudlinux-PowerTools --enablerepo=epel                                                                                                | 2023-12-15 05:34 | I, U           |  163 ><
    86 | --assumeyes --color=never --config /etc/yum.conf update --enablerepo=cloudlinux-PowerTools --enablerepo=epel                                                                                                | 2023-11-15 05:33 | Upgrade        |   42 ><
    67 | -y shell /tmp/LMuKg3qXgS                                                                                                                                                                                    | 2023-11-03 19:36 | E, I, U        |  145 >E
[root@host updatelogs]# yum history ea-freetds-libs
This system is receiving updates from CloudLinux Network server.
ID     | Command line                                                                                                                                                                                                | Date and time    | Action(s)      | Altered
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
   629 | --assumeyes --color=never --config /etc/yum.conf update --enablerepo=cloudlinux-PowerTools --enablerepo=epel                                                                                                | 2025-05-13 10:32 | I, U           |  622 E<
   113 | --assumeyes --color=never --config /etc/yum.conf update --enablerepo=cloudlinux-PowerTools --enablerepo=epel                                                                                                | 2023-12-15 05:34 | I, U           |  163 ><
    86 | --assumeyes --color=never --config /etc/yum.conf update --enablerepo=cloudlinux-PowerTools --enablerepo=epel                                                                                                | 2023-11-15 05:33 | Upgrade        |   42 ><
    67 | -y shell /tmp/LMuKg3qXgS

Here are the relevant entries from the update log that occurred on 5/13:

# cd /var/cpanel/updatelogs/
# grep 2025-05-13 * | grep freetds
update.1979674.4521078969.1701921532.log:[2025-05-13 10:32:11 +0000]      [/usr/local/cpanel/scripts/update-packages]  ea-freetds                       x86_64  1:1.5.1-1.el8.cloudlinux  cl-ea4                      313 k
update.1979674.4521078969.1701921532.log:[2025-05-13 10:32:11 +0000]      [/usr/local/cpanel/scripts/update-packages]  ea-freetds-libs                  x86_64  1:1.5.1-1.el8.cloudlinux  cl-ea4                      420 k
update.1979674.4521078969.1701921532.log:[2025-05-13 10:32:43 +0000]      [/usr/local/cpanel/scripts/update-packages] (583/622): ea-freetds-1.5.1-1.el8.cloudlinux.x8 2.7 MB/s | 313 kB     00:00
update.1979674.4521078969.1701921532.log:[2025-05-13 10:32:43 +0000]      [/usr/local/cpanel/scripts/update-packages] (584/622): ea-freetds-libs-1.5.1-1.el8.cloudlin 4.6 MB/s | 420 kB     00:00
update.1979674.4521078969.1701921532.log:[2025-05-13 10:34:00 +0000]      [/usr/local/cpanel/scripts/update-packages]    Upgrading        : ea-freetds-libs-1:1.5.1-1.el8.cloudlinux.x86_6    115/1226
update.1979674.4521078969.1701921532.log:[2025-05-13 10:34:00 +0000]      [/usr/local/cpanel/scripts/update-packages]    Running scriptlet: ea-freetds-libs-1:1.5.1-1.el8.cloudlinux.x86_6    115/1226
update.1979674.4521078969.1701921532.log:[2025-05-13 10:34:00 +0000]      [/usr/local/cpanel/scripts/update-packages]    Upgrading        : ea-freetds-1:1.5.1-1.el8.cloudlinux.x86_64        116/1226
update.1979674.4521078969.1701921532.log:[2025-05-13 10:34:52 +0000]      [/usr/local/cpanel/scripts/update-packages]    Cleanup          : ea-freetds-1:1.4.9-1.el8.cloudlinux.x86_64        886/1226
update.1979674.4521078969.1701921532.log:[2025-05-13 10:34:58 +0000]      [/usr/local/cpanel/scripts/update-packages]    Cleanup          : ea-freetds-libs-1:1.4.9-1.el8.cloudlinux.x86_6   1151/1226
update.1979674.4521078969.1701921532.log:[2025-05-13 10:34:58 +0000]      [/usr/local/cpanel/scripts/update-packages]    Running scriptlet: ea-freetds-libs-1:1.4.9-1.el8.cloudlinux.x86_6   1151/1226
update.1979674.4521078969.1701921532.log:[2025-05-13 10:35:07 +0000]      [/usr/local/cpanel/scripts/update-packages]    Verifying        : ea-freetds-1:1.5.1-1.el8.cloudlinux.x86_64       1149/1226
update.1979674.4521078969.1701921532.log:[2025-05-13 10:35:07 +0000]      [/usr/local/cpanel/scripts/update-packages]    Verifying        : ea-freetds-1:1.4.9-1.el8.cloudlinux.x86_64       1150/1226
update.1979674.4521078969.1701921532.log:[2025-05-13 10:35:07 +0000]      [/usr/local/cpanel/scripts/update-packages]    Verifying        : ea-freetds-libs-1:1.5.1-1.el8.cloudlinux.x86_6   1151/1226
update.1979674.4521078969.1701921532.log:[2025-05-13 10:35:07 +0000]      [/usr/local/cpanel/scripts/update-packages]    Verifying        : ea-freetds-libs-1:1.4.9-1.el8.cloudlinux.x86_6   1152/1226
update.1979674.4521078969.1701921532.log:[2025-05-13 10:35:40 +0000]      [/usr/local/cpanel/scripts/update-packages]   ea-freetds-1:1.5.1-1.el8.cloudlinux.x86_64
update.1979674.4521078969.1701921532.log:[2025-05-13 10:35:40 +0000]      [/usr/local/cpanel/scripts/update-packages]   ea-freetds-libs-1:1.5.1-1.el8.cloudlinux.x86_64

Daniel Muey

May 19, 2025 19:46
Edited

Does setting TDS_Version to 8.0 in the DSN allow them to talk?

Note: I can’t edit that format out, its like a backtick is stuck somewhere 🤔

cPRex Jurassic Moderator

May 19, 2025 19:47

Hey there! It does look like there were some changes in the recent freetds release:

https://github.com/FreeTDS/freetds/blob/Branch-1_5/NEWS.md#summary-of-changes-in-release-15

The one mentioning TLS says this:

"Support strict encryption for naked TLS (TDS 8.0);"

so this wouldn't be related to something on the cPanel side but in the package itself. Can you check and see if that could be the cause of your issues?

RickKukiela

May 19, 2025 21:13
Edited

Daniel Muey I'm connecting via PDO in PHP (outside of my tsql test). Are you referring to my connection string there? The only place I set that value is in my `~/.odbc.ini` file which has the following:

[CLIENTNAME]
Description             = MSSQL Server
Driver                  = FreeTDS
Database                = DBName
ServerName              = SERVER_ALIAS_IN_FREETDS.CONF
DMConnAttr              = SQL_ATTR_CONNECTION_TIMEOUT=10
TDS_Version             = 7.4

The freetds.conf file located at `/opt/cpanel/freetds/etc/freetds.conf` contains:

[global]
# TDS protocol version
tds version = auto

[SERVER_ALIAS_REFERENCED_IN_~/.odbc.ini]
encryption = require
port = 1433
host = IP_REMOVED_FROM_POST

When I have the TDS Version set to 7.4 in the odbc.ini file it works. When I have 8.0 set there, it does not.

May 19, 2025 21:17

cPRex I checked that link and it says it "added support" so by that nature it shouldn't be backward breaking. Even then, I currently have it encrypted and working on 7.4 by setting that new encryption value (see above) to "require" in my freetds.conf file. From what I understand, 8.0 has always required encryption by default, so it stands to reason that setting the new encryption setting to "require" would be the way it was set up to work previously.

At this point I really don't understand what is different with the encryption handshake between TDS 7.4 and 8.0 when both have "encryption=require" The handshake and encryption works correctly on 7.4. It's quite confusing that 8.0 is causing issues now when it previously did not.

May 20, 2025 15:14

Honestly I have no idea on that one as that would be a deeper issue than the cPanel software. It would be best to reach out to the freetds developers to see what specifically changed in that release.

FreeTDS was auto-updated on 5/13/25 and it broke TLS on 8.0 protocol for a critical integration

Comments

Didn't find what you were looking for?