The TDS protocol stream is not valid. Unexpected token TDS_COLMETADATA (0x81).

[RomainWilbert]

Driver version

8.2.1.jre8

SQL Server version

Microsoft SQL Server 2017 (RTM) - 14.0.1000.169 (X64)

Client Operating System

Windows

JAVA/JVM version

OpenJDK 8

Problem description

When I activate Column Encryption with Azure Key vault, sometimes when I query tables even with no encrypted column, I get errors from jdbc driver : "The TDS protocol stream is not valid. Unexpected token TDS_COLMETADATA (0x81)."

JDBC trace logs

Caused by: com.microsoft.sqlserver.jdbc.SQLServerException: The TDS protocol stream is not valid. Unexpected token TDS_COLMETADATA (0x81). at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:2670) at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:2658) at com.microsoft.sqlserver.jdbc.SQLServerConnection.throwInvalidTDSToken(SQLServerConnection.java:2647) at com.microsoft.sqlserver.jdbc.TDSReader.throwInvalidTDSToken(IOBuffer.java:6421) at com.microsoft.sqlserver.jdbc.TDSParser.throwUnexpectedTokenException(tdsparser.java:128) at com.microsoft.sqlserver.jdbc.TDSTokenHandler.onColMetaData(tdsparser.java:230) at com.microsoft.sqlserver.jdbc.TDSParser.parse(tdsparser.java:87) at com.microsoft.sqlserver.jdbc.TDSParser.parse(tdsparser.java:28) at com.microsoft.sqlserver.jdbc.SQLServerConnection$1ConnectionCommand.doExecute(SQLServerConnection.java:2754) at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:7344) at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:2713) at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectionCommand(SQLServerConnection.java:2759) at com.microsoft.sqlserver.jdbc.SQLServerConnection.rollback(SQLServerConnection.java:2939) at com.zaxxer.hikari.pool.ProxyConnection.rollback(ProxyConnection.java:370) at com.zaxxer.hikari.pool.HikariProxyConnection.rollback(HikariProxyConnection.java) at org.hibernate.resource.jdbc.internal.AbstractLogicalConnectionImplementor.rollback(AbstractLogicalConnectionImplementor.java:116)

[ulvii]

Hi @RomainWilbert ,
The stack trace you posted does not seem to match 8.2.1 driver, please double check the driver version. #661 seems to be related and the issue is fixed as of 6.5.1 version of the driver.

[RomainWilbert]

Thanks for answering. When i update the driver, i get the following error :

java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at rx.exceptions.Exceptions.propagate(Exceptions.java:57) at rx.observables.BlockingObservable.blockForSingle(BlockingObservable.java:463) at rx.observables.BlockingObservable.single(BlockingObservable.java:340) at com.microsoft.azure.keyvault.implementation.KeyVaultClientBaseImpl.getKey(KeyVaultClientBaseImpl.java:1386)

[RomainWilbert]

Do i have to add the Azure Keyvault self-signed certificate to the cacerts file ?

[RomainWilbert]

Updating to openjdk:10-jdk resolved the issue

Any idea to resolve this issue with OpenJDK 8 ? I am not sure i can upgrade the JVM on my app.

[mprins]

Stacktrace indicates your certificate chain is incomplete or invalid, so yes you need to add to cacerts

[ulvii]

Hi @RomainWilbert ,
The error message was in #1273 too and you mentioned it disappeared after a while? In general, there can be multiple reasons for the error message, see this page for a similar question. In addition to @mprins suggestion, try updating to JDK8 u241, check if there is a difference in cacerts file for your JDK8 and JDK10 installations.

[RomainWilbert]

Hi @ulvii !
Yes it disappeared when I updated java version.
I am currently on OpenJDK 8, when i update to 10 it's fine. So i guess I have to copy cacerts file from OpenJDK 10 to 8 if i don't want to update java.

[ulvii]

Hi @RomainWilbert ,
Do you need further assistance on this?

[RomainWilbert]

I tried updating to OpenJDK 13 and the issue "PKIX path building failed" is still here.

Since i don't want to update evertime Microsoft changes its certificate, is there a way to disable certificate validation ?

[RomainWilbert]

@ulvii will this help me handle my issue : #1285 ?

[ulvii]

Hi @RomainWilbert ,
To narrow down the issue, could you confirm if it is resolved when you copy cacerts file from JDK 10 (the working version) to JDK 8 and JDK 13?

You can disable certificate validation by setting trustServerCertificate connection property to true, but this is not recommended practice.

The PR you mentioned is unrelated to your issue.

[RomainWilbert]

@ulvii I just figured out that the SSL issue was caused by my corporate proxy...everything works fine running on Azure...sorry for the noise !!