TLS handshake times out when CRL URLs are blocked (no internet)

[jacqueskangforvia]

When running the SQL Connectivity Checker in a containerized environment with no internet access (outbound HTTP blocked), the TLS handshake phase is extremely slow (30+ seconds) and times out. This occurs even when setting TrustServerCertificate = true.

We are testing connectivity from Azure Container App to Azure SQL Database via private endpoint. It appears that this tool attempts to fetch from internet the CRL (Certificate Revocation List) for the certificate presented by Azure SQL logical server (e.g., http://www.microsoft.com/pkiops/crl/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2007.crl) which is blocked.

[2026.01.23 19:41:58.9401] Connect initiated (attempt # 3).
[2026.01.23 19:41:58.9401] PreLogin phase starting
[2026.01.23 19:41:58.9527]  DNS resolution took 12 ms, (10.250.117.5)
[2026.01.23 19:41:58.9593]   TCP connection open
[2026.01.23 19:41:58.9593]    Local endpoint is [::ffff:169.254.1.146]:47818
[2026.01.23 19:41:58.9593]    Remote endpoint is [::ffff:10.250.117.5]:1433
 
[2026.01.23 19:41:58.9593]  Building PreLogin message.
[2026.01.23 19:41:58.9593]   Adding PreLogin option Encryption [EncryptOff].
[2026.01.23 19:41:58.9593]   Adding PreLogin option TraceID
[2026.01.23 19:41:58.9594]    ConnectionID: C2E94E1F-08F1-4631-B98F-8BBBE999A51C
[2026.01.23 19:41:58.9594]    ActivityID: B5B1C026-2728-490B-92D8-6EFCE4E1EFBE
[2026.01.23 19:41:58.9594]    ActivitySequence: 0
[2026.01.23 19:41:58.9594]   Adding PreLogin option FedAuthRequired [FedAuthRequired].
[2026.01.23 19:41:58.9594]   Adding PreLogin message terminator.
[2026.01.23 19:41:58.9594]  Trying to send PreLogin.
[2026.01.23 19:41:58.9595]  PreLogin message sent.
[2026.01.23 19:41:58.9595]  Waiting for PreLogin response.
 
[2026.01.23 19:41:58.9595]  Receiving response:
[2026.01.23 19:41:58.9616]   Server requires encryption, enabling encryption:
[2026.01.23 19:41:58.9616]    Trust Server Certificate is set to False
[2026.01.23 19:41:58.9616]    Trying to authenticate using Tls12
[2026.01.23 19:41:58.9629]     Checking certificate validation results:
[2026.01.23 19:41:58.9630]     Certificate error: RemoteCertificateChainErrors
[2026.01.23 19:41:58.9630]     unable to get certificate CRL
[2026.01.23 19:41:58.9630]     unable to get certificate CRL
[2026.01.23 19:41:58.9630]    Cert details:
[2026.01.23 19:41:58.9631]     issued to CN=cr16.northeurope1-a.control.database.windows.net, O=Microsoft Corporation, L=Redmond, S=WA, C=US
[2026.01.23 19:41:58.9631]     valid from 1/16/2026 1:53:03 PM until 7/15/2026 1:53:03 PM
[2026.01.23 19:41:58.9631]     issued from CN=Microsoft Azure RSA TLS Issuing CA 07, O=Microsoft Corporation, C=US
[2026.01.23 19:41:58.9632]     thumbprint E191BAEA456729A409E3A08C7CFDF49E6D75A01A
[2026.01.23 19:42:13.9680]     valid: False
[2026.01.23 19:42:13.9685]     key usages: KeyEncipherment, DigitalSignature
[2026.01.23 19:42:13.9685]     intended purposes: TLS Web Client Authentication, TLS Web Server Authentication
[2026.01.23 19:42:13.9685]    Cert details:
[2026.01.23 19:42:13.9690]     issued to CN=Microsoft Azure RSA TLS Issuing CA 07, O=Microsoft Corporation, C=US
[2026.01.23 19:42:13.9690]     valid from 6/8/2023 12:00:00 AM until 8/25/2026 11:59:59 PM
[2026.01.23 19:42:13.9691]     issued from CN=DigiCert Global Root G2, OU=[www.digicert.com](https://www.digicert.com/), O=DigiCert Inc, C=US
[2026.01.23 19:42:13.9691]     thumbprint 3382517058A0C20228D598EE7501B61256A76442
[2026.01.23 19:42:14.2904]     valid: False
[2026.01.23 19:42:14.2906]     this cert is CertificateAuthority
[2026.01.23 19:42:14.2906]     key usages: CrlSign, KeyCertSign, DigitalSignature
[2026.01.23 19:42:14.2906]     intended purposes: TLS Web Server Authentication, TLS Web Client Authentication
[2026.01.23 19:42:14.2906]    Cert details:
[2026.01.23 19:42:14.2907]     issued to CN=DigiCert Global Root G2, OU=[www.digicert.com](https://www.digicert.com/), O=DigiCert Inc, C=US
[2026.01.23 19:42:14.2907]     valid from 8/1/2013 12:00:00 PM until 1/15/2038 12:00:00 PM
[2026.01.23 19:42:14.2907]     issued from CN=DigiCert Global Root G2, OU=[www.digicert.com](https://www.digicert.com/), O=DigiCert Inc, C=US
[2026.01.23 19:42:14.2907]     thumbprint DF3C24F9BFD666761B268073FE06D1CC8D4F82A4
[2026.01.23 19:42:14.2916]     valid: True
[2026.01.23 19:42:14.2916]     this cert is CertificateAuthority
[2026.01.23 19:42:14.2916]     key usages: CrlSign, KeyCertSign, DigitalSignature
[2026.01.23 19:42:28.9659] Enabling encryption operation was not completed and cancelled at client side after 30 seconds, it should be done under 5 seconds.
[2026.01.23 19:42:28.9660]  SNI timeout detected, PreLogin phase was not complete after 30025 milliseconds.
 
[2026.01.23 19:42:28.9661] Error
Exception:Enabling encryption operation was not completed and cancelled at client side after 30 seconds, it should be done under 5 seconds.
 
 
[2026.01.23 19:42:28.9678]  Disconnect initiated.
[2026.01.23 19:42:28.9679]  Disconnect done.

[jacqueskangforvia]

Result with TrustServerCertificate = $true:

[2026.01.23 19:01:14.5842] Connect initiated (attempt # 2).
[2026.01.23 19:01:14.5843] PreLogin phase starting
[2026.01.23 19:01:14.5979] DNS resolution took 13 ms, (10.250.117.5)
[2026.01.23 19:01:14.6035] TCP connection open
[2026.01.23 19:01:14.6035] Local endpoint is [::ffff:169.254.10.133]:42148
[2026.01.23 19:01:14.6035] Remote endpoint is [::ffff:10.250.117.5]:1433

[2026.01.23 19:01:14.6036] Building PreLogin message.
[2026.01.23 19:01:14.6036] Adding PreLogin option Encryption [EncryptOff].
[2026.01.23 19:01:14.6036] Adding PreLogin option TraceID
[2026.01.23 19:01:14.6036] ConnectionID: D2F25D0E-11C2-427F-8498-4BE84BD908A3
[2026.01.23 19:01:14.6036] ActivityID: 7998623A-5C84-4F5F-88E4-A29A5B049F67
[2026.01.23 19:01:14.6036] ActivitySequence: 0
[2026.01.23 19:01:14.6036] Adding PreLogin option FedAuthRequired [FedAuthRequired].
[2026.01.23 19:01:14.6036] Adding PreLogin message terminator.
[2026.01.23 19:01:14.6036] Trying to send PreLogin.
[2026.01.23 19:01:14.6038] PreLogin message sent.
[2026.01.23 19:01:14.6038] Waiting for PreLogin response.

[2026.01.23 19:01:14.6038] Receiving response:
[2026.01.23 19:01:14.6058] Server requires encryption, enabling encryption:
[2026.01.23 19:01:14.6058] Trust Server Certificate is set to True
[2026.01.23 19:01:14.6059] Trying to authenticate using Tls12
[2026.01.23 19:01:15.3825] Ignoring certificate validation results (due to trust certificate)
[2026.01.23 19:01:15.3826] Is authenticated: True
[2026.01.23 19:01:15.3826] Protocol: Tls12
[2026.01.23 19:01:15.3826] Cipher: Aes256 strength 256
[2026.01.23 19:01:15.3827] Hash: None strength 0
[2026.01.23 19:01:15.3827] Key exchange: DiffieHellman strength 0
[2026.01.23 19:01:15.3827] IsSigned: True
[2026.01.23 19:01:15.3827] Is Encrypted: True
[2026.01.23 19:01:15.3827] Local certificate is null.
[2026.01.23 19:01:15.3834] Remote cert was issued to CN=cr16.northeurope1-a.control.database.windows.net, O=Microsoft Corporation, L=Redmond, S=WA, C=US and is valid from 1/16/2026 1:53:03 PM until 7/15/2026 1:53:03 PM.
[2026.01.23 19:01:15.3834] Encryption enabled (took 30814 ms)
[2026.01.23 19:01:44.6043] Enabling encryption operation was not completed and cancelled at client side after 30 seconds, it should be done under 5 seconds.
[2026.01.23 19:01:44.6044] SNI timeout detected, PreLogin phase was not complete after 30020 milliseconds.

[jacqueskangforvia]

I even tried rebuild a TDSClient.dll with secondsToEnableEncryptionTimeout = 60
The client is happy now but then connection is reset by server probably due to handshake timeout

now I increased the timeout to 60s, new output:

[2026.01.23 20:30:30.8299] Connect initiated (attempt # 2).
[2026.01.23 20:30:30.8299] PreLogin phase starting
[2026.01.23 20:30:30.8593]  DNS resolution took 29 ms, (10.250.117.5)
[2026.01.23 20:30:30.8662]   TCP connection open
[2026.01.23 20:30:30.8662]    Local endpoint is [::ffff:169.254.8.227]:60318
[2026.01.23 20:30:30.8662]    Remote endpoint is [::ffff:10.250.117.5]:1433

[2026.01.23 20:30:30.8662]  Building PreLogin message.
[2026.01.23 20:30:30.8663]   Adding PreLogin option Encryption [EncryptOff].
[2026.01.23 20:30:30.8663]   Adding PreLogin option TraceID
[2026.01.23 20:30:30.8663]    ConnectionID: 847C8272-106F-4C07-A8D6-A3A769BA5E8A
[2026.01.23 20:30:30.8663]    ActivityID: C1F5BF79-6A56-4A9A-B1AB-8E9A752251E1
[2026.01.23 20:30:30.8663]    ActivitySequence: 0
[2026.01.23 20:30:30.8663]   Adding PreLogin option FedAuthRequired [FedAuthRequired].
[2026.01.23 20:30:30.8663]   Adding PreLogin message terminator.
[2026.01.23 20:30:30.8663]  Trying to send PreLogin.
[2026.01.23 20:30:30.8664]  PreLogin message sent.
[2026.01.23 20:30:30.8664]  Waiting for PreLogin response.

[2026.01.23 20:30:30.8664]  Receiving response:
[2026.01.23 20:30:30.8686]   Server requires encryption, enabling encryption:
[2026.01.23 20:30:30.8686]    Trust Server Certificate is set to True
[2026.01.23 20:30:30.8687]    Trying to authenticate using Tls12
[2026.01.23 20:31:00.8856]    Ignoring certificate validation results (due to trust certificate)
[2026.01.23 20:31:00.8857]    Is authenticated: True
[2026.01.23 20:31:00.8857]    Protocol: Tls12
[2026.01.23 20:31:00.8857]    Cipher: Aes256 strength 256
[2026.01.23 20:31:00.8857]    Hash: None strength 0
[2026.01.23 20:31:00.8857]    Key exchange: DiffieHellman strength 0
[2026.01.23 20:31:00.8857]    IsSigned: True
[2026.01.23 20:31:00.8857]    Is Encrypted: True
[2026.01.23 20:31:00.8857]    Local certificate is null.
[2026.01.23 20:31:00.8859]    Remote cert was issued to CN=cr16.northeurope1-a.control.database.windows.net, O=Microsoft Corporation, L=Redmond, S=WA, C=US and is valid from 1/16/2026 1:53:03 PM until 7/15/2026 1:53:03 PM.
[2026.01.23 20:31:00.8859]   Encryption enabled (took 30017 ms)
[2026.01.23 20:31:00.8860]  PreLogin response processed.
[2026.01.23 20:31:00.8860] PreLogin phase ended (took 30019 ms)
[2026.01.23 20:31:00.8860] WARNING: PreLogin phase should take less than 5 seconds

[2026.01.23 20:31:00.8860] Starting Login phase.
[2026.01.23 20:31:00.8860]  Building Login7 message.
[2026.01.23 20:31:00.8860]  Adding option HostName with value [ca-gptmpxn01-eun-dev-mes-02-chk--0000035-6c8f6ff6fc-z2htf]
[2026.01.23 20:31:00.8860]   Adding option ApplicationName with value [TDSSQLTestClient]
[2026.01.23 20:31:00.8860]   Adding option ServerName with value [sql-gptmpxn01-eun-dev-mes-01.database.windows.net]
[2026.01.23 20:31:00.8861]   Adding option Database with value [ORD]
[2026.01.23 20:31:00.8861]   Adding Entra Authentication options
[2026.01.23 20:31:00.8861]  Trying to send Login7.

[2026.01.23 20:31:00.8868] Error
Exception:Unable to write data to the transport connection: Connection reset by peer.
InnerException: Connection reset by peer


[2026.01.23 20:31:00.8888]  Disconnect initiated.
[2026.01.23 20:31:00.8888]  Disconnect done.

[jacqueskangforvia]

FYI I managed to disable CRL download by modifying this line, changed the last argument to false