SQL Server – SQL Server service won't start after disabling TLS 1.0 and SSL 3.0 on Windows

Tags: sql-server, ssl, windows

We have been hardening our servers for some time now and recently we disabled SSL 3.0 because of the POODLE attack. When I did this on one of our test servers, SQL Server failed to start up after the restart.

I have been able to reproduce this on Windows Server 2012 and Windows 7 by disabling TLS 1.0 and SSL 3.0 through the registry. I am using SQL Server 2012 on the server machine. On my Windows 7 machine, SQL Server 2012 and SQL Server 2005 will not start with those disabled.

These are the event log errors I get:

Application Logs:

(28/10/2014 8:38:54 AM) SQL Server could not spawn FRunCM thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.

(28/10/2014 8:38:54 AM) Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.

(28/10/2014 8:38:54 AM) TDSSNIClient initialization failed with error 0x80090331, status code 0x1.

(28/10/2014 8:38:54 AM) TDSSNIClient initialization failed with error 0x80090331, status code 0x80.

System Logs

(28/10/2014 8:38:54 AM) The SQL Server (MSSQLSERVER) service terminated with service-specific error %%-2146893007.

(28/10/2014 8:38:54 AM) A fatal error occurred while creating an SSL server credential. The internal error state is 10013.

Does anyone know how we can keep SSL 3.0 and TLS 1.0 disabled and get SQL Server to start?

Best Answer

The issue still remains if TLS 1.0 and SSL 3.0 are disabled. At the moment I don't see any way around this and maybe Microsoft needs to look into this for the future as TLS 1.0 is likely to be phased out over time.

The reason I had TLS 1.0 disabled was to mitigate the BEAST attack; as I found in some reading last night, this was the wrong way to do this. To properly disable the BEAST attack on a server, one should elevate a specific RC4 cipher so it is the one used with TLS 1.0. Unfortunately this raised another issue about the fact that the RC4 cipher is also vulnerable, but that is another discussion.

I realize that I have not found an answer to the question. But my issue has been solved by keeping TLS 1.0 enabled in the registry.
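As an added example (not part of the question or the answer above), the following PowerShell script audits the SCHANNEL protocol registry keys the thread refers to and then applies the state the answer ended up with: SSL 3.0 disabled, TLS 1.0 left enabled so the SQL Server service can still create its SSL server credential. It assumes an elevated PowerShell session on the SQL Server host and the standard SCHANNEL registry layout; the protocol list and the state labels are my own.

```powershell
# Added example, not code from the original post. Assumes an elevated session on
# the SQL Server host. Paths and value names are the standard SCHANNEL ones.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side = 'Server')
    $key = Join-Path $base "$Protocol\$Side"
    if (-not (Test-Path $key)) {
        # No key at all: Windows falls back to its built-in default for this protocol.
        return [pscustomobject]@{ Protocol = $Protocol; Side = $Side; State = 'OS default (key absent)' }
    }
    $props     = Get-ItemProperty -Path $key
    $enabled   = $props.PSObject.Properties['Enabled']
    $byDefault = $props.PSObject.Properties['DisabledByDefault']
    $state = if ($enabled -and $enabled.Value -eq 0) { 'Disabled (Enabled=0)' }
             elseif ($byDefault -and $byDefault.Value -eq 1) { 'Disabled by default' }
             else { 'Enabled' }
    [pscustomobject]@{ Protocol = $Protocol; Side = $Side; State = $state }
}

# Report the current server-side state before changing anything.
$protocols | ForEach-Object { Get-SchannelProtocolState -Protocol $_ } | Format-Table -AutoSize

function Set-SchannelProtocol {
    param([string]$Protocol, [bool]$Enable)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 turns the protocol off; DisabledByDefault=1 keeps it out of default negotiation.
        Set-ItemProperty -Path $key -Name 'Enabled' -Type DWord -Value ([int]$Enable)
        Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Type DWord -Value ([int](-not $Enable))
    }
}

# The configuration the answer settled on: SSL 3.0 off (POODLE), TLS 1.0 still on
# so the SQL Server service can build its SSL server credential at startup.
Set-SchannelProtocol -Protocol 'SSL 3.0' -Enable $false
Set-SchannelProtocol -Protocol 'TLS 1.0' -Enable $true

# SCHANNEL reads these values at boot, so the effect on the SQL Server service
# is only confirmed after a restart; re-run the audit afterwards.
$protocols | ForEach-Object { Get-SchannelProtocolState -Protocol $_ } | Format-Table -AutoSize
```

After the reboot, the "A fatal error occurred while creating an SSL server credential" event in the System log is the quickest check that the service is again able to build its credential.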