SQL Server – TLS 1.2 Implementation Validation

Tags: sql-server, tls-1.2

I have a validation question regarding implementation of TLS 1.2.

What tools, scripts, processes, etc. can be used to validate that TLS 1.2 is working when clients, web servers, and SQL Servers are communicating with each other?

Do I need to perform network packet sniffing, run traces, use process explorer? Is there a verbose option somewhere that can be turned on with logs reviewed?

Note: if it makes a difference, the SQL Servers involved run a variety of versions: 2008R2, 2012, and 2014.

Best Answer

First, see Aaron Bertrand's answer on TLS 1.2 with older SQL Server, and/or Aaron's SentryOne blog post.

If you're talking about the normal SQL Server connection encryption (SQL Server Configuration Manager, Force Encryption = Yes), with modern SQL Server, then there are two steps:

  • `SELECT encrypt_option, COUNT(*) FROM sys.dm_exec_connections GROUP BY encrypt_option`
    • If there are any FALSE results, you have unencrypted connections. Fix that.
    • If there are 100% TRUE or NULL results, continue.
  • With buy-in from and in coordination with your IT Security team, download Microsoft Message Analyzer, Microsoft's Windows packet sniffer, and watch some connections. You're looking for the ClientHello and ServerHello messages, within which you can see cipher suites offered and which one happened to be accepted.
    • It's a combination of registry and group policy changes to adjust that at the Windows OS level of your SQL Server installations.
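The second step above is about reading the ClientHello and ServerHello out of a capture. Here is a small added example (not from the answer above or from any Microsoft tool) that parses those two handshake messages from raw TLS record bytes and reports the legacy version field and cipher suites, so you can confirm what the server actually accepted; the sample bytes at the bottom are constructed, not taken from a real capture.

```python
import struct

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 0x01, 0x02
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUITES = {0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}

def parse_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello or ServerHello.

    Reads the legacy version field and the cipher suite(s). Caveat: a TLS 1.3
    handshake also puts 0x0303 here and signals 1.3 in the supported_versions
    extension, which this minimal parser does not walk.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ValueError("truncated record")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")
    (version,) = struct.unpack("!H", hs[0:2])
    pos = 2 + 32                     # skip the 32-byte random
    pos += 1 + hs[pos]               # skip the length-prefixed session_id
    info = {"version": VERSIONS.get(version, f"0x{version:04x}")}
    if hs_type == CLIENT_HELLO:
        (cs_len,) = struct.unpack("!H", hs[pos:pos + 2]); pos += 2
        offered = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        info.update(type="ClientHello", cipher_suites=[SUITES.get(s, f"0x{s:04x}") for s in offered])
    elif hs_type == SERVER_HELLO:
        (chosen,) = struct.unpack("!H", hs[pos:pos + 2])
        info.update(type="ServerHello", cipher_suite=SUITES.get(chosen, f"0x{chosen:04x}"))
    else:
        raise ValueError(f"unexpected handshake type {hs_type}")
    return info

def negotiated_tls12(client_hello: bytes, server_hello: bytes) -> bool:
    """True when the server answered with TLS 1.2 and a suite the client offered."""
    c, s = parse_hello(client_hello), parse_hello(server_hello)
    return s["version"] == "TLS 1.2" and s["cipher_suite"] in c["cipher_suites"]

# Constructed sample bytes (not a real capture): a ClientHello offering two
# suites, and a ServerHello choosing the ECDHE/GCM one at TLS 1.2.
SAMPLE_CLIENT_HELLO = bytes.fromhex(
    "160301002f" "0100002b" "0303" + "11" * 32 + "00" "0004" "c02f002f" "0100")
SAMPLE_SERVER_HELLO = bytes.fromhex(
    "160303002a" "02000026" "0303" + "22" * 32 + "00" "c02f" "00")

if __name__ == "__main__":
    print(parse_hello(SAMPLE_CLIENT_HELLO))
    print(parse_hello(SAMPLE_SERVER_HELLO))
    print("TLS 1.2 negotiated:", negotiated_tls12(SAMPLE_CLIENT_HELLO, SAMPLE_SERVER_HELLO))
```

Feed it the payload bytes of the ClientHello and ServerHello records copied out of your capture; an `encrypt_option = TRUE` row in the DMV tells you the connection is encrypted, but only the ServerHello tells you which protocol version was actually negotiated.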

WATCH OUT FOR THIRD PARTY SOFTWARE

Lots of it does NOT support TLS of ANY kind, much less TLS 1.2, either in the application, or, much more often, during one or more parts of the installation and/or upgrade process. The vendor will be clueless if you ask beforehand, and just as clueless watching it happen in front of them.