SQL Server Support for TLS 1.2

  • Question

  • Morning!

        I am not sure if I am making a rookie mistake, but we have recently been trying to be more "PCI" compliant, so we have been hardening our web and database servers. We have had no issue with connectivity to the web servers, but we have also been disabling TLS 1.0 and TLS 1.1, and we have been having trouble communicating with SQL Server over TLS 1.1/1.2. We have a bunch of different environments, but we made sure to upgrade to the TLS 1.2 supported versions:

    SQL 2008 R2 10.50.6542

    SQL 2012 sp3 11.0.6594

    I have tried taking the latest native client on the web servers that communicate with the database servers; the .NET patches say not applicable. I tried following along with these instructions (as well as 75 other links throughout Bing :) ). We have tried with DB servers that have legit certs as well as self-signed certs, with no difference in outcomes:

    https://support.microsoft.com/en-us/help/3135244/tls-1.2-support-for-microsoft-sql-server

    and no matter what I have tried, I cannot communicate with SQL Server unless TLS 1.0 is enabled in the registry (on both the IIS client and the DB server side). Anyone have any advice?

    Connection failed:
    SQLState: '01000'
    SQL Server Error: 1
    [Microsoft][ODBC SQL Server Driver][DBNETLIB]ConnectionOpen (SECCreateCredentials()).

    Connection Failed:
    SQLState: '08001'
    SQL Server Error: 18
    [Microsoft][ODBC SQL Server Driver][DBNETLIB]SSL Security Error

    Thank you for any and all input!

    Tuesday, May 2, 2017 3:03 PM
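    A diagnostic script added here as an example (it is not from the thread or from Microsoft's article) to run on the web server: it reads the SCHANNEL protocol state for both client and server roles, reports the .NET strong-crypto flag, then opens an encrypted SqlClient connection and compares the server build with the minimum builds named in the post. `$SqlHost` is a placeholder; note that SqlClient is a different driver from the legacy "SQL Server" ODBC driver in the error text, so a success here does not by itself clear that driver.

    ```powershell
    # Added diagnostic (not from the thread). Run on the web server; repeat the
    # registry part on the SQL host, since both sides must share an enabled protocol.
    $SqlHost = 'db01.example.internal'   # placeholder, replace with your instance

    $protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    function Get-SchannelState([string]$Protocol, [string]$Side) {
        $key = Join-Path $protocols "$Protocol\$Side"
        if (-not (Test-Path $key)) { return 'not set (OS default)' }
        $p = Get-ItemProperty -Path $key
        if ($p.Enabled -eq 0)           { return 'disabled' }
        if ($p.DisabledByDefault -eq 1) { return 'disabled by default' }
        return 'enabled'
    }
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            '{0,-8} {1,-7} {2}' -f $proto, $side, (Get-SchannelState $proto $side)
        }
    }

    # .NET Framework 4.5.x SqlClient does not offer TLS 1.2 unless SchUseStrongCrypto=1;
    # both hives matter, depending on whether the app pool runs 32-bit or 64-bit.
    foreach ($hive in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $v = (Get-ItemProperty -Path $hive -ErrorAction SilentlyContinue).SchUseStrongCrypto
        '{0}: SchUseStrongCrypto={1}' -f $hive, $(if ($null -eq $v) { 'not set' } else { $v })
    }

    # Encrypt=True makes the TDS login negotiate TLS with whatever SCHANNEL allows;
    # TrustServerCertificate=False keeps certificate validation switched on.
    # Minimum builds are the ones listed in the post (2008 R2 and 2012 SP3).
    $minBuild = @{ '10.50' = [version]'10.50.6542'; '11.0' = [version]'11.0.6594' }
    $cs = "Server=$SqlHost;Integrated Security=True;Encrypt=True;TrustServerCertificate=False"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32))"
        $build = [version]$cmd.ExecuteScalar()
        $branch = '{0}.{1}' -f $build.Major, $build.Minor
        $verdict = if ($minBuild.ContainsKey($branch)) { $build -ge $minBuild[$branch] } else { 'not judged' }
        "Connected with encryption; server build $build (TLS 1.2 minimum met: $verdict)"
    } catch {
        # 'SSL Security Error' / SECCreateCredentials here means the two hosts share
        # no enabled protocol, or the client stack cannot yet use TLS 1.2.
        "Encrypted connection failed: $($_.Exception.Message)"
    } finally { $conn.Dispose() }
    ```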

All replies

  • Hi Jason,

    >>and no matter what I have tried, I cannot communicate with SQL Server unless TLS 1.0 is enabled in the registry (on both the IIS client and the DB server side). Anyone have any advice?

    So it seems the issue only occurs at the client side (web server). Have you tried enabling the "Use FIPS compliant algorithms" setting as described in this article?

    If you have any other questions, please let me know.

    Regards,
    Lin

    MSDN Community Support

    Friday, May 19, 2017 5:12 AM
  • Yes, we did actually try that. It worked but broke other things (like MS Deploy). Also, it is my understanding that MS is not recommending FIPS anymore, as that standard is not keeping up with the industry. And in implementation it looks like it is using TLS 1.0 anyway, even though you state you have 1.2 open; I think it's overriding the registry entries.

    Friday, May 19, 2017 12:21 PM
  • Hi,

    We are currently experiencing the exact same issue as Jason.

    Using FIPS supports weak ciphers.

    What other recommendations are there?

    Wednesday, May 31, 2017 5:07 AM