SQL Server Log-in Packet Always Encrypted Even Without SSL Configuration?

  • Question

  • Hi,

    Does SQL Server 2005 automatically encrypt log-in packets even when SSL is not configured on SQL Server side and the encryption is not requested from either client or server side?  Based on the following blog the answer seems to be yes but I just wanted to make sure.

    http://blogs.msdn.com/b/dataaccess/archive/2005/08/05/448401.aspx

    In addition, I also have a couple of related questions:

    1. Is the same feature also supported in SQL Server 2008 R2 and 2012?

    2. If the log-in packet encryption is automatic is there any way to turn it off?

    Thanks in advance for your assistance!

    Wei



    • Edited by WZ2607 Friday, March 1, 2013 6:51 PM
    Friday, March 1, 2013 6:30 PM

Answers

  • Hello Wei,

    No, it does not automatically encrypt packets, but it will automatically hash passwords used in a username/password combo (SQL authentication). What the document is saying is that if a client asks for encryption but no SSL certificate is installed to be used, SQL Server can generate its own and use that.

    1. Yes

    2. It's not automatic

    -Sean


    Sean Gallardy | Blog | Twitter

    Friday, March 1, 2013 7:29 PM

All replies

  • Thanks!

    Wei

    Friday, March 1, 2013 7:38 PM
  • "2. If the log-in packet encryption is automatic is there any way to turn it off?"

    "2. It's not automatic"

    Hmm, I interpret that blog post in a way so that login packets *are* automatically encrypted. Quote from the blog post:

    "For this reason, SQL Server 2005 can and will ensure that the login packet is encrypted even if encryption hasn't been explicitly turned on.  More precisely, unless either the client or the server requests encryption, the channel will not be encrypted beyond the login packet."


    Tibor Karaszi, SQL Server MVP | web | blog

    Sunday, March 3, 2013 4:08 PM
  • Thanks Tibor. That was exactly why I assumed that SQL Server 2005 automatically encrypts the login packet regardless of whether the rest of the SQL traffic is encrypted. It also seems to be consistent with the following description from MSDN. But there are different interpretations of this description (as with the blog), so I wanted to make sure.

    "Credentials (in the login packet) that are transmitted when a client application connects to SQL Server 2005 are always encrypted. SQL Server will use a certificate from a trusted certification authority if available. If a trusted certificate is not installed, SQL Server will generate a self-signed certificate when the instance is started, and use the self-signed certificate to encrypt the credentials."

    http://msdn.microsoft.com/en-us/library/ms189067%28SQL.90%29.aspx

    Monday, March 4, 2013 7:24 PM
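
Added example, not part of the thread and not Microsoft's code: the scope of encryption discussed above is negotiated in the TDS PRELOGIN exchange, so it can be checked from a packet capture by decoding the ENCRYPTION option in the server's PRELOGIN response. The option and value codes are taken from the MS-TDS specification; the function names are hypothetical, the input is assumed to be the PRELOGIN payload with the 8-byte TDS packet header already removed, and the sample bytes are constructed.

```python
import struct

# ENCRYPTION option values defined by MS-TDS for the PRELOGIN message.
ENCRYPT_OFF, ENCRYPT_ON, ENCRYPT_NOT_SUP, ENCRYPT_REQ = 0x00, 0x01, 0x02, 0x03
TOKEN_ENCRYPTION, TOKEN_TERMINATOR = 0x01, 0xFF

# What the value in the server's response means for the connection.
OUTCOME = {
    ENCRYPT_OFF: "login packet only",   # TLS for login, then cleartext
    ENCRYPT_ON: "full session",
    ENCRYPT_REQ: "full session",
    ENCRYPT_NOT_SUP: "none",
}

def prelogin_options(payload: bytes) -> dict:
    """Parse the option table: 5-byte (token, offset, length) entries, 0xFF ends."""
    options, pos = {}, 0
    while True:
        if pos >= len(payload):
            raise ValueError("option table not terminated")
        token = payload[pos]
        if token == TOKEN_TERMINATOR:
            return options
        if pos + 5 > len(payload):
            raise ValueError("truncated option entry")
        offset, length = struct.unpack_from(">HH", payload, pos + 1)
        if offset + length > len(payload):
            raise ValueError("option data outside payload")
        options[token] = payload[offset:offset + length]
        pos += 5

def encryption_scope(server_prelogin: bytes) -> str:
    """Return what the server's PRELOGIN response says will be encrypted."""
    data = prelogin_options(server_prelogin).get(TOKEN_ENCRYPTION)
    if data is None or len(data) != 1 or data[0] not in OUTCOME:
        raise ValueError("missing or malformed ENCRYPTION option")
    return OUTCOME[data[0]]

def build_response(encrypt_value: int) -> bytes:
    """Constructed sample payload: VERSION and ENCRYPTION options only."""
    table_len = 2 * 5 + 1  # two entries plus the terminator byte
    version = bytes([9, 0, 0x05, 0x77, 0, 0])  # constructed version bytes
    table = struct.pack(">BHH", 0x00, table_len, len(version))
    table += struct.pack(">BHH", TOKEN_ENCRYPTION, table_len + len(version), 1)
    return table + bytes([TOKEN_TERMINATOR]) + version + bytes([encrypt_value])

if __name__ == "__main__":
    for value in (ENCRYPT_OFF, ENCRYPT_ON, ENCRYPT_NOT_SUP, ENCRYPT_REQ):
        print(hex(value), "->", encryption_scope(build_response(value)))
```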