TLS / SSL Handshake in TDS 4.2

  • Question

  • I'm going through the TDS Protocol 4.2 OSD.  I'm trying to create a proxy server that routes communication back and forth between clients and MS SQL Server 2008.  I am able to parse the PRELOGIN packet but then run into trouble after that.  The clients have ENCRYPT_ON for the login credentials.  After the initial connection another PRELOGIN packet is sent to initiate the TLS/SSL handshake.  The documentation does not explain this handshaking process, and that's what I'm looking for.

    Where do I find specs defining the TLS/SSL packet information so that I can decrypt the encrypted login information?

    Sunday, October 3, 2010 3:17 PM

Answers

  • Hi AJ8829,

    I think the following should answer both of your follow-up questions.

    Section 3.2 Client Details [State Diagram] shows the TDS sequencing, which points to the PRELOGIN packet, and specifically Section 3.2.5.1 Sent Initial PRELOGIN Packet State details the sequencing rules.

    Encryption in the PRELOGIN sequence is detailed in Section 2.2.6.4 PRELOGIN:

    “This message stream is also used to wrap the SSL handshake payload if encryption is needed. In this scenario, where PRELOGIN message is transporting the SSL handshake payload, the packet data is simply the raw bytes of the SSL handshake payload”

    Further sequencing rules apply following Section 3.2.5.2, etc.  The actual encryption is done in the Windows TLS/SSL Layer (implemented in the Secure Channel security provider, “SChannel”), not TDS.  RFC 2246 defines the TLS/SSL standard (not a Microsoft protocol).

    Regarding SQL Server TLS/SSL version support, this Microsoft blog details SQL Server cipher suite support (TLS1.1, TLS1.0, SSL3.0, SSL2.0) and provides additional informative links:

    http://blogs.msdn.com/b/sql_protocols/archive/2007/06/30/ssl-cipher-suites-used-with-sql-server.aspx

    I hope this helps.

    Regards,
    Mark Miller
    Escalation Engineer
    US-CSS DSC PROTOCOL TEAM

    Thursday, October 7, 2010 7:34 PM
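As an added illustration of what the answer above describes (this is not code from the thread or from Microsoft), the Python below parses a TDS packet header and then tells the two PRELOGIN shapes apart: the first PRELOGIN carries an option list from which the ENCRYPTION setting can be read, while the follow-up PRELOGIN's packet data is simply a raw TLS record. The header and option-token layout follow the [MS-TDS] PRELOGIN definition; the two sample packets are constructed for the example.

```python
import struct

TDS_PRELOGIN = 0x12  # TDS packet header Type for PRELOGIN
PL_TOKENS = {0x00: "VERSION", 0x01: "ENCRYPTION", 0x02: "INSTOPT", 0x03: "THREADID",
             0x04: "MARS", 0x05: "TRACEID", 0x06: "FEDAUTHREQUIRED", 0x07: "NONCEOPT"}
ENCRYPTION_VALUES = {0: "ENCRYPT_OFF", 1: "ENCRYPT_ON", 2: "ENCRYPT_NOT_SUP", 3: "ENCRYPT_REQ"}

def parse_tds_packet(pkt: bytes) -> dict:
    """Split one TDS packet into its 8-byte header fields and the packet data."""
    if len(pkt) < 8 or struct.unpack(">H", pkt[2:4])[0] != len(pkt):
        raise ValueError("short TDS header or Length field does not match the buffer")
    ptype, status, _length, spid, packet_id, _window = struct.unpack(">BBHHBB", pkt[:8])
    return {"type": ptype, "status": status, "spid": spid,
            "packet_id": packet_id, "payload": pkt[8:]}

def classify_prelogin(payload: bytes) -> dict:
    """Tell a PRELOGIN option list apart from a PRELOGIN that wraps a raw TLS record."""
    # TLS record header: content type 0x14..0x17, version major 3, then a 2-byte length.
    if len(payload) >= 5 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03:
        ctype, major, minor, rlen = struct.unpack(">BBBH", payload[:5])
        info = {"kind": "tls_record", "content_type": ctype, "version": (major, minor), "length": rlen}
        if ctype == 0x16 and len(payload) > 5:
            info["handshake_type"] = payload[5]  # 0x01 ClientHello, 0x02 ServerHello
        return info
    # Otherwise: PL_OPTION_TOKEN (1) + PL_OFFSET (2, BE) + PL_OPTION_LENGTH (2, BE), ending in 0xFF.
    options, pos = {}, 0
    while pos < len(payload):
        token = payload[pos]
        if token == 0xFF:
            break
        if pos + 5 > len(payload):
            raise ValueError("truncated PRELOGIN option entry")
        offset, olen = struct.unpack(">HH", payload[pos + 1:pos + 5])
        options[PL_TOKENS.get(token, f"UNKNOWN_{token:#04x}")] = payload[offset:offset + olen]
        pos += 5
    else:
        raise ValueError("PRELOGIN option list lacks TERMINATOR")
    enc = options.get("ENCRYPTION", b"")
    return {"kind": "prelogin_options", "options": options,
            "encryption": ENCRYPTION_VALUES.get(enc[0], "UNKNOWN") if len(enc) == 1 else None}

# Constructed sample 1: first client PRELOGIN carrying VERSION and ENCRYPTION = ENCRYPT_ON.
_data = b"\x00" + struct.pack(">HH", 11, 6) + b"\x01" + struct.pack(">HH", 17, 1) + b"\xff" + b"\x0a\x00\x06\x40\x00\x00" + b"\x01"
SAMPLE_PRELOGIN = struct.pack(">BBHHBB", TDS_PRELOGIN, 0x01, 8 + len(_data), 0, 1, 0) + _data
# Constructed sample 2: follow-up PRELOGIN whose packet data is a (truncated) TLS ClientHello record.
_tls = b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00"
SAMPLE_TLS_PRELOGIN = struct.pack(">BBHHBB", TDS_PRELOGIN, 0x01, 8 + len(_tls), 0, 1, 0) + _tls
```

A pass-through proxy can log the ENCRYPTION value negotiated in the first packet, but once the second PRELOGIN carries TLS records the login data inside them is opaque to it, since SChannel rather than TDS performs the encryption.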

All replies

  • Hi AJ8829,

    Thanks for your question regarding TLS/SSL packet information and the [MS-SSTDS] specification.  One of the Open Specifications engineers will contact you shortly.

    Best regards,
    Tom Jebo
    Escalation Engineer
    Microsoft Open Specifications

    Sunday, October 3, 2010 4:14 PM
  • No update on this yet?
    Monday, October 4, 2010 6:28 PM
  • Hi AJ8829,

    TLS/SSL is not part of the Microsoft Open Specification documentation set.  TLS/SSL is defined in RFC 2246.

    I hope this helps.

    Regards,
    Mark Miller
    Escalation Engineer
    US-CSS DSC PROTOCOL TEAM

    Tuesday, October 5, 2010 2:55 PM
  • Was hoping for a little more information than that.  Is there no particular structure that the encrypted data is put in?  I assume that after the packet header the rest of the data is encrypted according to RFC 2246?
    Tuesday, October 5, 2010 4:06 PM
  • Also, does this mean MS SQL Server 2008 only supports TLS 1.0?  Not 1.1 or 1.2?

    Thanks

    Tuesday, October 5, 2010 4:35 PM