SQL Server SSL - Error when client sets encryption

  • Question

  • Hi,

    When enforcing SSL through server, but not through client, we get a successful test. When setting encryption through an ODBC connection or through the native client configuration resulting in a client-wide setting, I get failures stating the certificate is not issued by an authority that is not trusted. Our security admin installed the certs on the SQL Server and the cert was issued from one of our certificate authorities. I don't know too much about certificates, but can get more info from him if needed.

    Here is the successful test - note it says certificate validation was skipped....

    SQL Server ODBC Data Source Test
    Test Results

    Microsoft SQL Server Native Client Version 11.00.6518

    Running connectivity tests...

    Attempting connection
    Connection established
    Verifying option settings
    INFO: Data encryption was enforced by server or client machine-wide
    INFO: Connection was encrypted without server certificate validation
    Disconnecting from server

    TESTS COMPLETED SUCCESSFULLY!

    When enforcing in client ODBC settings, during test, fails.

    SQL Server ODBC Data Source Test
    Test Results

    Microsoft SQL Server Native Client Version 11.00.6518

    Running connectivity tests...

    Attempting connection
    [Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.
    [Microsoft][SQL Server Native Client 11.0]Client unable to establish connection

    TESTS FAILED!

    If anyone knows how to get this working, please let me know.

    Thanks,

    Sam


    • Edited by ___Sam___ Thursday, June 22, 2017 3:44 PM
    Thursday, June 22, 2017 3:43 PM

Answers

  • Was able to sort this out. Turns out on this server, I had missed updating the registry entry with the thumbprint for the cert. Beyond that, the thumbprint needs to have no spaces and also be upper case.
    • Marked as answer by ___Sam___ Thursday, June 22, 2017 4:25 PM
    Thursday, June 22, 2017 4:18 PM
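
The fix in the answer depends on the exact form of the stored thumbprint. The following is an added example, not code from the thread: a Python check that reports why a thumbprint string would need clean-up and compares it with the SHA-1 of the certificate's DER bytes. The function names and the sample bytes are constructed for illustration, and the hidden-character check goes beyond the spaces and case mentioned in the answer.

```python
import hashlib
import unicodedata

HEX = set("0123456789ABCDEF")

def cert_thumbprint(der: bytes) -> str:
    """Thumbprint as Windows displays it: SHA-1 over the DER-encoded certificate."""
    return hashlib.sha1(der).hexdigest().upper()

def audit_thumbprint(value: str):
    """Return (normalized_or_None, problems) for a thumbprint string as configured."""
    problems = []
    # Invisible format characters (Unicode category Cf, e.g. U+200E) can ride
    # along when the value is copied out of a certificate details dialog.
    hidden = [c for c in value if unicodedata.category(c) == "Cf"]
    if hidden:
        problems.append("hidden characters: " + ", ".join(f"U+{ord(c):04X}" for c in hidden))
    visible = "".join(c for c in value if unicodedata.category(c) != "Cf")
    compact = "".join(visible.split())          # drop every kind of whitespace
    if compact != visible:
        problems.append("contains whitespace")
    if compact != compact.upper():
        problems.append("contains lower-case hex digits")
    normalized = compact.upper()
    if len(normalized) != 40 or not set(normalized) <= HEX:
        problems.append("not 40 hex digits after clean-up")
        normalized = None
    return normalized, problems

def matches_certificate(value: str, der: bytes) -> bool:
    """True only when the value needs no clean-up and equals the cert's thumbprint."""
    normalized, problems = audit_thumbprint(value)
    return not problems and normalized == cert_thumbprint(der)

# Constructed stand-in for a certificate's DER bytes (not a real certificate).
SAMPLE_DER = b"constructed sample bytes standing in for a DER certificate"
GOOD = cert_thumbprint(SAMPLE_DER)
# The same thumbprint the way it often gets pasted: hidden U+200E, lower case, byte pairs.
PASTED = "\u200e" + " ".join(GOOD.lower()[i:i + 2] for i in range(0, 40, 2))

if __name__ == "__main__":
    for label, value in (("pasted", PASTED), ("clean", GOOD)):
        normalized, problems = audit_thumbprint(value)
        print(f"{label}: usable as-is={matches_certificate(value, SAMPLE_DER)}")
        print(f"  normalized={normalized} problems={problems}")
```

With a real certificate, pass the bytes of its DER-encoded file to `cert_thumbprint` and the configured string to `matches_certificate`.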