ARRA HITECH ACT Data In Motion communication requirement, does SQL Server 2008 support TLS 1.0?

  • Question

  • My company has had me going through the HHS Secretary guidelines for proper handling of PHI information to be in compliance with the technical requirements in the ARRA HITECH Act (see http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf). On page 42472, column 3, the guideline specifies that PHI data in motion needs to be protected by using TLS 1.0--SSL 3.0 is not supported because some of the encryption algorithms do not meet gov't standards.  The documentation makes no distinction that I can see about whether the communication is exclusively across the Internet, or whether data in motion on the company's internal network must also be encrypted.  If it does, I read this as SQL Server needs to support TLS 1.0 for encrypted connections.

    All the documentation I have found on SQL Server 2008 indicates connection encryption can be set up using SSL 3.0, but there is no indication on TLS 1.0.  To me, this raises a host of questions, and I am hoping someone has answers that I just haven't found yet.  Are there registry / machine.config settings which will allow SQL Server 2008 connection encryption to support TLS 1.0 as per the gov't requirements (http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf )?  If so, can someone post them?  If not, what are my alternatives?

    Rgds,

    Jim Grinwald

    Dart Chart Systems
    Tuesday, November 17, 2009 3:53 PM

All replies

  • Hi James,

    Take a look at this blog posting that I wrote up a while back: http://blogs.msdn.com/sql_protocols/archive/2007/06/30/ssl-cipher-suites-used-with-sql-server.aspx.  In short, the cipher suite used by SQL Server is negotiated by the OS and is not influenced by SQL Server itself.  However, assuming that you're using one of the recent versions of Windows, you should have TLS1.1 and 1.0 available.

    Thanks,
    Il-Sung.
    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by James Grinwald Wednesday, November 18, 2009 2:37 PM
    Wednesday, November 18, 2009 2:52 AM
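
The reply above says the protocol and cipher suite are negotiated by the OS rather than by SQL Server. As an added example (not part of the original thread and not Microsoft's code), this read-only PowerShell check reports how the Windows Schannel provider on the SQL Server host is configured for the protocol versions named in the thread. It assumes the standard Schannel registry location; the function name `Get-SchannelProtocolState` is hypothetical.

```powershell
# Added example: read-only audit of the Windows Schannel protocol switches.
# Assumption: the standard Schannel registry layout. Nothing is modified.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'   # versions named in the thread

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Role)    # Role is 'Server' or 'Client'

    $key = Join-Path (Join-Path $base $Protocol) $Role
    # A missing key or missing values means the Windows built-in default applies.
    $state = 'OS default (no explicit setting)'
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        # Enabled = 0 switches the protocol off; any non-zero value switches it on.
        # DisabledByDefault = 1: used only when an application requests it explicitly.
        if ($null -ne $props.Enabled) {
            if ($props.Enabled -eq 0) { $state = 'Disabled' }
            elseif ($props.DisabledByDefault -eq 1) { $state = 'Enabled, off by default' }
            else { $state = 'Enabled' }
        }
        elseif ($props.DisabledByDefault -eq 1) { $state = 'Off by default' }
    }
    New-Object PSObject -Property @{ Protocol = $Protocol; Role = $Role; State = $state }
}

$report = foreach ($p in $protocols) {
    foreach ($r in 'Server', 'Client') {
        Get-SchannelProtocolState -Protocol $p -Role $r
    }
}
$report | Select-Object Protocol, Role, State | Format-Table -AutoSize

# Flag the two conditions the question cares about for inbound SQL connections.
$ssl3 = $report | Where-Object { $_.Protocol -eq 'SSL 3.0' -and $_.Role -eq 'Server' }
$tls1 = $report | Where-Object { $_.Protocol -eq 'TLS 1.0' -and $_.Role -eq 'Server' }
if ($ssl3.State -ne 'Disabled') {
    Write-Warning "SSL 3.0 (Server) is not explicitly disabled: $($ssl3.State)"
}
if ($tls1.State -eq 'Disabled') {
    Write-Warning 'TLS 1.0 (Server) is disabled on this host'
}
```

A state of "OS default" means no override is present, so what the host offers depends on the Windows version's built-in defaults.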
  • Hi Il-Sung,

    Thank you very much for the information.  It has the depth / detail I have been looking for.

    Thanks again,

    Jim Grinwald
    Wednesday, November 18, 2009 2:39 PM