SSL Client side configuration

  • Question

  • Hello,

    In article Here, it mentions 2 client settings "Force Protocol Encryption Client Setting" and "Trust Server Certificate Client Setting". I found them in SSMS "Connection Properties" tab when I make connections to sql instance. 

    1. I want to know if there is another place on the client side where I can configure these 2 values?

    2. In the article above, I don't understand why it puts the values for the connection string and the above 2 values (client settings) in the same table, because I think the 2 client settings are for SSMS connections only; no matter what values they are, the connection string cannot make use of them (unless there are other places to configure the same 2 values that can be used by the connection string).

    Thanks much.


    • Edited by PhotoHiker Friday, October 12, 2018 4:50 PM
    Thursday, October 11, 2018 8:01 PM

All replies

  • Hi PhotoHiker,

    >>1. I want to know if there is another place on the client side where I can configure these 2 values?
    You can find these two options in SQL Server Configuration Manager. Navigate to the SQL Server Client <version> Configuration page in SQL Server Configuration Manager, right-click and then select Properties.

    >>2. I don't understand why it puts the values for the connection string and the above 2 values (client settings) in the same table, because I think the 2 client settings are for SSMS connections only; no matter what values they are, the connection string cannot make use of them.
    These two values are not for SSMS connections only. To enable encryption when a certificate has not been provisioned on the server, the Force Protocol Encryption and the Trust Server Certificate options must be set in SQL Server Configuration Manager. An application can request encryption by setting the TrustServerCertificate and Encrypt keywords to true, guaranteeing that encryption takes place. For more information, please refer to the documents from Connection String Syntax.

    Best Regards
    Puzzle
    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com

    • Proposed as answer by Ed Nygma Wednesday, October 24, 2018 8:02 AM
    Friday, October 12, 2018 7:29 AM
  • Hi Puzzle_Chen,

    Thanks for your reply.

    For the answer to question 1, I configured them in SSCM on the client side. It gives a warning message "Any Changes made will be saved; however, they will not take effect until the service is stopped and restarted". What service does it refer to? How do I restart the service? After the 2 client settings are configured in SSCM, how can I make use of them?

    For the answer to question 2, if an application doesn't set the TrustServerCertificate and Encrypt keywords in the connection string, do the 2 client settings in SSCM take effect?

    Friday, October 12, 2018 2:33 PM

  • For the answer to question 1, I configured them in SSCM on the client side. It gives a warning message "Any Changes made will be saved; however, they will not take effect until the service is stopped and restarted". What service does it refer to? How do I restart the service? After the 2 client settings are configured in SSCM, how can I make use of them?

    For the answer to question 2, if an application doesn't set the TrustServerCertificate and Encrypt keywords in the connection string, do the 2 client settings in SSCM take effect?

    1. The service it is referring to is SQL Server database engine service. You can restart it from the same SSCM tree. Select "SQL Server Services" and on the right, right-click the "SQL Server (XYZ)" and select 'restart'. 

    2. If the setting in SSCM has 'Yes' for those settings, the parameters in the client side connection string are ignored. 

    The link you posted in the first line of your question points back to this thread. Check the following article to understand what happens if you enable the SSCM side setting vs. the client connection string and which one takes precedence. 

    https://blogs.msdn.microsoft.com/sql_protocols/2009/10/19/selectively-using-secure-connection-to-sql-server/

    That being said, I would not set anything on the SQL Server (SSCM) since it takes effect globally. Instead, append the parameters in the client connection string so you have control over which clients can use encryption and which ones cannot. 


    Please remember to click "Mark as Answer" if my response answered your question or click "Vote as helpful" if it helped you in any way.

    • Proposed as answer by Ed Nygma Wednesday, October 24, 2018 8:02 AM
    Friday, October 12, 2018 3:36 PM
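
Added example (not part of the thread and not Microsoft's code): a Python sketch that audits client connection strings for the Encrypt and TrustServerCertificate keywords discussed in the answers above, reporting which strings request no encryption and which encrypt without validating the server certificate. It assumes both keywords default to false when absent and that the client-side SSCM settings are left at No; the function names and sample strings are constructed for illustration.

```python
import re

# keyword=value pairs; a value may be quoted so that it can contain ';'.
_PAIR = re.compile(r"""\s*([^=;]+?)\s*=\s*("[^"]*"|'[^']*'|[^;]*)\s*(?:;|$)""")
_BOOL = {"true": True, "yes": True, "false": False, "no": False}

def parse(conn_str):
    """Return {keyword: value}; case-insensitive, last occurrence wins."""
    pairs = {}
    for key, value in _PAIR.findall(conn_str):
        # Spaces are dropped so 'Trust Server Certificate' matches too.
        pairs[key.lower().replace(" ", "")] = value.strip().strip("\"'")
    return pairs

def _flag(pairs, names):
    """Boolean keyword lookup; absent means False (assumed driver default)."""
    for name in names:
        if name in pairs:
            value = pairs[name].lower()
            if value not in _BOOL:
                raise ValueError(f"unexpected value for {name}: {value!r}")
            return _BOOL[value]
    return False

def classify(conn_str):
    pairs = parse(conn_str)
    if not _flag(pairs, ("encrypt", "useencryptionfordata")):
        # The client does not ask for encryption; the server decides.
        return "no-encryption-requested"
    if _flag(pairs, ("trustservercertificate",)):
        # Encrypted, but a self-signed or unverifiable certificate is accepted.
        return "encrypted-unvalidated-cert"
    return "encrypted-validated-cert"

def audit(conn_strings):
    """Return (server, finding) for each string that is not fully validated."""
    findings = []
    for cs in conn_strings:
        result = classify(cs)
        if result != "encrypted-validated-cert":
            pairs = parse(cs)
            server = pairs.get("server") or pairs.get("datasource", "?")
            findings.append((server, result))
    return findings

# Constructed sample inputs (hypothetical hosts, no real credentials).
SAMPLES = [
    "Server=db01;Database=app;Integrated Security=true",
    "Data Source=db02;Encrypt=yes;Trust Server Certificate=TRUE;Pwd='a;b'",
    "Server=db03;Encrypt=false;encrypt=True;TrustServerCertificate=no",
]
```

Calling `audit(SAMPLES)` lists db01 and db02; db03 passes because its last `encrypt` value is true and certificate validation is left on.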
  • Thanks Mohsin_A_Khan.

    I revised the link in the first line of my original post. If you look at the article, you may not think it refers to the SQL Server Database engine service because it's talking about client settings. Anyway, please let me know what you think.

    Friday, October 12, 2018 5:11 PM

  • I revised the link in the first line of my original post. If you look at the article, you may not think it refers to the SQL Server Database engine service because it's talking about client settings. Anyway, please let me know what you think.

    That's a SQL Server side change (even though it is a client setting) and would take effect only after a SQL Service restart.


    Friday, October 12, 2018 9:45 PM