SSL Self Signed Fallback certificate

  • Question

  • I have a large number of client machines running SQLExpress as their offline database to be used when disconnected from the network.  When the machines are scanned with Nessus, they come back with a vulnerability related to the SSL Self Signed Fallback certificate.  I know how to solve this manually by using SQL Server Configuration Manager, but is there a way to push this out to all the machines via group policy or another mechanism so that I don't have to touch every client machine separately?
    Friday, January 3, 2020 7:14 PM

Answers

  • Good day,

    You can do the whole task using PowerShell.

    You can use the Microsoft SqlServer PowerShell command Set-SqlNetworkConfiguration, for example, to set the network configuration.

    In addition, there is a nice project (free, open source, created and managed by the community without any guarantee) which provides a module with over 500 SQL Server administration commands like "Set-DbaTcpPort". This might be very useful for you: https://dbatools.io/



    Ronen Ariely

    • Marked as answer by joeychez Friday, January 10, 2020 7:05 PM
    Saturday, January 4, 2020 5:59 PM
    Moderator
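
One way to script the change for many machines, as an added example that is not from the thread or its participants: it assumes the manual fix is choosing a CA-issued certificate for the instance in SQL Server Configuration Manager, and it writes the same thumbprint value to the instance's SuperSocketNetLib registry key. Assumptions: domain-joined clients, an instance named SQLEXPRESS, a Server Authentication certificate already enrolled in LocalMachine\My, and a SQL Server service account that can already read that certificate's private key.

```powershell
#Requires -RunAsAdministrator
# Added example: run locally on each client (computer startup script, Invoke-Command, ...).
$InstanceName  = 'SQLEXPRESS'            # assumption: default Express instance name
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'     # Server Authentication EKU

# Map the instance name to its instance ID, then build the network-library key path.
$root       = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$instanceId = (Get-ItemProperty "$root\Instance Names\SQL" -ErrorAction Stop).$InstanceName
if (-not $instanceId) { throw "Instance '$InstanceName' not found on $env:COMPUTERNAME" }
$netLib = "$root\$instanceId\MSSQLServer\SuperSocketNetLib"

# Build the name the certificate must carry (assumption: domain-joined machine).
$cs   = Get-CimInstance Win32_ComputerSystem
$fqdn = "$($cs.DNSHostName).$($cs.Domain)"
$now  = Get-Date

# Pick a CA-issued machine certificate: private key present, not self-signed,
# valid for at least 30 more days, Server Authentication EKU, name matches the FQDN.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.Subject -ne $_.Issuer -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now.AddDays(30) -and
    $_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid -and
    $_.DnsNameList.Unicode -contains $fqdn
} | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No suitable certificate for $fqdn in LocalMachine\My" }

# Idempotent: leave the machine alone if the instance already uses this certificate.
$thumb   = $cert.Thumbprint.ToLower()
$current = (Get-ItemProperty $netLib).Certificate
if ($current -eq $thumb) { Write-Output "$InstanceName on $fqdn already uses $thumb"; return }

# Private-key read access for the service account is NOT granted here (see assumptions).
Set-ItemProperty -Path $netLib -Name Certificate -Value $thumb

# The instance only loads the certificate at startup, so restart the service.
Restart-Service -Name ('MSSQL$' + $InstanceName) -Force
Write-Output "$InstanceName on $fqdn now uses certificate $thumb"
```

After the restart, the SQL Server error log on the client records whether the configured certificate was loaded for encryption, which is a quick check before rescanning.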

All replies

  • Hi joeychez,

    Here are some similar threads and a Microsoft support article which might help:

    SSL Self Signed Fall Back Certificate

    SSL Self Signed Fallback 1024 bit certificate

    Error message when you use SSL for connections to SQL Server

    Best Regards,

    Amelia


    Monday, January 6, 2020 3:17 AM
  • Hi :-)

    I might be mistaken, but I think these links present how to implement the solution manually, but my understanding is that the OP knows this part and he is looking for a way to do it on multiple instances on different machines. For this, I think the solution is using a script (PowerShell, for example).

    >> "I know how to solve this manually by using Sql Server Configuration Manager, but is there a way to push this out to all the machines"


    Ronen Ariely

    Monday, January 6, 2020 6:49 AM
    Moderator
  • Ronen

    Correct, I'm looking for a group policy or PowerShell script to push this out to a large number of machines.  I haven't done a lot of PowerShell, so any example code will help out a lot.

    Thanks

    Tuesday, January 7, 2020 3:37 PM
  • Me Too :-)

    I always solve what I need using PowerShell when it fits PowerShell, but I will not consider myself a PowerShell expert 🙄

    Anyway, I usually do not like to provide full code and I prefer the OP (you in this case) to learn, and therefore guiding him is better than providing code for copy/paste.

    Did you check the links I gave you?
    According to my short read, these should give you a way to the solution.


    Ronen Ariely

    Tuesday, January 7, 2020 11:04 PM
    Moderator
  • Yes, I've checked the links and started to work with them to see if I can get them to work.
    Wednesday, January 8, 2020 3:36 PM