Sql Server 2016: Enable TLS 1.2 for SQL Server Connection

RanPaul · Feb 16, 2018 · Viewed 19.7k times

I have SQL Server 2016 running on Windows 2012 R2. I applied the patch for TLS 1.2 support and rebooted the VM: https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server. I do see TLS 1.2 being enabled using the IISCrypto tool on the SQL Server VM.

We have a Java 8 web application, and we've forced the web application to use only TLS 1.2 using the JVM argument -Djdk.tls.client.protocols="TLSv1.2" (if I remove this JVM argument, the application connects to SQL Server fine), but we are seeing the error below even though TLSv1.2 is enabled for SQL Server:

org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Server chose TLSv1, but that protocol version is not enabled or not supported by the client.". ClientConnectionId:7564b6a1-60c0-4a24-8baa-7bd21f9512cf)  

We also have a .NET 2.0 Windows service (only TLS 1.2 is enabled in the registry) which is also failing to connect to SQL Server 2016:

System.Data.OleDb.OleDbException: [DBNETLIB][ConnectionOpen (SECCreateCredentials()).]SSL Security error.
at System.Data.OleDb.OleDbConnectionInternal..ctor(OleDbConnectionString constr, OleDbConnection connection)
at System.Data.OleDb.OleDbConnectionFactory.CreateConnection(DbConnectionOptions options, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningObject)
at System.Data.ProviderBase.DbConnectionFactory.CreateNonPooledConnection(DbConnection owningConnection, DbConnectionPoolGroup poolGroup)
at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory)
at System.Data.OleDb.OleDbConnection.Open()

But if I enable SSL 3.0 and TLS 1.0 in the registry, the .NET 2.0 Windows service connects to SQL Server 2016 fine.

I suspect the issue is SQL Server not using TLSv1.2 even though TLSv1.2 is enabled on the SQL Server VM. Can someone please tell me whether any more config or patches need to be applied for SQL Server to support TLSv1.2?

Answer

Murat Yıldız · Feb 27, 2018

Microsoft Windows Server stores information about different security-enhanced channel protocols that Windows Server supports. This information is stored in the following registry key:

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

Typically, this key contains the following subkeys:

PCT 1.0, SSL 2.0, SSL 3.0, TLS 1.0 ...

Each key holds information about the protocol for the key. Any one of these protocols can be enabled at the server. To do this, you create a new DWORD value in the Server subkey of the protocol. You set the DWORD value to "1".

Important: Back up the registry before you modify it. Then, you can restore the registry if a problem occurs.

To enable the TLS 1.x protocol follow these steps:

Click Start, click Run, type regedt32 or type regedit, and then click OK. In Registry Editor, locate the following registry key:

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.x\Server

On the Edit menu, click Add Value. In the Data Type list, click DWORD. In the Value Name box, type Enabled, and then click OK.

Note: If this value is present, double-click the value to edit its current value.

Type 11111111 in Binary Editor to set the value of the new key equal to "1". Click OK. Restart the computer.

Hope this helps...
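The registry procedure in the answer above, scripted and followed by a read-back so the setting can be checked before the reboot. This is an added example, not code from the question or the answer; it assumes an elevated PowerShell session on the SQL Server host and uses the SCHANNEL\Protocols key path the answer gives. The DisabledByDefault value is a second SCHANNEL value that the answer does not mention; it is included because a protocol subkey with DisabledByDefault = 1 stays off even when Enabled = 1.

```powershell
# Added example (not from the question or answer): enable one TLS version in
# SCHANNEL for both the Server and Client side of the machine, then list the
# effective values for every protocol subkey present.
# Assumes: elevated PowerShell on the SQL Server host (Windows 2012 R2 or later).

$protocol = 'TLS 1.2'   # any SCHANNEL protocol subkey name, e.g. 'TLS 1.1'
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

foreach ($side in 'Server', 'Client') {
    $key = Join-Path (Join-Path $base $protocol) $side
    if (-not (Test-Path $key)) {
        # Create the TLS 1.x\Server (or \Client) subkey if it does not exist yet.
        New-Item -Path $key -Force | Out-Null
    }
    # Enabled = 1 (REG_DWORD) is the value the answer describes.
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 1 -Force | Out-Null
    # DisabledByDefault = 0 is not in the answer; it is a known SCHANNEL value
    # that would otherwise keep the protocol off despite Enabled = 1.
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null
}

# Verification: one row per <Protocol>\<Server|Client> subkey currently present.
Get-ChildItem -Path $base -Recurse |
    Where-Object { $_.PSChildName -in 'Server', 'Client' } |
    ForEach-Object {
        $values = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Protocol          = Split-Path -Path $_.PSParentPath -Leaf
            Side              = $_.PSChildName
            Enabled           = $values.Enabled
            DisabledByDefault = $values.DisabledByDefault
        }
    } | Format-Table -AutoSize

# SCHANNEL reads these values at startup: restart the machine afterwards,
# as the answer says, before re-testing the SQL Server connection.
```

A row missing from the verification table simply means that protocol subkey does not exist, which SCHANNEL treats as the OS default for that protocol. The registry change only covers the Windows SCHANNEL side; SQL Server 2016 still needs the TLS 1.2 update referenced in the question to negotiate TLS 1.2 for its own connections.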