SQL Server 2014 Disable SSL/TLS


Your security group probably means "disable SSLv3 and TLSv1.0 because they are old and have known vulnerabilities; use TLSv1.1 or newer instead." This is not the same as disabling all encryption. Check with them first, but I cannot believe they would want you forcing plain-text database connections.

Microsoft products like IIS, Terminal Services, and SQL Server use Windows' SCHANNEL library for doing TLS. You can configure it in the Registry by following the guide in KB187498. More information can be found in this article on the MSDN Unleashed blog.

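A scripted form of the SCHANNEL registry change the answer describes, added here as an illustration rather than code from the original answer. It assumes the key layout documented in KB187498 (a Server and a Client subkey per protocol, each holding Enabled and DisabledByDefault DWORD values) and leaves the TLS 1.1 and 1.2 entries untouched.

```powershell
# Added illustration, not code from the original answer. Disables SSL 3.0 and
# TLS 1.0 in SCHANNEL for both roles and then lists the state of every protocol
# key. Run in an elevated PowerShell; the change applies after a reboot.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Name,   # e.g. 'TLS 1.0'
        [Parameter(Mandatory)][bool]$Enabled
    )
    # The same setting is written for the listening (Server) side, which is what
    # the nmap scan sees on 1433 and 3389, and for the outbound (Client) side.
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path (Join-Path $base $Name) $role
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 turns the protocol off; DisabledByDefault=1 keeps callers that
        # do not name a protocol explicitly from negotiating it.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # One row per protocol and role. A missing key or value means SCHANNEL is
    # using the operating system default for that protocol.
    foreach ($name in $protocols) {
        foreach ($role in 'Server', 'Client') {
            $key = Join-Path (Join-Path $base $name) $role
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            $row = [ordered]@{ Protocol = $name; Role = $role }
            foreach ($value in 'Enabled', 'DisabledByDefault') {
                $row[$value] = if ($props -and $null -ne $props.$value) { $props.$value } else { 'default' }
            }
            [pscustomobject]$row
        }
    }
}

# Turn off only the two protocols the scan flagged; TLS 1.1 and 1.2 stay as they are.
Set-SchannelProtocol -Name 'SSL 3.0' -Enabled $false
Set-SchannelProtocol -Name 'TLS 1.0' -Enabled $false
Get-SchannelProtocolState | Format-Table -AutoSize
```

Reboot afterwards and re-run the nmap check from the question to confirm only TLS 1.1 or newer is offered on 1433 and 3389. If the app server then fails to connect, its SQL client is the side that lacks TLS 1.1+ support, as the last comment below points out.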


Author: dipanshu bahuguna

Updated on September 18, 2022

Comments

  • dipanshu bahuguna almost 2 years

    I am running SQL Server 2014 on Server 2012 R2. Both are updated and current. I did a clean install of both and nothing else. I then requested VPN access for an offsite vendor and our security group informed me that SSLv3 and TLSv1.0 needed to be disabled. (No idea how they got enabled; I have done nothing certificate-related on this machine.)

    I then ran IISCrypto and disabled the two protocols. It passed the security scan and I proceeded; I thought everything was good to go. Now I'm having a lot of issues getting the app server to connect to SQL. I think it would be better if I could just disable all of the TLS/SSL stuff on 1433. But when I check SQL Config Mgr, Force Encryption = No and no certificates are loaded.

    I also tried to disable everything in IISCrypto, but that broke RDP.

    When I run this command:

        nmap --script ssl-enum-ciphers localhost

    Both 1433 ms-sql-s and 3389 ms-wbt-server have the SSL/TLS stuff; everything else just has the port/tcp open. I would like to know how to get SQL / 1433 to no longer show up as using SSL/TLS and RDP to still work. I do not want to load any certificates or use SQL encrypted. How do I get the flag to go away that is reporting that it's turned on?

  • dipanshu bahuguna over 6 years
    Yea, I've done that. Both manually and with IISCrypto. If I disable TLSv1.0 the app stops working. I guess I thought that the fact it was showing up with nmap meant I should have an SSL/TLS certificate loaded and encryption turned on, which isn't the case.
  • bonsaiviking over 6 years
    @Ty. Then it's the client that doesn't support TLSv1.1 or newer.