SQL Server 2014 enabling TLS 1.1 along with TLS 1.2

I have a Windows Server 2012 R2 which is a DC with SQL Server 2014 (Express) updated to the latest SP2 with CU10 12.2.5571.0 (testing environment). I disabled all protocols except TLS1.1 and TLS1.2 by setting the registry keys in the path:

HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.

I initially enabled only TLS1.2 but I need also TLS1.1 for backward compatibility with a Java application which run on another machine of the same domain. In order to use TLS1.2 a specific JDBC driver is needed and a property must be provided to the JDBC url (see the discussion here).

In the meanwhile I want to let the application work with TLS1.1 so I re-enabled it. However the application can't connect to the database and it seems like TLS1.1 is not used by the SQL Server. In order to test the connection i tried the following commands:

1) openssl s_client -connect <Server IP>:1433 -ssl3

2) openssl s_client -connect <Server IP>:1433 -tls1_1

3) openssl s_client -connect <Server IP>:1433 -tls_1_2

The test 1) fails as expected (handshake failure) while the test 2) takes several time (about 30 seconds or more) to produce the response which is successful. The test 3) produce a successful output as expected.

I also tried using Management Studio from the client machine and the connection only works if TLS1.2 is enabled on both the client and server. Otherwise if only TLS1.1 is enable the following error is displayed:

A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The client and server cannot communicate, because they do not possess a common algorithm.)

How can it possible ?

Do I need to force something on the Secure Channel ?

Why does the SQL Server doesn't allow TLS1.1 connections anymore ?

Thanks Ricardo but the problem is not related to cipher suites. The problem is related to the TLS protocol. If TLS1.2 is disabled I can't connect even by using SQL Management Studio (with sa account). I read in this support.centrestack.com/hc/en-us/articles/… that disabling SHA-1 algoritm imply disabling TLS1.1. So I tried re-enabling SHA but the connection still fails if TLS1.2 is disabled. So it seems like TLS1.1 doesn't work properly on newer SQL Server versions.

I renamed the Ciphers key so that all disabled ciphers were enabled again and I was able to connect with Management Studio even if TLS1.2 was disabled. Anyway the JDBC driver is still unable to connect to the same server. The same JDBC driver and application works if I put in the JDBC Url the address of an old SQL server. So it's definitively the latest SQL Server version that doesn't handle correctly the TLS1.1 connections.

Disabling SHA-1 does not disables TLS 1.1 that is incorrect. Renaming the ciphers key will affect ALL protocols! You wont be able to connect using... does not matter what tool you use because you disabled it at the OS level. Stop messing with the registry, specially if you dont fully understand those keys; please use IIS Crypto instead. Also, make sure you patched your SQL Server and added support for TLS 1.2 support.microsoft.com/en-us/help/3135244/…

As stated in the answer; protocol and algorithm are not the same thing: A protocol is used to negotiate a ciphers/algorithms, and to exchange keys.

The server is already at the latest patch level as weel as all the components including ODBC, .NET etc ... as stated in the post TLS1.2 works as soos as I use the right JDBC driver but the problem appears when TLS1.2 is disabled (The Java application only works in TLS1.1 ).

Renaming the ciphers key means that the default values are restored. There were no cipher keys before that I added them.