
It is possible to configure the SQL Server encryption mode as Strict rather than Mandatory. Unlike other versions of SQL Server and ODBC drivers, where you could only specify whether you wanted encryption or not, the choice has been changed from True/False or yes/no to Optional/Mandatory/Strict. However, I can't find what exactly the Strict mode is. Are there any additional checks, or how is it different from Mandatory? It seems to apply only to SQL Server 2022 and ODBC Driver 18.0. One thing I noticed is that it allows me to specify the hostname to expect in the SQL Server certificate and the path to the certificate itself. Does it force the connection to use TLS 1.3? Are there any other changes?


1 Answer

I think it is already outlined in the question, but I'll mention it here:

  • The strict mode supports the TDS 8 protocol for communication between client and server, and this protocol is better aligned with TLS. The messages are always encrypted during the various phases of communication.
  • It is also compatible with TLS 1.3; however, TLS 1.2 is also supported.
  • The encrypt option in the connection string is no longer a binary yes/no or true/false, but can also accept optional/mandatory/strict, where optional is the same as no/false and mandatory is yes or true.
  • The TrustServerCertificate option in the connection string is ignored, and the certificate is always validated.
  • The strict mode is supported starting with SQL Server 2022, ODBC Driver 18 for SQL Server, and JDBC Driver 11.2.
  • The ServerCertificate option allows you to specify a path to the certificate of the server. If it is missing, the certificate is validated against a truststore. The Windows Certificate Trust Store is used for ODBC and the Java truststore for JDBC.
  • The HostNameInCertificate option allows you to specify a hostname to validate in the certificate, but if the option is not specified, the actual server is checked.

Additional links:

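The answer lists the connection-string keywords involved (Encrypt, TrustServerCertificate, HostNameInCertificate, ServerCertificate) but does not show what a weak string looks like next to a hardened one. The following is an added example, not code from the question or the answer: a small hypothetical audit helper that parses an ODBC Driver 18 for SQL Server connection string, reports settings that weaken transport security, and emits the string rewritten to Encrypt=strict with TrustServerCertificate removed (the answer notes it is ignored in strict mode). The sample connection strings, the finding texts and the function names are constructed for this example; the keyword names are the ones discussed above.

```python
"""Audit a SQL Server ODBC connection string for its encryption settings.

Hypothetical helper written for this page; it is not part of the driver.
Keyword names (Encrypt, TrustServerCertificate, HostNameInCertificate) are
the ones the answer above describes; findings and samples are constructed.
"""
import ipaddress
import re

# Key=Value pairs separated by ';'. A brace-wrapped value, as in
# Driver={ODBC Driver 18 for SQL Server}, may itself contain ';' or spaces.
CONN_RE = re.compile(r"\s*([^=;]+?)\s*=\s*(\{[^}]*\}|[^;]*)\s*(?:;|$)")


def parse_conn_str(conn):
    """Return [(key, value), ...], preserving order and key case."""
    pairs = []
    for m in CONN_RE.finditer(conn):
        key, val = m.group(1), m.group(2).strip()
        if val.startswith("{") and val.endswith("}"):
            val = val[1:-1]
        pairs.append((key, val))
    return pairs


def build_conn_str(pairs):
    """Inverse of parse_conn_str; re-brace values that need it."""
    parts = []
    for key, val in pairs:
        if ";" in val or " " in val:
            val = "{" + val + "}"
        parts.append(f"{key}={val}")
    return ";".join(parts)


def _is_ip_literal(server):
    host = server.split(",")[0]  # drop ',port'
    if host.lower().startswith("tcp:"):
        host = host[4:]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit(conn):
    """Return (findings, hardened_conn_str)."""
    pairs = parse_conn_str(conn)
    opts = {k.lower(): v for k, v in pairs}
    enc = opts.get("encrypt", "").lower()
    tsc = opts.get("trustservercertificate", "").lower()
    findings = []

    if enc in ("no", "false", "optional"):
        findings.append(f"Encrypt={enc} allows the session to run without TLS; use Encrypt=strict.")
    elif enc in ("yes", "true", "mandatory"):
        # mandatory encrypts the session, but the TLS handshake is carried
        # inside the TDS 7.x exchange; strict (TDS 8) is TLS from the first byte.
        findings.append(f"Encrypt={enc} encrypts the session but not the initial TDS exchange; prefer Encrypt=strict.")
    elif enc == "":
        findings.append("Encrypt is not set explicitly; set Encrypt=strict.")

    if tsc in ("yes", "true"):
        if enc == "strict":
            findings.append("TrustServerCertificate is ignored in strict mode; remove it so the string is not misleading.")
        else:
            findings.append("TrustServerCertificate=yes disables certificate validation, so any certificate is accepted.")

    # Strict always validates the name; with an IP literal as Server the
    # comparison is against that IP unless HostNameInCertificate names the host.
    if _is_ip_literal(opts.get("server", "")) and "hostnameincertificate" not in opts:
        findings.append("Server is an IP literal; set HostNameInCertificate to the name the certificate was issued for.")

    hardened, have_encrypt = [], False
    for key, val in pairs:
        low = key.lower()
        if low == "trustservercertificate":
            continue  # ignored under strict; drop it rather than carry a no-op
        if low == "encrypt":
            val, have_encrypt = "strict", True
        hardened.append((key, val))
    if not have_encrypt:
        hardened.append(("Encrypt", "strict"))
    return findings, build_conn_str(hardened)


# Constructed sample strings (no real hosts).
WEAK = ("Driver={ODBC Driver 18 for SQL Server};Server=10.0.0.5,1433;"
        "Database=app;Encrypt=optional;TrustServerCertificate=yes")
STRICT_WITH_NOOP = ("Driver={ODBC Driver 18 for SQL Server};Server=sql01.corp.example;"
                    "Encrypt=strict;TrustServerCertificate=yes;HostNameInCertificate=sql01.corp.example")

if __name__ == "__main__":
    for sample in (WEAK, STRICT_WITH_NOOP):
        found, fixed = audit(sample)
        print("input:   ", sample)
        for f in found:
            print("  -", f)
        print("hardened:", fixed, "\n")
```

The hardened string only changes what can be changed mechanically; the HostNameInCertificate finding is reported but not auto-filled, because the expected name has to come from the certificate actually deployed on the server.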