Is there a way to change the SSL Protocol support in MSSQL express 2012 on windows 2008R2 ? I want to change the protocol from SSL3 to TLS (1.0,1.1,1.2), after hours of looking I cant find information on the subject.
Asked
Active
Viewed 7,525 times
3 Answers
3
In general, SQL Server is using Windows SChannel services for transport encryption. So you should be able to restrict protocols and ciphersuites by manipulating the SCHANNEL-related registry keys in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL.
For details, see KB245030 and the relevant section in Technet Documentation for the Server plattform.
But apparently, SQL Server itself (at least in 2008R2) is restricting the protocols it does negotiate to the insecure variants SSLv3 and TLS1.0 which, as bad as it sounds, likely is happening for compatibility reasons (client libraries must be able to cope with the protocols and encryption grades the server is offering).
This might have changed in SQL Server 2012, so it might be worth a try disabling SSL3 and TLS1.0, although an unbacked comment in the linked DBA.SE question is stating
SQL Server up to and including 2014 only support TLS 1.0 as of now.
the-wabbit
- 40,737
- 13
- 111
- 174
-
Well, Thats as not what I wanted to hear, but It's apparently the correct answer, I'll release the bounty for you in 24 hours. Thanks – Ba7a7chy Mar 26 '15 at 10:22
3
There is an update to 2012 and 2014 to support TLS 1.2 now. Available here: https://support.microsoft.com/en-us/kb/3052404
Stu2020
- 31
- 1
1
The answer to your question is "No, not directly". You can only make Schannel changes that effect the server "overall". So if you disable SSL 3.0 on the whole server, SQL Server 2012 will stop using it as well. That will leave SQL server only able to use TLS 1.0. You will also have to install a hot fix to get SQL Server to support beyond TLS 1.0. See this KB for that-> https://support.microsoft.com/en-us/kb/3052468
Michael Barber
- 165
- 2
- 3
- 10