How do I disable TLS 1.0 without breaking MS SQL & RDP on Windows Server 2008 R2?

If I simply disable it, RDP stops working along with MS SQL. Tried googling but I can't find a solution. Is this just not doable?

Tomas Beblar

2 Answers

At the moment it seems not possible until Microsoft adds support for TLS 1.2 to the mentioned services.

I assume your "e-commerce server" is a webshop based on IIS. You could offload your SSL/TLS work to a frontend/reverse/accelerator proxy like Squid or Nginx. The traffic flow will look as follows:

Client --{SSL}-- proxy --{http}-- IIS

Maybe this document will help you: nginx reverse proxy, ssl offloading, caching and pagespeed all in one.

Your advantages in this setup are:

  • Offload SSL/TLS-Work to another machine
  • SSL/TLS-Ciphers can be chosen on the proxy
  • Encryption does not affect your IIS
  • Cacheable content will be delivered from the proxy once it is cached and valid

But there are some disadvantages as well:

  • Your "e-commerce-app" does not know if it is reached over SSL or HTTP.
  • Some testing and/or debugging should be done to avoid endless redirects between HTTP and HTTPS
Martin Seitl
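Whichever way the TLS termination ends up being done, the thing to verify afterwards is what the public endpoint actually negotiates. The following is an added example, not code from the answer above or from any of the projects it mentions: a small PowerShell probe that opens a TLS handshake with one specific protocol version and reports whether the server accepted it. `$ProxyHost` and `$Port` are assumptions to replace with your own proxy endpoint; run it from a workstation with .NET 4.5 or later so that `Tls11` and `Tls12` are available as `SslProtocols` values.

```powershell
# Added example: probe which TLS versions a front-end proxy (or IIS itself)
# still accepts, so you can confirm TLS 1.0 is really off on the public side.
# $ProxyHost / $Port are placeholders for your own endpoint.
function Test-TlsProtocol {
    param(
        [Parameter(Mandatory = $true)][string]$ProxyHost,
        [int]$Port = 443,
        [Parameter(Mandatory = $true)]
        [System.Security.Authentication.SslProtocols]$Protocol
    )

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ProxyHost, $Port)

        # Certificate validation is deliberately accepted here: the question
        # being asked is "is this protocol version accepted", not "is the
        # certificate trusted". Do not reuse this callback in real clients.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)

        # Offer exactly one protocol version; a server that has it disabled
        # will abort the handshake and AuthenticateAsClient throws.
        $ssl.AuthenticateAsClient($ProxyHost, $null, $Protocol, $false)
        $result = New-Object PSObject -Property @{
            Protocol = $Protocol
            Accepted = $true
            Detail   = "negotiated $($ssl.SslProtocol), cipher $($ssl.CipherAlgorithm)"
        }
        $ssl.Dispose()
    }
    catch {
        $result = New-Object PSObject -Property @{
            Protocol = $Protocol
            Accepted = $false
            Detail   = $_.Exception.Message
        }
    }
    finally {
        $client.Close()
    }
    return $result
}

# Usage: after restricting the proxy to TLS 1.2, only the last line should report Accepted = True.
foreach ($p in 'Tls', 'Tls11', 'Tls12') {
    Test-TlsProtocol -ProxyHost 'shop.example.invalid' -Port 443 -Protocol $p |
        Select-Object Protocol, Accepted, Detail
}
```

The probe tests one version per connection on purpose: a client that offers several versions at once will simply negotiate the highest common one and tell you nothing about whether the older ones are still enabled. Point it at the proxy's public address, not at the IIS box behind it, since the whole point of the offloading setup is that the backend keeps speaking plain HTTP.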

As of Jan 29, 2016, Microsoft has released TLS 1.2 support for SQL Server 2008, 2008 R2, 2012 and 2014 server components and also for the client components.

Check the following article: https://blogs.msdn.microsoft.com/sqlreleaseservices/tls-1-2-support-for-sql-server-2008-2008-r2-2012-and-2014/

Regarding the RDP connection, BEFORE you disable TLS 1.0 you should make sure that the default security layer in RDP is set to Negotiate which supports both SSL (TLS 1.0) and the RDP Security Layer. If you set the security layer to SSL (TLS 1.0) and disable TLS 1.0 you will be unable to connect to RDP.

To check your settings, open Remote Desktop Session Host Configuration in Administrative Tools and double click RDP-Tcp under the Connections group. If it is set to SSL (TLS 1.0), make sure that you do not disable TLS 1.0 until after you set this to Negotiate or RDP Security Layer.
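The same check can be done without clicking through the Session Host Configuration snap-in. The script below is an added example, not part of the answer above: it reads the RDP-Tcp security layer through the `Win32_TSGeneralSetting` WMI class, reads the current SCHANNEL TLS 1.0 server setting from the registry, and reports whether switching TLS 1.0 off would lock RDP out. The `Set-RdpSecurityLayerNegotiate` helper is included as an assumption about how one would change the setting from PowerShell; run the whole thing in an elevated prompt on the server itself.

```powershell
# Added example: pre-flight check on Windows Server 2008 R2 before disabling TLS 1.0.
# Win32_TSGeneralSetting.SecurityLayer: 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL (TLS 1.0)
$script:SecurityLayerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }

function Get-RdpTcpSetting {
    Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                  -Class Win32_TSGeneralSetting `
                  -Filter "TerminalName='RDP-Tcp'"
}

function Get-RdpSecurityLayer {
    $layer = (Get-RdpTcpSetting).SecurityLayer
    if ($script:SecurityLayerNames.ContainsKey([int]$layer)) { $script:SecurityLayerNames[[int]$layer] }
    else { "Unknown ($layer)" }
}

function Get-SchannelTls10ServerState {
    # When the key or the Enabled value is absent, Windows falls back to its
    # built-in default, which on 2008 R2 means TLS 1.0 is enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'
    if (-not (Test-Path $key)) { return 'Default (enabled)' }
    $enabled = (Get-ItemProperty -Path $key).Enabled
    if ($null -eq $enabled)  { 'Default (enabled)' }
    elseif ($enabled -eq 0)  { 'Disabled' }
    else                     { 'Enabled' }
}

function Test-SafeToDisableTls10 {
    $layer = Get-RdpSecurityLayer
    New-Object PSObject -Property @{
        RdpSecurityLayer   = $layer
        Tls10ServerSetting = Get-SchannelTls10ServerState
        # Only the fixed "SSL (TLS 1.0)" layer breaks when TLS 1.0 goes away;
        # Negotiate and RDP Security Layer can still fall back.
        SafeToDisableTls10 = ($layer -ne 'SSL (TLS 1.0)')
    }
}

function Set-RdpSecurityLayerNegotiate {
    # Assumed approach: the WMI class exposes SetSecurityLayer(); 1 = Negotiate.
    # The change is picked up for new RDP sessions without a reboot.
    $rc = (Get-RdpTcpSetting).SetSecurityLayer(1)
    if ($rc.ReturnValue -ne 0) { throw "SetSecurityLayer failed with code $($rc.ReturnValue)" }
    Get-RdpSecurityLayer
}

# Usage: run the check first; only disable TLS 1.0 once SafeToDisableTls10 is True.
Test-SafeToDisableTls10 | Select-Object RdpSecurityLayer, Tls10ServerSetting, SafeToDisableTls10
# If it reports 'SSL (TLS 1.0)', switch the layer before touching SCHANNEL:
# Set-RdpSecurityLayerNegotiate
```

Keep an out-of-band console (iLO/DRAC, Hyper-V console, or similar) open while making the SCHANNEL change anyway: the check covers the server-side layer setting, but a client that itself can only speak TLS 1.0 and refuses the RDP Security Layer fallback will still fail to connect.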