
I am running SQL Server 2014 on Server 2012 R2. Both are updated and current. I did a clean install of both and nothing else. I then requested VPN access for an offsite vendor, and our security group informed me that SSLv3 and TLSv1.0 needed to be disabled. (No idea how they got enabled; I have done nothing certificate-related on this machine.)

I then ran IISCrypto and disabled the two protocols. It passed the security scan and I proceeded; I thought everything was good to go. Now I am having a lot of issues getting the app server to connect to SQL. I think it would be better if I could just disable all of the TLS/SSL stuff on 1433. But when I check SQL Config Mgr, Force Encryption = No and no certificates are loaded.

I also tried to disable everything in IISCrypto, but that broke RDP.

When I run this command:

nmap --script ssl-enum-ciphers localhost

Both 1433 ms-sql-s and 3389 ms-wbt-server have the SSL/TLS stuff; everything else just has the port/tcp open. I would like to know how to get SQL / 1433 to no longer show up as using SSL/TLS and RDP to still work. I do not want to load any certificates or use SQL encrypted. How do I get the flag to go away that is reporting that it's turned on?

Ty.
  • Even if you are not encrypting the entire connection, SQL Server still uses encryption for the initial username/password handshake. You cannot avoid this. If your app server is now having problems connecting, then you probably need to update the db driver on the app server. How is your app connecting to SQL Server? OLE DB? SQL Native Client? – StrayCatDBA Feb 22 '18 at 16:38
  • Yea. Anytime I disable TLS v1.0 the app stops working. I've patched SQL server up to the latest version and updated both ODBC and SQL Native Client on the app server. I've reached out to the vendor asking what protocol they are using. I can connect via ODBC with ODBC Driver 11 for SQL and SQL Native Client 11 from the app server. – Ty. Feb 23 '18 at 18:05

1 Answer


Your security group probably means "disable SSLv3 and TLSv1.0 because they are old and have known vulnerabilities; use TLSv1.1 or newer instead." This is not the same as disabling all encryption. Check with them first, but I cannot believe they would want you forcing plain-text database connections.

Microsoft products like IIS, Terminal Services, and SQL Server use Windows' SCHANNEL library for doing TLS. You can configure it in the Registry by following the guide in KB187498. More information can be found on this article on the MSDN Unleashed blog.

bonsaiviking
  • Yea, I've done that. Both manually and with IISCrypto. If I disable TLSv1.0 the app stops working. I guess I thought that the fact it was showing up with nmap that it meant I should have a SSL/TLS certificate loaded and encryption turned on, which isn't the case. – Ty. Feb 23 '18 at 18:08
  • @Ty. Then it's the client that doesn't support TLSv1.1 or newer. – bonsaiviking Feb 24 '18 at 02:54
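As an added example (not part of the question or answer above), here is a PowerShell script that audits the server-side SCHANNEL protocol settings the answer points at and, with -Apply, disables SSL 2.0/3.0 and TLS 1.0 while keeping TLS 1.1 and TLS 1.2 enabled. It assumes an elevated session on Windows Server 2012 R2 and a reboot afterwards; it does nothing for a client driver that only speaks TLS 1.0, which is the failure the comments describe.

```powershell
# Added example: audit (and optionally harden) SCHANNEL server-side protocols.
# Run elevated on Windows Server 2012 R2; SCHANNEL reads these keys at boot,
# so reboot after applying. Without -Apply the script only reports.
param([switch]$Apply)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state for incoming (Server) connections: legacy off, TLS 1.1/1.2 on.
$desired = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $true
    'TLS 1.2' = $true
}

function Get-SchannelServerState {
    param([string]$Protocol)
    $key = Join-Path $base "$Protocol\Server"
    # A missing key means the OS default applies (on 2012 R2: SSL 3.0 through TLS 1.2 enabled).
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Protocol = $Protocol; Enabled = 'default'; DisabledByDefault = 'default' }
    }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Protocol          = $Protocol
        Enabled           = $(if ($null -ne $p.Enabled) { $p.Enabled } else { 'default' })
        DisabledByDefault = $(if ($null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { 'default' })
    }
}

function Set-SchannelServerState {
    param([string]$Protocol, [bool]$Enable)
    $key = Join-Path $base "$Protocol\Server"
    New-Item -Path $key -Force | Out-Null
    # Disabled: Enabled=0, DisabledByDefault=1.  Enabled: Enabled=1, DisabledByDefault=0.
    New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value ([int]$Enable) -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value ([int](-not $Enable)) -Force | Out-Null
}

Write-Host 'Current server-side SCHANNEL protocol settings:'
$desired.Keys | ForEach-Object { Get-SchannelServerState $_ } | Format-Table -AutoSize

if ($Apply) {
    foreach ($proto in $desired.Keys) { Set-SchannelServerState -Protocol $proto -Enable $desired[$proto] }
    Write-Host 'Applied. Reboot, then re-check with: nmap --script ssl-enum-ciphers -p 1433,3389 <host>'
    $desired.Keys | ForEach-Object { Get-SchannelServerState $_ } | Format-Table -AutoSize
}
```

After the reboot, a rerun of the nmap scan from the question should list only TLSv1.1 and TLSv1.2 on 1433 and 3389; if the app still cannot connect at that point, the client driver, not the server, is what still needs updating.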