Tuesday, January 09, 2018

SQL Server on TLS 1.2: Checklist to disabling TLS 1.1 and 1.0

A common finding in security audits these days is the failure to conduct all communications via TLS 1.2. (Correspondingly, a common cause for sudden SQL Server application connectivity failures is a sysadmin's inadvisable, reckless deactivation of TLS 1.0 and 1.1 on a server. Been there.)

News August 2023TLS 1.0 and TLS 1.1 soon to be disabled in Windows, raising the importance of being aware of any outdated connection providers that are reliant on TLS 1.0 or 1.1. Make an effort to update to TLS 1.2 or 1.3.

Moving SQL Server connections to TLS 1.2 is not solely (or even mostly) a SQL server change. We need to get all application/vendor developers in the loop to make the transition to TLS 1.2, apply a lot of .NET version-specific patches, and more.

Disabling TLS 1.0 and 1.1 on the Windows Server that runs the SQL instance is definitely something a lot of security-sensitive folks are wanting to do (what's TLS anyway?), but they’re often hamstrung by the applications connecting to the SQL server, or by features inside SQL Server itself that have been configured to use legacy algorithms or version settings.

Contrary to some opinion out there, connections will not use the lowest common denominator allowed by the server and the application's client. Connections will use TLS 1.2 if possible. This is usually a limitation of the application connectivity client or .NET framework version. But if you want to prevent (and therefore break/expose) connections from using TLS 1.0 or TLS 1.1, you need to disable TLS 1.0 and 1.1. This is the only way to make sure you're sniffing out the insecure connections.

We definitely need to test this out in pre-production before any production changes. The list of things needed to get onboard with TLS 1.2 could be lengthy, but it’s a worthwhile endeavor. An initial checklist to consider:

  • If using SQL Server prior to 2016, patch SQL Server. Info here
  • Any clients that use the .NET framework and ADO.NET connectors will need to get up to .NET Framework 4.6 to use TLS 1.2. See the "Additional fixes needed for SQL Server to use TLS 1.2" in this same link as above. There are patches for other connectivity platforms like ODBC and JDBC as well that are needed for both the client and servers. 
    • The clients/webservers/appservers, and the SQL Server will ALL need these .NET patches. There are patches needed for frameworks starting with .NET Framework 3.5 for TLS 1.2, again see link above.
    • For example, SQL Server Database Mail still uses .NET Framework 3.5 SP1, which needs a specific patch to allow TLS 1.2. See above link for OS-specific links.
  • You need to change registry keys on the Windows Server.
    • On operating systems prior to Windows 8/Server 2012, to enable TLS 1.2 you need to add keys, and modify existing keys to disable TLS 1.0 and 1.1. 
    • Starting with Windows 8 and later and Windows Server 2012 and later, TLS 1.2 is already enabled, and you need to add registry keys to disable TLS 1.0 and 1.1.
    • Keys here
    • Or, you can use a free tool like Nartac IIS Crypto to manage the registry edits for you.
    • Note that a reboot is required to make the registry changes take effect.
  • Anything in SQL Server that is encrypted using MD5 algorithms should probably be changed anyway (certificates, database keys, and endpoints for example) but it’s definitely going to be required for TLS 1.2. In fact, starting with SQL Server 2016, all algorithms other than AES_128, AES_192, and AES_256 are deprecated.
  • SQLOLEDB will not receive support for TLS 1.2, so some connections using the OLEDB driver (as opposed to ODBC, Native Client, or ADO.NET) will need to be rewritten. should be replaced by the new MSOLEDBSQL OLEDB driver, released in 2018
    • The 'Microsoft.ACE.OLEDB.12.0' provider continues to work, apparently. 
    • Linked server connections using @provider='SQLOLEDB' will continue to work, because this actually uses the 'SQLNCLI' provider, the SQL Native Client. Edit: The SNAC is no longer maintained, this should also be migrated to either the new MSOLEDBSQL or the new ODBC drivers actively maintained.  The SQL Server Native Client (often abbreviated SNAC) has been removed from SQL Server 2022 and SQL Server Management Studio 19 (SSMS).
    • For ODBC connections, I recommend using the latest ODBC Driver for SQL Server, not the ODBC functionality of the SQLNCLI/SQLNCLI11 or SQL Native Client (deprecated).
  • For SSRS, we also need to make sure SSRS is using only HTTPS. Again the above .NET framework components need to be updated on the SSRS server and application servers. More info here.      
Update: Next up? SQL Server 2022 introduced support for Transport Layer Security (TLS) 1.3 when TDS 8.0 is used

How can you tell what version of TLS is currently used for client connections? See my companion blog post on this topic.

Edit: Updated for news about MSOLEDBSQL re: connection providers.

SQL Server on TLS 1.2: XEvent session to catch TLS in use

How can you tell what version of TLS is currently used for client connections? Unfortunately there isn't a handy queryable column in sys.dm_exec_connections, which would be ideal, though there is a Connect item requesting this there is a feedback item requesting this.

For now, you can detect the TLS version with an Extended Events session starting with Service Pack 1 for SQL Server 2016 and Service Pack 4 for SQL Server 2012. You'll see the event "trace" in the channel Debug, which returns information from the SQL Network Interface (SNI) layer. (Note that the Debug Channel is not checked/displayed by default in the SSMS Extended Events search dialogue.)

See example below from SSMS.


Start your new XEvents session, then look for captured SSL Handshake events (function_name = Ssl:Handshake), which will contain the protocol, cipher, cipher strength, hash algorithm, and hash strength.

See example below.


Unfortunately, this event does not capture any other information about the login except for the Peer IP Address at the end of the "text" field, what you see in the screenshot above. Application and client information hasn't been exchanged yet with the SQL Server, so other fields are not populated. You can filter out the other SQL Network Interface (SNI) noise with a filter on your Extended Events session, to find successful and failed handshakes and their protocol.

See sample TSQL script to create the session below.

CREATE EVENT SESSION [tls] ON SERVER

ADD EVENT sqlsni.trace(

    WHERE ([sqlserver].[like_i_sql_unicode_string]([text],N'%Handshake%')))
You could for example set up a lightweight xevent session to look for TLS 1.0 and TLS 1.1 activity:

CREATE EVENT SESSION [tls] ON SERVER
ADD EVENT sqlsni.trace(
    WHERE (([sqlserver].[like_i_sql_unicode_string]([text],N'%Handshake%TLS1.0%'))
 OR ([sqlserver].[like_i_sql_unicode_string]([text],N'%Handshake%TLS1.1%'))
--OR ([sqlserver].[like_i_sql_unicode_string]([text],N'%Handshake%TLS1.2%'))
))
ALTER EVENT SESSION [tls] ON SERVER
ADD TARGET package0.ring_buffer(SET max_events_limit=(100000),max_memory=(10240))
 WITH (MAX_MEMORY=10240 KB,STARTUP_STATE=ON)
GO
ALTER EVENT SESSION tls ON SERVER STATE = START;


What should I do to get my SQL Server only using TLS 1.2, and why? See my companion blog post on this topic.