Sql Server 2016: Enable TLS 1.2 for SQL Server Connection

I have SQL Server 2016 running on Windows 2012 R2. I applied the patch for TLSv1.2 support (https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server) and rebooted the VM. I do see TLS 1.2 being enabled using the IISCrypto tool on the SQL Server VM.

We have a Java 8 web application and we've forced it to use only TLS 1.2 using the JVM argument -Djdk.tls.client.protocols="TLSv1.2" (if I remove this JVM argument the application connects to SQL Server fine), but we are seeing the error below even though TLSv1.2 is enabled for SQL Server:

org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Server chose TLSv1, but that protocol version is not enabled or not supported by the client.". ClientConnectionId:7564b6a1-60c0-4a24-8baa-7bd21f9512cf)  

We also have a .NET 2.0 Windows service (only TLSv1.2 is enabled in the registry) which is also failing to connect to SQL Server 2016:

System.Data.OleDb.OleDbException: [DBNETLIB][ConnectionOpen (SECCreateCredentials()).]SSL Security error.
at System.Data.OleDb.OleDbConnectionInternal..ctor(OleDbConnectionString constr, OleDbConnection connection)
at System.Data.OleDb.OleDbConnectionFactory.CreateConnection(DbConnectionOptions options, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningObject)
at System.Data.ProviderBase.DbConnectionFactory.CreateNonPooledConnection(DbConnection owningConnection, DbConnectionPoolGroup poolGroup)
at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory)
at System.Data.OleDb.OleDbConnection.Open()

But if I enable SSL3 and TLS1.0 in the registry, the .NET 2.0 Windows service connects to SQL Server 2016 fine.

I suspect the issue is SQL Server not using TLSv1.2 even though TLSv1.2 is enabled on the SQL Server VM. Can someone please help me if there is any more config or patches that need to be applied for SQL Server to support TLSv1.2?

Microsoft Windows Server stores information about the different security-enhanced channel protocols that Windows Server supports. This information is stored in the following registry key:

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

Typically, this key contains the following subkeys:

PCT 1.0, SSL 2.0, SSL 3.0, TLS 1.0 ...

Each key holds information about the protocol for the key. Any one of these protocols can be enabled at the server. To do this, you create a new DWORD value in the Server subkey of the protocol. You set the DWORD value to "1".

Important: Back up the registry before you modify it. Then, you can restore the registry if a problem occurs.

To enable the TLS 1.x protocol, follow these steps:

Click Start, click Run, type regedt32 or type regedit, and then click OK. In Registry Editor, locate the following registry key:

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.x\Server

On the Edit menu, click Add Value. In the Data Type list, click DWORD. In the Value Name box, type Enabled, and then click OK.

Note: If this value is present, double-click the value to edit its current value.

Type 11111111 in Binary Editor to set the value of the new key equal to "1". Click OK. Restart the computer.

Hope this helps...

Check the involved certificates. One may be invalid.

If the machines validate their certificates, try:

Registry script for disabling stupid encryptions: save this as .reg

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

You'll have to adjust your .NET Framework. If you are actually using .NET 2.0 (old!) the last two keys should be

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001

Here is a .ps1 by Chris Duck to check enabled encryptions:

<#
.DESCRIPTION
  Outputs the SSL protocols that the client is able to successfully use to connect to a server.

.NOTES
  Copyright 2014 Chris Duck
  http://blog.whatsupduck.net

  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.

.PARAMETER ComputerName
  The name of the remote computer to connect to.

.PARAMETER Port
  The remote port to connect to. The default is 443.

.EXAMPLE
  Test-SslProtocols -ComputerName "www.google.com"

  ComputerName       : www.google.com
  Port               : 443
  KeyLength          : 2048
  SignatureAlgorithm : rsa-sha1
  Ssl2               : False
  Ssl3               : True
  Tls                : True
  Tls11              : True
  Tls12              : True
#>
function Test-SslProtocols {
  param(
    [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$true)]
    $ComputerName,

    [Parameter(ValueFromPipelineByPropertyName=$true)]
    [int]$Port = 443
  )
  begin {
    # Every named SslProtocols member except the aggregate Default/None values
    $ProtocolNames = [System.Security.Authentication.SslProtocols] | gm -static -MemberType Property | ?{$_.Name -notin @("Default","None")} | %{$_.Name}
  }
  process {
    $ProtocolStatus = [Ordered]@{}
    $ProtocolStatus.Add("ComputerName", $ComputerName)
    $ProtocolStatus.Add("Port", $Port)
    $ProtocolStatus.Add("KeyLength", $null)
    $ProtocolStatus.Add("SignatureAlgorithm", $null)

    $ProtocolNames | %{
      $ProtocolName = $_
      $Socket = New-Object System.Net.Sockets.Socket([System.Net.Sockets.SocketType]::Stream, [System.Net.Sockets.ProtocolType]::Tcp)
      $SslStream = $null
      try {
        # One fresh TCP connection per protocol version; a single handshake per connection
        $Socket.Connect($ComputerName, $Port)
        $NetStream = New-Object System.Net.Sockets.NetworkStream($Socket, $true)
        $SslStream = New-Object System.Net.Security.SslStream($NetStream, $true)
        $SslStream.AuthenticateAsClient($ComputerName, $null, $ProtocolName, $false)
        $RemoteCertificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]$SslStream.RemoteCertificate
        $ProtocolStatus["KeyLength"] = $RemoteCertificate.PublicKey.Key.KeySize
        $ProtocolStatus["SignatureAlgorithm"] = $RemoteCertificate.SignatureAlgorithm.FriendlyName
        $ProtocolStatus["Certificate"] = $RemoteCertificate
        $ProtocolStatus.Add($ProtocolName, $true)
      } catch {
        # Connect or handshake failed: the server does not accept this protocol version
        $ProtocolStatus.Add($ProtocolName, $false)
      } finally {
        if ($SslStream) { $SslStream.Close() }
        $Socket.Close()
      }
    }
    [PSCustomObject]$ProtocolStatus
  }
}
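The registry steps in the first answer and the .reg script in the second both only take effect if the values actually land under the right keys, and the raw TLS handshake Chris Duck's script performs does not exercise SQL Server's default TDS endpoint (TLS there is negotiated inside the TDS pre-login exchange), so a direct read-back of the registry is the check that applies to the server itself. The following is an added example, not code from either answer or from Chris Duck's script; it reads the SCHANNEL protocol keys and the .NET Framework switches named above and flags any pre-TLS 1.2 protocol the Server side still does not explicitly disable. It assumes an elevated Windows PowerShell session on the SQL Server VM.

```powershell
# Added example, not from the answers or from Chris Duck's script: read back the SCHANNEL
# keys and .NET Framework switches discussed above. Run elevated on the SQL Server VM.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    # One row per protocol and side; the Server side governs what SQL Server's listener offers.
    foreach ($Proto in $Protocols) {
        foreach ($Side in 'Server', 'Client') {
            $Key   = Join-Path $SchannelBase "$Proto\$Side"
            $Props = if (Test-Path $Key) { Get-ItemProperty -Path $Key } else { $null }
            $Enabled           = $Props.Enabled            # $null when the value is absent
            $DisabledByDefault = $Props.DisabledByDefault  # $null when the value is absent
            if ($null -eq $Enabled -and $null -eq $DisabledByDefault) {
                $State = 'not set (OS default applies)'
            } elseif ($Enabled -eq 0) {
                $State = 'disabled'
            } elseif ($DisabledByDefault -eq 1) {
                $State = 'available only if the application requests it'
            } else {
                $State = 'enabled'
            }
            [PSCustomObject]@{
                Protocol = $Proto; Side = $Side; Enabled = $Enabled
                DisabledByDefault = $DisabledByDefault; State = $State
            }
        }
    }
}
function Get-DotNetTlsSwitches {
    # Value names the .reg fragments above set: SchUseStrongCrypto (4.x), SystemDefaultTlsVersions (2.0)
    $Keys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319',
            'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727'
    foreach ($Key in $Keys) {
        $Props = if (Test-Path $Key) { Get-ItemProperty -Path $Key } else { $null }
        [PSCustomObject]@{
            Key                      = $Key
            SchUseStrongCrypto       = $Props.SchUseStrongCrypto
            SystemDefaultTlsVersions = $Props.SystemDefaultTlsVersions
        }
    }
}
Get-SchannelProtocolState | Tee-Object -Variable Schannel | Format-Table -AutoSize
Get-DotNetTlsSwitches | Format-Table -AutoSize
# Anything below TLS 1.2 not explicitly disabled on the Server side can still be negotiated ("Server chose TLSv1").
$Legacy = $Schannel | Where-Object { $_.Side -eq 'Server' -and $_.Protocol -ne 'TLS 1.2' -and $_.State -ne 'disabled' }
if ($Legacy) { Write-Warning ('Not explicitly disabled on the Server side: ' + ($Legacy.Protocol -join ', ')) }
```

Run it once before applying the .reg script and once after the reboot it requires; the second run should show every Server-side row below TLS 1.2 as 'disabled' and the warning should no longer appear.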
