Web Connection
TLS 1.2 changes to website and SQL Server
TLS 1.2 changes to website and SQL Server
  Michael Hogan (Ideate Hosting)
  All
  Aug 26, 2017 @ 11:47am

I needed to secure one of my hosted websites to remove SSL 2.0, SSL 3.0 and TLS 1.0 for PCI compliance, and the website was using SQL Server (I normally use SQL for at least my Web Connection tables). I thought I should share some of the issues that came up.

First, since I mainly use RDP to access these servers, it's important to reset RDP security to use TLS 2.x before you turn off lower versions. Administrative Tools -> Remote Desktop Services -> RDP Host Configuration. Select your connection, go to 'Properties' and change the Security Layer to 'RDP Security Layer' from the default of 'Negotiate'. You should now be able to connect via RDP after you turn off TLS 1.0.

Next, IISCRYPTO was useful for easily disabling the unwanted protocols. https://www.nartac.com/Products/IISCrypto. There are also registry edit guides you can use if you prefer getting your hands dirty.

Unknown to me, this change also limits the encryption used between applications on the same machine - assuming you are connecting via TCP localhost.

As a result, I found that my application could no longer connect to SQL Server 2008. In fact, even SSMS (SQL Server Management Studio) could not connect. There are several patches required for SQL Server 2014 and lower. They are documented here: https://blogs.msdn.microsoft.com/sqlreleaseservices/tls-1-2-support-for-sql-server-2008-2008-r2-2012-and-2014/ and also in MS KB3135244.

Those patches allowed me to access the data through SSMS, but my VFP application still could not connect. I found I needed to install the TLS 1.2 compatible ODBC driver: ODBC Driver 11 for SQL Server (https://www.microsoft.com/en-us/download/details.aspx?id=36434) on all machines from which I expect to access the SQL tables.

Finally, I had to change the SQL Connection String to use the new driver: driver={ODBC Driver 11 for SQL Server};...

I hope this info will help others in securing their webconnect websites.
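The steps above amount to a checklist: legacy SCHANNEL protocols disabled (server and client side, since the client side governs the local app-to-SQL-Server hop too), the TLS 1.2-capable ODBC driver installed, and the connection string pointing at it. Here is an added PowerShell audit script that checks those three things on a Windows host; it is not from the original post or from West Wind, and it assumes the standard SCHANNEL registry layout that IISCrypto edits and the ODBC driver list under ODBCINST.INI. The connection string it inspects is a constructed sample.

```powershell
# Added audit script (not part of the original post). Assumes the SCHANNEL
# protocol keys IISCrypto writes and the ODBC driver list under ODBCINST.INI.
$schannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$wantedDriver = 'ODBC Driver 11 for SQL Server'   # the driver the post installs

# Read the Enabled / DisabledByDefault DWORDs for one protocol on one side.
function Get-SchannelProtocolState {
    param([string]$Protocol, [ValidateSet('Server', 'Client')][string]$Side)
    $key = Join-Path $schannelBase "$Protocol\$Side"
    if (-not (Test-Path $key)) { return 'OS default (no key)' }
    $props = Get-ItemProperty -Path $key
    if ($props.Enabled -eq 0)           { return 'Disabled' }
    if ($props.DisabledByDefault -eq 1) { return 'Disabled by default' }
    return 'Enabled'
}

# Pull the driver name out of an ODBC connection string, e.g. driver={...};
function Get-ConnectionStringDriver {
    param([string]$ConnectionString)
    $m = [regex]::Match($ConnectionString, '(?i)driver=\{?([^};]+)\}?')
    if ($m.Success) { return $m.Groups[1].Value.Trim() }
    return $null
}

Write-Host '== SCHANNEL protocol state (server / client) =='
foreach ($p in $protocols) {
    $srv = Get-SchannelProtocolState -Protocol $p -Side 'Server'
    $cli = Get-SchannelProtocolState -Protocol $p -Side 'Client'
    '{0,-8} server: {1,-22} client: {2}' -f $p, $srv, $cli
}

# PCI goal from the post: SSL 2.0, SSL 3.0 and TLS 1.0 off, TLS 1.2 left on.
$legacyOn = $protocols[0..2] | Where-Object {
    (Get-SchannelProtocolState $_ 'Server') -eq 'Enabled' -or
    (Get-SchannelProtocolState $_ 'Client') -eq 'Enabled'
}
if ($legacyOn) { Write-Warning ("Still enabled: " + ($legacyOn -join ', ')) }
if ((Get-SchannelProtocolState 'TLS 1.2' 'Server') -eq 'Disabled' -or
    (Get-SchannelProtocolState 'TLS 1.2' 'Client') -eq 'Disabled') {
    Write-Warning 'TLS 1.2 is explicitly disabled; nothing will be able to connect.'
}

Write-Host '== Installed SQL Server ODBC drivers =='
$odbcKey = 'HKLM:\SOFTWARE\ODBC\ODBCINST.INI\ODBC Drivers'
$installed = (Get-ItemProperty -Path $odbcKey).PSObject.Properties |
    Where-Object { $_.Name -like '*SQL Server*' } |
    Select-Object -ExpandProperty Name
$installed | ForEach-Object { "  $_" }
if ($installed -notcontains $wantedDriver) {
    Write-Warning "'$wantedDriver' is not installed on this machine."
}

Write-Host '== Connection string check =='
# Constructed sample; replace with the string your application actually uses.
$sampleConnStr = 'driver={SQL Server};server=localhost;database=webconnect;trusted_connection=yes'
$drv = Get-ConnectionStringDriver -ConnectionString $sampleConnStr
if (-not $drv) {
    Write-Warning 'No driver= clause found in the connection string.'
} elseif ($drv -ne $wantedDriver) {
    Write-Warning "Connection string uses '$drv', not '$wantedDriver'; verify it against KB3135244."
} elseif ($installed -notcontains $drv) {
    Write-Warning "Connection string names '$drv' but that driver is not installed."
} else {
    "OK: connection string uses '$drv' and it is installed."
}
```

Run it in an elevated PowerShell session on the web server and again on every machine that opens the SQL tables (the post notes the driver must be present on all of them). A protocol reported as 'OS default (no key)' has never been touched by IISCrypto or a registry edit and falls back to whatever the OS version enables, so treat it as unverified rather than as disabled.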

re: TLS 1.2 changes to website and SQL Server
  Rick Strahl
  Michael Hogan (Ideate Hosting)
  Aug 27, 2017 @ 11:39pm

Interesting - I had no idea that some of the internal components rely on TLS connections. SQL Server? Where the heck does TLS figure in this I wonder.

Anyway thanks for posting...

+++ Rick ---

re: TLS 1.2 changes to website and SQL Server
  Michael Hogan (Ideate Hosting)
  Rick Strahl
  Aug 28, 2017 @ 08:51am

Yes - a surprise to me as well. Apparently the ODBC drivers are using it to communicate with the server. This may be of help - https://blogs.sentryone.com/aaronbertrand/tls-1-2-support-read-first/

There's a useful matrix of SQL versions and the patches required.

© 1996-2017