SQL Server 2016: Enable TLS 1.2 for SQL Server connections

Time: 2018-02-16 20:39:20

Tags: java .net sql-server sql-server-2016 tls1.2

SQL Server 2016 is running on Windows 2012 R2. I applied the hotfix for TLSv1.2 support (https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server) and restarted the VM, and I do see TLS 1.2 enabled with the IISCrypto tool on the SQL Server VM.

We have a Java 8 web application and we force the web application to use only TLSv1.2 with the JVM parameter -Djdk.tls.client.protocols="TLSv1.2" (if I remove this JVM parameter the application connects to SQL Server fine), but even though we have enabled TLSv1.2 for SQL Server we see the following error:

org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Server chose TLSv1, but that protocol version is not enabled or not supported by the client.". ClientConnectionId:7564b6a1-60c0-4a24-8baa-7bd21f9512cf)

We also have a .Net 2.0 Windows service (only TLSv1.2 is enabled in the registry), and it also cannot connect to SQL Server 2016:

System.Data.OleDb.OleDbException: [DBNETLIB][ConnectionOpen (SECCreateCredentials()).]SSL Security error.
   at System.Data.OleDb.OleDbConnectionInternal..ctor(OleDbConnectionString constr, OleDbConnection connection)
   at System.Data.OleDb.OleDbConnectionFactory.CreateConnection(DbConnectionOptions options, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningObject)
   at System.Data.ProviderBase.DbConnectionFactory.CreateNonPooledConnection(DbConnection owningConnection, DbConnectionPoolGroup poolGroup)
   at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
   at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory)
   at System.Data.OleDb.OleDbConnection.Open()

But if I enable SSL3 and TLS1.0 in the registry, the Windows service connects to SQL Server 2016 fine.

I suspect the problem is that SQL Server is not using TLSv1.2 even though TLSv1.2 is enabled on the SQL Server VM. Can someone help me if any configuration or patch needs to be applied for SQL Server to support TLSv1.2?

2 answers:

Answer 0 (score: 4)

Microsoft Windows Server stores information about the different security-enhanced channel protocols that Windows Server supports. This information is stored in the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

Typically, this key contains the following subkeys:

PCT 1.0, SSL 2.0, SSL 3.0, TLS 1.0 ...

Each key holds information about the protocol for that key. Any of these protocols can be enabled on the server. To do this, you create a new DWORD value in the Server subkey of the protocol. You set the DWORD value to "1".

Important: Back up the registry before you modify it. Then you can restore the registry if a problem occurs.

To enable the TLS 1.x protocols, follow these steps:

1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
2. In Registry Editor, locate the following registry key:

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.x\Server

3. On the Edit menu, click Add Value.
4. In the Data Type list, click DWORD.
5. In the Value Name box, type Enabled, and then click OK.

Note: If this value is present, double-click the value to edit its current value.

6. Type 11111111 in the Binary Editor to set the value of the new key equal to "1".
7. Click OK. Restart the computer.

Hope this helps...

Answer 1 (score: 1)

Check the relevant certificates. One may be invalid.

If the machine validates its certificate, try this:

Registry script to disable the silly encryption; save it as a .reg file:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

You have to adjust the .NET Framework. If you actually use .Net 2.0 (old!), the last two keys should be:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001 

Here is Chris Duck's .ps1 to check which encryption protocols are enabled:

<#
.DESCRIPTION
  Outputs the SSL protocols that the client is able to successfully use to connect to a server.

.NOTES

  Copyright 2014 Chris Duck
  http://blog.whatsupduck.net

  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.

.PARAMETER ComputerName
  The name of the remote computer to connect to.

.PARAMETER Port
  The remote port to connect to. The default is 443.

.EXAMPLE
  Test-SslProtocols -ComputerName "www.google.com"

  ComputerName       : www.google.com
  Port               : 443
  KeyLength          : 2048
  SignatureAlgorithm : rsa-sha1
  Ssl2               : False
  Ssl3               : True
  Tls                : True
  Tls11              : True
  Tls12              : True
#>
function Test-SslProtocols {
  param(
    [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$true)]
    $ComputerName,

    [Parameter(ValueFromPipelineByPropertyName=$true)]
    [int]$Port = 443
  )
  begin {
    # Every named member of the SslProtocols enum except the catch-all values.
    $ProtocolNames = [System.Security.Authentication.SslProtocols] | gm -static -MemberType Property | ?{$_.Name -notin @("Default","None")} | %{$_.Name}
  }
  process {
    $ProtocolStatus = [Ordered]@{}
    $ProtocolStatus.Add("ComputerName", $ComputerName)
    $ProtocolStatus.Add("Port", $Port)
    $ProtocolStatus.Add("KeyLength", $null)
    $ProtocolStatus.Add("SignatureAlgorithm", $null)

    $ProtocolNames | %{
      $ProtocolName = $_
      # One fresh TCP connection per protocol, so each handshake is attempted in isolation.
      $Socket = New-Object System.Net.Sockets.Socket([System.Net.Sockets.SocketType]::Stream, [System.Net.Sockets.ProtocolType]::Tcp)
      $Socket.Connect($ComputerName, $Port)
      $SslStream = $null
      try {
        $NetStream = New-Object System.Net.Sockets.NetworkStream($Socket, $true)
        $SslStream = New-Object System.Net.Security.SslStream($NetStream, $true)
        # Offer exactly this one protocol version; the handshake throws if the server refuses it.
        $SslStream.AuthenticateAsClient($ComputerName, $null, $ProtocolName, $false)
        $RemoteCertificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]$SslStream.RemoteCertificate
        $ProtocolStatus["KeyLength"] = $RemoteCertificate.PublicKey.Key.KeySize
        $ProtocolStatus["SignatureAlgorithm"] = $RemoteCertificate.SignatureAlgorithm.FriendlyName
        $ProtocolStatus["Certificate"] = $RemoteCertificate
        $ProtocolStatus.Add($ProtocolName, $true)
      } catch {
        $ProtocolStatus.Add($ProtocolName, $false)
      } finally {
        # SslStream was created with leaveInnerStreamOpen=$true, so close the socket explicitly.
        if ($SslStream) { $SslStream.Close() }
        $Socket.Close()
      }
    }
    [PSCustomObject]$ProtocolStatus
  }
}
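Both answers turn on the same SCHANNEL registry keys: the first one edits the per-protocol Server subkey by hand, the second one ships a .reg script plus the .NET Framework keys. The following script is an added example, not code from the question, from either answer or from Chris Duck: it reads those keys back and reports where the host deviates from the "TLS 1.2 only" state that the second answer's .reg script establishes. The function names are hypothetical; the registry paths and value names are the ones the answers give.

```powershell
# Added example (not from the question or either answer): audit the SCHANNEL
# protocol keys and the .NET Framework keys, then report deviations from a
# "TLS 1.2 only" target. Run elevated on the SQL Server host or the client host.
# Function names are hypothetical; registry paths are the ones the answers list.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Target state, constructed from the .reg script in the second answer:
# legacy protocols disabled, TLS 1.2 enabled, for both the Client and Server role.
$TargetProtocols = [Ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
}

function Get-SchannelProtocolState {
    # One object per protocol and role. SCHANNEL semantics: a missing key means
    # "use the OS default"; Enabled=0 turns the protocol off outright;
    # DisabledByDefault=1 keeps it out of the default list unless an app asks for it.
    foreach ($proto in $TargetProtocols.Keys) {
        foreach ($role in 'Client', 'Server') {
            $key   = "$SchannelRoot\$proto\$role"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $enabled = $null
            $dbd     = $null
            if ($props) {
                # DWORD values are typically 0, 1 or 0xFFFFFFFF; anything non-zero means "on".
                if ($null -ne $props.Enabled)           { $enabled = ($props.Enabled -ne 0) }
                if ($null -ne $props.DisabledByDefault) { $dbd     = ($props.DisabledByDefault -ne 0) }
            }
            [PSCustomObject]@{
                Protocol          = $proto
                Role              = $role
                KeyExists         = [bool]$props
                Enabled           = $enabled
                DisabledByDefault = $dbd
                Target            = $TargetProtocols[$proto]
            }
        }
    }
}

function Get-DotNetTlsState {
    # .NET 4.x: SchUseStrongCrypto=1 makes the framework prefer TLS 1.2.
    # .NET 2.0/3.5: SystemDefaultTlsVersions=1 defers to the SCHANNEL defaults above.
    # Both the native and the Wow6432Node hive are checked, as in the answer's script.
    $checks = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SchUseStrongCrypto' }
        @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto' }
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727';             Name = 'SystemDefaultTlsVersions' }
        @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727'; Name = 'SystemDefaultTlsVersions' }
    )
    foreach ($c in $checks) {
        $props = Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue
        $value = if ($props) { $props.($c.Name) } else { $null }
        [PSCustomObject]@{ Key = $c.Key; Name = $c.Name; Value = $value; Ok = ($value -eq 1) }
    }
}

function Test-TlsHardening {
    # Returns one finding per deviation; an empty result means the host matches the target.
    $findings = @()
    foreach ($s in Get-SchannelProtocolState) {
        if ($s.Target -and ($s.Enabled -eq $false)) {
            $findings += "$($s.Protocol) $($s.Role): explicitly disabled, but TLS 1.2 is required"
        }
        elseif ((-not $s.Target) -and ($s.Enabled -ne $false)) {
            $state = if ($null -eq $s.Enabled) { 'left at the OS default' } else { 'enabled' }
            $findings += "$($s.Protocol) $($s.Role): $state; set Enabled=0 and DisabledByDefault=1"
        }
    }
    foreach ($d in Get-DotNetTlsState) {
        if (-not $d.Ok) {
            $findings += "$($d.Key)\$($d.Name): expected 1, found '$($d.Value)' (a missing key reads as empty)"
        }
    }
    return $findings
}

$issues = Test-TlsHardening
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No deviations from the TLS 1.2-only target.' }
```

Run it on the SQL Server VM to check the Server subkeys (the side that produced "Server chose TLSv1" in the question) and on the .NET client host to check the Client subkeys and the framework keys; the .NET 2.0/3.5 SystemDefaultTlsVersions value is only honoured by a framework that has received the update which introduced it. Note that Chris Duck's Test-SslProtocols above cannot simply be pointed at port 1433: the TDS protocol carries the TLS handshake inside its PRELOGIN packets, so a bare SslStream handshake against SQL Server fails regardless of which protocols the server has enabled.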