Jonathan Robles

asked on

Disabling TLS 1.0 and SSL 3.0 causes SQL 2014 services to not start.

Hey guys,

I am having an issue after a security scan. It appears that if we disable TLS 1.0 and SSL 3.0 on our SQL server the SQL services fail to start. Does anyone have any confirmation directly from Microsoft that would explain this? The only thing closest to a response was from a Stack Exchange article.

http://dba.stackexchange.com/questions/93127/sql-server-service-won-t-start-after-disabling-tls-1-0-and-ssl-3-0
chaau

Have you enabled TLS 1.1 or 1.2?
Jonathan Robles

ASKER

Yes. But the services fail to start.
I would try to update the SQL to the latest service pack available. However, if there is nothing in their publicly available information that says that they support TLS 1.1 or greater, there is no guarantee it will work.
Has anyone come up with a solution for this? I have two web servers that are running SQL 2008 and 2014; when I enabled TLS 1.1 and higher the services would not start. I can't find any documentation from Microsoft stating they support TLS 1.1 or higher for SQL. IIS works fine. It only seems to break SQL. Also, it broke auto-discovery for Exchange 2007.
ASKER CERTIFIED SOLUTION
Jonathan Robles

This solution is only available to members.
Ok wow, so that puts me in a tough spot. I have a web server that also uses SQL that can be accessed from the outside through my firewall. If I enable TLS 1.0 I automatically fail PCI. I can dispute it but not sure if it's secure to keep 1.0. Is there any official documentation from Microsoft? I thought about moving the SQL server to another server. But if the IIS server has TLS 1.0 disabled I would assume it would be the same result, as the SQL server only receives communication via TLS 1.0. If you have any MS documentation that would be great. Microsoft recommends TLS 1.2 but some products don't support it? That's pretty ridiculous, right?
Our plan is to also create a SQL server on a separate DMZ server and have it communicate over SSL. This should allow you to pass PCI Compliance.

As far as documentation, the link I provided was enough to convince higher ups regarding TLS 1.0.

To answer your question, SQL Server up to and including 2014 only supports TLS 1.0 as of now. – Mat Feb 17 at 15:56
But if your IIS server that is being accessed from the outside has TLS 1.0 disabled, how will you talk to the SQL server? Unless you can have the IIS server with TLS 1.0 disabled communicate with the SQL server using 1.2 or 1.1, I would think both servers would need to have 1.0 enabled to communicate. The reason I can't DMZ is the servers need access to internal data. From other posts it seems if you are connecting to a SQL server and TLS 1.0 is disabled on the machine that accesses SQL, it will not work. Unless I am totally wrong and I can just have the SQL server with TLS 1.0 enabled and any server connecting to it can use 1.1 or higher. But I don't think that's the case.
Not sure dude. Not sure at all. I need to tinker with this.
Thanks
Separating the SQL server was the only way to fix this issue.
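
An added example, not part of any post in this thread: a PowerShell check, to be run on the SQL host and on each machine that connects to it, that reports the SCHANNEL Server (inbound) and Client (outbound) setting for each protocol. It assumes the protocols were disabled through the standard SCHANNEL `Protocols` registry keys; a missing key or value means the Windows default for that OS version applies.

```powershell
# Added example: report SCHANNEL protocol state for both roles on this host.
# Assumption: protocols were toggled via the standard SCHANNEL registry keys.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$roles     = 'Server', 'Client'   # Server = inbound handshakes, Client = outbound

function Get-SchannelState {
    param([string]$Protocol, [string]$Role)
    $path  = Join-Path (Join-Path $base $Protocol) $Role
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    # Look the values up by name so a missing value is distinguishable from 0.
    $enabled = if ($props) { $props.PSObject.Properties['Enabled'] }
    $dbd     = if ($props) { $props.PSObject.Properties['DisabledByDefault'] }
    if (-not $enabled)            { $state = 'OS default (not set)' }
    elseif ($enabled.Value -eq 0) { $state = 'Disabled' }
    else                          { $state = 'Enabled' }
    [pscustomobject]@{
        Protocol          = $Protocol
        Role              = $Role
        State             = $state
        DisabledByDefault = if ($dbd) { $dbd.Value } else { 'not set' }
    }
}

$report = foreach ($p in $protocols) {
    foreach ($r in $roles) { Get-SchannelState -Protocol $p -Role $r }
}
$report | Format-Table -AutoSize

# The thread reports that SQL Server up to and including 2014 only spoke
# TLS 1.0 at the time, so flag the two combinations the posters ran into.
$tls10       = $report | Where-Object { $_.Protocol -eq 'TLS 1.0' }
$sqlServices = Get-Service -Name 'MSSQL*' -ErrorAction SilentlyContinue

if ($sqlServices -and ($tls10 | Where-Object { $_.Role -eq 'Server' -and $_.State -eq 'Disabled' })) {
    Write-Warning 'SQL services are installed here and TLS 1.0 (Server) is disabled.'
}
if ($tls10 | Where-Object { $_.Role -eq 'Client' -and $_.State -eq 'Disabled' }) {
    Write-Warning 'TLS 1.0 (Client) is disabled: no protocol in common with a SQL Server that only offers TLS 1.0.'
}
```

Comparing the Client rows on the web server with the Server rows on the SQL host shows whether the two machines still share a protocol.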