Solved

Mitigating POODLE on MS SQL Server

Posted on 2015-02-24
1
1,289 Views
Last Modified: 2015-02-25
Hi,

We have some Windows 2008 R2 servers that have had SSL completely disabled via the MS recommended registry change, and the subsequent Nessus scans bore that out as 443 was no longer being flagged for SSL POODLE.  

However, the MS SQL Server running on the same host does still flag that vulnerability during the Nessus scans. I don't seem to be able to get good results using the openssl binary or sslscan to check out the SQL Server port. I also attempted logging into the SQL Server using sqlcmd while running a capture with NetMonitor, and the output would lead me to believe it is not running. Looking at the capture output, I can see where the client attempts a TLS handshake with the client hello, and then there is a client key exchange, followed by an TLS application data packet. Those are the only TLS packets - there were no TLS packets from the server responding to the client so I would think that would indicate TLS/SSL is not being used by the SQL server.

BUT - why would sqlcmd attempt to initiate a TLS handshake if encryption was not enabled, and Tenable states this is not a false positive.

Can anyone help me clear this up. Is there a good, definitive method to determine if SSL is enabled on MS SQL Server? This is assuming SQL Server does not use the system wide SSL/TLS implementation.

Thank you,
Jud
0
Comment
Question by:jpetter
1 Comment
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 40630019
It is not only at the registry for OS level, but also consider configuring it at SQL side for enabling "ForceEncryption" which required you to install a certificate on the server. Likewise, to ensure "Force Protocol Encryption" also on the SQL Server clients, you must have a certificate on the server and the client must have the Trusted Root Authority updated to trust the server certificate. The server would have responded if client start the encryption request as shared. But first have to ensure the provisioning is right at both OS and SQL side.

For 2K8, http://www.mssqltips.com/sqlservertip/3299/how-to-configure-ssl-encryption-in-sql-server/
Still relevant though MS support stated 2K and 2K5 -http://support.microsoft.com/kb/316898
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
MSSQL: Replace text (typo) 7 34
T-SQL: Nested CASE Statements 4 25
SQL Field Length for Email Address 3 17
conditional join based on column 4 12
Encryption for Business Encryption (https://en.wikipedia.org/wiki/Encryption) ensures the safety of our data when sending emails. In most cases, to read an encrypted email you must enter a secret key that will enable you to decrypt the email. T…
In 2017, ransomware will become so virulent and widespread that if you aren’t a victim yourself, you will know someone who is.
Viewers will learn how to use the INSERT statement to insert data into their tables. It will also introduce the NULL statement, to show them what happens when no value is giving for any given column.
Viewers will learn how to use the SELECT statement in SQL to return specific rows and columns, with various degrees of sorting and limits in place.

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now