Disabling TLS 1.0 and SSL 3.0 causes SQL 2014 services to not start.

Hey guys,

I am having an issue after a security scan. It appears that if we disable TLS 1.0 and SSL 3.0 on our SQL server, the SQL services fail to start. Does anyone have any confirmation directly from Microsoft that would explain this? The closest thing to a response was from a Stack Exchange article.

http://dba.stackexchange.com/questions/93127/sql-server-service-won-t-start-after-disabling-tls-1-0-and-ssl-3-0
Asked by: Jonathan Robles (Owner)

chaau Commented:
Have you enabled TLS 1.1 or 1.2?
Jonathan Robles (Owner, Author) Commented:
Yes. But the services fail to start.
chaau Commented:
I would try to update the SQL to the latest service pack available. However, if there is nothing in their publicly available information that says that they support TLS 1.1 or greater, there is no guarantee it will work.

edwardsr80 Commented:
Has anyone come up with a solution for this? I have two web servers that are running SQL 2008 and 2014; when I enabled TLS 1.1 and higher the services would not start. I can't find any documentation from Microsoft stating they support TLS 1.1 or higher for SQL. IIS works fine. It only seems to break SQL. Also, it broke auto-discovery for Exchange 2007.
Jonathan Robles (Owner, Author) Commented:
Hi Edwardsr80. Unfortunately SQL only communicates across TLS 1.0. Microsoft has confirmed this. If you disable TLS 1.0 the SQL services will not start. Sorry.

edwardsr80 Commented:
OK wow, so that puts me in a tough spot. I have a web server that also uses SQL that can be accessed from the outside through my firewall. If I enable TLS 1.0 I automatically fail PCI. I can dispute it but I'm not sure if it's secure to keep 1.0. Is there any official documentation from Microsoft? I thought about moving the SQL server to another server. But if the IIS server has TLS 1.0 disabled I would assume it would be the same result, as SQL only receives communication via TLS 1.0. If you have any MS documentation that would be great. Microsoft recommends TLS 1.2 but some products don't support it? That's pretty ridiculous, right?
Jonathan Robles (Owner, Author) Commented:
Our plan is to also create a SQL server on a separate DMZ server and have it communicate over SSL. This should allow you to pass PCI Compliance.

As far as documentation, the link I provided was enough to convince higher ups regarding TLS 1.0.

To answer your question, SQL Server up to and including 2014 only support TLS 1.0 as of now. –  Mat Feb 17 at 15:56
edwardsr80 Commented:
But if your IIS server that is being accessed from the outside has TLS 1.0 disabled, how will you talk to the SQL server? Unless you can have the IIS server with TLS 1.0 disabled and communicate with the SQL server using 1.2 or 1.1, I would think both servers would need to have 1.0 enabled to communicate. The reason I can't DMZ is the servers need access to internal data. From other posts it seems that if you are connecting to a SQL server and TLS 1.0 is disabled on the machine that accesses SQL, it will not work. Unless I am totally wrong and I can just have the SQL server with TLS 1.0 enabled and any server connecting to it can use 1.1 or higher. But I don't think that's the case.
Jonathan Robles (Owner, Author) Commented:
Not sure dude. Not sure at all. I need to tinker with this.
Jonathan Robles (Owner, Author) Commented:
Thanks
edwardsr80 Commented:
Separating the SQL server was the only way to fix this issue.