
Disabling TLS 1.0 and SSL 3.0 causes SQL 2014 services to not start.

Jonathan Robles asked:
Hey guys,

I am having an issue after a security scan. It appears that if we disable TLS 1.0 and SSL 3.0 on our SQL server, the SQL services fail to start. Does anyone have any confirmation directly from Microsoft that would explain this? The closest thing to an answer I found was a Stack Exchange post.

http://dba.stackexchange.com/questions/93127/sql-server-service-won-t-start-after-disabling-tls-1-0-and-ssl-3-0
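Before going further it helps to know exactly which SCHANNEL registry values the scan remediation left behind, on both the Server and Client side, since that is what the SQL Server service will see on its next start. The following PowerShell script is an added example, not code from the original post or from any of the participants; it assumes the standard SCHANNEL key layout under HKLM and a default SQL instance whose service is named MSSQLSERVER (both assumptions are marked in the comments).

```powershell
# Added example, not from the original thread: audit the SCHANNEL protocol
# registry values that a "disable SSL 3.0 / TLS 1.0" hardening step sets,
# report what the SQL Server service will find on next start, and provide a
# rollback helper. Assumptions: the standard SCHANNEL key path below and a
# default instance whose service is MSSQLSERVER (use MSSQL$NAME for a named one).

$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$SqlService   = 'MSSQLSERVER'   # assumed default instance

function Get-SchannelProtocolState {
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [ValidateSet('Server', 'Client')][string]$Side = 'Server'
    )
    $key = Join-Path $SchannelBase "$Protocol\$Side"
    if (-not (Test-Path $key)) {
        # No key at all: Windows falls back to its built-in default for that protocol.
        return [pscustomobject]@{ Protocol = $Protocol; Side = $Side; State = 'OS default (no key)' }
    }
    $props   = Get-ItemProperty -Path $key
    $enabled = $props.Enabled
    $dbd     = $props.DisabledByDefault
    # Enabled = 0 turns the protocol off outright. DisabledByDefault = 1 leaves it
    # off unless an application explicitly requests it. Anything else counts as on.
    $state = if ($null -ne $enabled -and $enabled -eq 0) { 'disabled (Enabled=0)' }
             elseif ($null -ne $dbd -and $dbd -ne 0)      { 'disabled by default' }
             else                                         { 'enabled' }
    [pscustomobject]@{ Protocol = $Protocol; Side = $Side; State = $state }
}

# Walk every protocol on both sides. The Client side matters for the box that
# connects to SQL (the IIS server in this thread), the Server side for SQL itself.
$audit = foreach ($p in $Protocols) {
    foreach ($side in 'Server', 'Client') { Get-SchannelProtocolState -Protocol $p -Side $side }
}
$audit | Format-Table -AutoSize

# The symptom reported in this thread: TLS 1.0 (Server) disabled -> SQL 2014 won't start.
$tls10Server = $audit | Where-Object { $_.Protocol -eq 'TLS 1.0' -and $_.Side -eq 'Server' }
if ($tls10Server.State -ne 'enabled') {
    Write-Warning "TLS 1.0 (Server) is $($tls10Server.State); confirm this SQL build starts without it before rebooting."
}

# Service check. SCHANNEL registry edits only take effect after a reboot, so a
# service that is running right now says nothing about the new settings.
$svc = Get-Service -Name $SqlService -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning "Service $SqlService not found (named instance? use MSSQL`$InstanceName)."
} else {
    'Service {0} is {1}' -f $svc.Name, $svc.Status
}

# Rollback helper: re-enable one protocol on one side. Run with -WhatIf first,
# then reboot for the change to apply.
function Enable-SchannelProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [ValidateSet('Server', 'Client')][string]$Side = 'Server'
    )
    $key = Join-Path $SchannelBase "$Protocol\$Side"
    if ($PSCmdlet.ShouldProcess($key, 'Set Enabled=1, DisabledByDefault=0')) {
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name Enabled -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -Value 0 -PropertyType DWord -Force | Out-Null
    }
}
# Usage: Enable-SchannelProtocol -Protocol 'TLS 1.0' -Side Server -WhatIf
```

Run it as an administrator on the SQL host and again on any host that connects to it; the Client-side rows are what decide whether a hardened IIS server can still reach a SQL instance that only has TLS 1.0 left on.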

Top Expert 2013

Commented:
Have you enabled TLS 1.1 or 1.2?

Author

Commented:
Yes. But the services fail to start.
Top Expert 2013

Commented:
I would try updating SQL to the latest service pack available. However, if there is nothing in their publicly available information that says they support TLS 1.1 or greater, there is no guarantee it will work.

Commented:
Has anyone come up with a solution for this? I have two web servers running SQL 2008 and 2014; when I enabled TLS 1.1 and higher, the services would not start. I can't find any documentation from Microsoft stating they support TLS 1.1 or higher for SQL. IIS works fine; it only seems to break SQL. It also broke autodiscover for Exchange 2007.
Commented:
Hi Edwardsr80. Unfortunately SQL only communicates over TLS 1.0. Microsoft has confirmed this. If you disable TLS 1.0, the SQL services will not start. Sorry.

Commented:
OK, wow, so that puts me in a tough spot. I have a web server that also uses SQL and can be accessed from the outside through my firewall. If I enable TLS 1.0, I automatically fail PCI. I can dispute it, but I'm not sure whether it's secure to keep 1.0. Is there any official documentation from Microsoft? I thought about moving the SQL server to another server, but if the IIS server has TLS 1.0 disabled I would assume it would be the same result, as SQL only receives communication via TLS 1.0. If you have any MS documentation, that would be great. Microsoft recommends TLS 1.2, but some products don't support it? That's pretty ridiculous, right?

Author

Commented:
Our plan is to also create a SQL server on a separate DMZ server and have it communicate over SSL. This should allow you to pass PCI compliance.

As far as documentation, the link I provided was enough to convince higher ups regarding TLS 1.0.

"To answer your question, SQL Server up to and including 2014 only supports TLS 1.0 as of now." – Mat Feb 17 at 15:56

Commented:
But if your IIS server that is being accessed from the outside has TLS 1.0 disabled, how will it talk to the SQL server? Unless the IIS server can have TLS 1.0 disabled and still communicate with the SQL server using 1.1 or 1.2, I would think both servers would need to have 1.0 enabled to communicate. The reason I can't DMZ it is that the servers need access to internal data. From other posts it seems that if you are connecting to a SQL server and TLS 1.0 is disabled on the machine that accesses SQL, it will not work. Unless I am totally wrong and I can just have TLS 1.0 enabled on the SQL server while any server connecting to it uses 1.1 or higher. But I don't think that's the case.

Author

Commented:
Not sure, dude. Not sure at all. I need to tinker with this.

Author

Commented:
Thanks.

Separating the SQL server was the only way to fix this issue.