SQL 2014 (12.0.4213.0) service fails to start if TLS 1.0 is disabled

We need to disable TLS 1.0 for PCI requirements (IIS is also running on this machine, yes I know best practice is to have SQL on its own machine, but this is just how it is)

My understanding is that TLS 1.2 should work if we're higher than SQL 2014 CU6.  CU7 for example, as per https://support.microsoft.com/en-us/kb/3046038,  would result in build 12.0.2495.0, and we're at 12.0.4213.0 so we are higher than CU7 (right?)


Based on this:  https://support.microsoft.com/en-us/kb/3052404,  running the latest updates on SQL 2014 should allow TLS 1.2 to work. However, when we disable TLS 1.0, the SQL service fails to start.


Our current build is:
Microsoft SQL Server 2014 - 12.0.4213.0 (X64)  Jun  9 2015 12:06:16  Copyright (c) Microsoft Corporation  Web Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1) (Hypervisor)



From what I can tell we have a SQL 2014 build that should support TLS 1.2.  Is there something further that has to be done to make this work?


SQL 2014 is running on a SQL 2008 R2 machine, I found this:

https://msdn.microsoft.com/en-us/library/ms143506(v=sql.120).aspx 
If you install SQL Server 2014 on Windows Server 2008 SP2, you can get the required update from here (https://support.microsoft.com/en-us/kb/956250)

But this machine doesn't have ASP.NET 3.5 installed (it has ASP.NET 4.5), so I don't think that would even apply (unless ASP.NET 3.5 is REQUIRED for SQL 2014??)
Asked by: Vas
lcohan (Database Analyst) commented:
Looks like you're out of luck; please see the comments related to a similar issue with the exact same versions you have.

http://www.experts-exchange.com/questions/28652578/Disabling-TLS-1-0-and-SSL-3-0-causes-SQL-2014-services-to-not-start.html
Vas (Author) commented:
I actually did come across that post before posting this question, but it's from April and I wasn't sure what CU update was around at that time.

The exact error we're seeing in the logs is the one in this article, and it seems to indicate Microsoft does support TLS 1.2 with the appropriate updates:

https://support.microsoft.com/en-us/kb/3052404
lcohan (Database Analyst) commented:
Hmm... sorry, I missed that, as it looks indeed that if you apply CU 8 - Build number: 12.0.2546.0 on top of your build this may work; however, I would be 100% sure it works before applying a CU in a production server, because there's no mention that TLS 1.0 can stay disabled as far as I could see, and Microsoft recommends that "We recommend that you test hotfixes before you deploy them in a production environment."

They just mention that TLS 1.2 support was fixed as per https://support.microsoft.com/en-us/kb/3052404
Vas (Author) commented:
Our current build is:

Microsoft SQL Server 2014 - 12.0.4213.0 (X64)

This has to be higher than CU 8 right?  (since CU 8 is Build number: 12.0.2546.0)
lcohan (Database Analyst) commented:
Argh... I flipped the numbers when I typed, sorry again. Looks like you're (at least) on 2008 SP1, so CU1 for 2008 SP1, which is Build number: 12.0.4416.0, should do it for you; however, please test, test, test... before deploying to prod servers, as these can't be rolled back and you never know what else they may introduce.
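The build comparison discussed above only makes sense within one service-pack branch, which is why 12.0.4213.0 being numerically higher than the CU 8 build does not settle the question. The sketch below is an added example, not part of the original thread: it parses a `SELECT @@VERSION` banner and compares the build against the first fixed build quoted in this thread for its branch. The function names and the branch floor builds (12.0.2000 for RTM, 12.0.4100 for SP1) are assumptions added here.

```python
import re

# Banner posted by the asker in this thread.
ASKER_BANNER = ("Microsoft SQL Server 2014 - 12.0.4213.0 (X64)  Jun  9 2015 "
                "12:06:16  Web Edition (64-bit) on Windows NT 6.1 <X64>")

# (branch, first build of the branch, first build with the KB 3052404 fix).
# Fixed builds are the ones quoted in this thread; the branch floors are an
# assumption added for this example. Newest branch first.
BRANCHES = [
    ("SQL 2014 SP1", (12, 0, 4100), (12, 0, 4416)),  # SP1 CU1
    ("SQL 2014 RTM", (12, 0, 2000), (12, 0, 2546)),  # RTM CU8
]

BUILD_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_build(text):
    """Return (major, minor, build) from a banner or a bare build string."""
    m = BUILD_RE.search(text)
    if not m:
        raise ValueError("no four-part build number found")
    build = tuple(int(x) for x in m.groups()[:3])
    if build[:2] != (12, 0):
        raise ValueError("not a SQL Server 2014 (12.0.x) build")
    return build


def tls12_fix_status(text):
    """Report whether the build is at or above the fixed build of its branch."""
    build = parse_build(text)
    for name, floor, fixed in BRANCHES:
        if build >= floor:
            return {"branch": name, "build": build,
                    "first_fixed": fixed, "has_fix": build >= fixed}
    raise ValueError("build predates SQL Server 2014 RTM")


if __name__ == "__main__":
    for sample in (ASKER_BANNER, "12.0.2546.0", "12.0.4416.0"):
        print(tls12_fix_status(sample))
```

A `has_fix` of true only means the build carries the fix named in the thread; it says nothing about whether the service will start with TLS 1.0 disabled.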
Vas (Author) commented:
It's already on a production server, and all works great (just can't disable TLS 1.0 unfortunately)
lcohan (Database Analyst) commented:
Therefore my point "They just mention that TLS 1.2 support was fixed as per https://support.microsoft.com/en-us/kb/3052404" but not that you can disable TLS 1.0, unfortunately.

Vas (Author) commented:
I found this article which claims it can work without TLS 1.0

http://robwillis.info/2015/08/disabling-tls-1-0-with-ms-sql-2014-services-wont-start/

Article links to some other patches.

To summarize:

" I have been able to test and confirm both CU1 for SQL 2014 SP1 and CU6 for SQL 2012 SP2 are fully functional. The CU packages can be found here:
https://support.microsoft.com/en-us/kb/3052404"

and then to resolve an issue with SQL Management Studio:

"install .Net 4.6 which can be found here:
https://www.microsoft.com/en-us/download/details.aspx?id=48130"


We'll try this tonight or tomorrow night.
Vitor Montalvão (MSSQL Senior Engineer) commented:
"We'll try this tonight or tomorrow night."
Did you try it? How was it?
Vas (Author) commented:
We did finally try it and it didn't work, SQL still wouldn't start so the client ended up getting a 2nd server to run only SQL on.
Vitor Montalvão (MSSQL Senior Engineer) commented:
If it didn't work, why are you accepting a solution?