jeff Lee asked:

TLS 1.0 disable and Delphi BDE

Hi,
The server supports encryption through TLS 1.0, which was formally deprecated in March 2021 as a result of inherent security issues. In addition, TLS 1.0 is not considered to be "strong cryptography" as defined and required by the PCI Data Security Standard 3.2(.1) when used to protect sensitive information. According to PCI, "30 June 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged)."
If I disable TLS 1.0, the system can't connect to the MSSQL database using a BDE connection.
If I must connect to the MSSQL database via BDE and want to disable TLS 1.0, is it possible?

   Thanks.

jeff
ste5an

I'm not aware of such an option.

AFAIK BDE has been deprecated since 2000, when they introduced dbExpress as the main database connector technology. It also does not support Unicode. And if you didn't find a TLS option for higher versions, then I'm afraid there is no easy solution.

Just out of curiosity: how do you enable TLS 1.0 transport encryption for BDE? I have never seen such an option.
jeff Lee

ASKER

Hi ste5an,
> Afaik BDE is deprecated since 2000
I know that. But the BDE works fine for now. The web application runs on a web server that also hosts the MSSQL database, and we are currently using the native BDE driver "MSSQL" to connect to the MSSQL server; the AP and DB are on the same server. If I disable TLS 1.0 on the server, then the client which uses BDE can't connect to the server.
I must connect to the MSSQL database via BDE and disable TLS 1.0 on the server. That is what I want.

  Thanks.

jeff
> I must connect MSSQL database via BDE and disable TLS 1.0 on the server.

Without knowing your exact scenario, this sounds like a contradiction.

Thus I see only two options:

- Rewrite your code to drop BDE.
- Rewrite your app to use only locally stored data; then you can still use BDE, because then no transport encryption is needed.
Hi ste5an,
Thanks for your suggestion. If the AP and DB are on different servers, I can disable TLS 1.0 on the AP server and connect to the DB server via BDE. It's another solution.
> Rewrite your code to drop BDE.
I should rewrite my code and drop BDE. That's true. In fact I'm looking for advice about Embarcadero and Visual Studio. Have you moved your project to Visual Studio? I think it's a hard time for me.

Thanks.

jeff

Switching from Delphi to C# is easy. The hard part is learning the different new libraries. But depending on the project, this can also be easier than it may look.

What kind of project is it? What does the actual architecture look like?
Hi ste5an,
> Switching from Delphi to C# is easy.
Anyway, I should switch from Delphi to C#.

   Thanks.

  jeff
Please give details: Windows version? Delphi version?
BDE does not know TLS. BDE uses the Windows transport layer. Basically, if you set Windows, you'll set BDE.
Agree with others. I recommend using an ADO type of DB connection.
Hi Sinisa Vuk,

Windows version: Windows Server 2016
Delphi version: Delphi 7

TLS 1.0 is enabled by default in Windows Server 2016. The server supports encryption through TLS 1.0, which was formally deprecated in March 2021 as a result of inherent security issues. So I must disable TLS 1.0. But if I disable TLS 1.0, my system can't connect to SQL Server via BDE.

> I recommend to use ADO type of db connection.
I know; now I should switch from Delphi to C#. But it will take a long time for me.

   Thanks.

  jeff
Try to follow these directions to enable TLS 1.1 (or up) by default:
Enable TLS 1.2 or enable TLS 1.1 manually.
Windows must be updated with the latest updates/service packs.
I had similar issues with Win7.
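The directions above come down to Schannel registry settings. The script below is an added example (not from the thread, and not Microsoft's or Sinisa Vuk's code) that audits which SSL/TLS versions Windows Server 2016 currently offers as client and as server, and carries a hardening function for explicitly disabling one of them. It assumes the documented Schannel registry layout under `HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols` and an elevated PowerShell session; it only changes what Windows offers and says nothing about whether the BDE driver itself can use the newer protocol.

```powershell
# Added example, not from the thread: audit (and optionally harden) Schannel protocol
# settings on Windows Server 2016. Assumes the documented Schannel registry layout and an
# elevated session. Changes only what Windows offers; the BDE driver is not touched.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelState {
    param([string]$Protocol, [ValidateSet('Client', 'Server')][string]$Role)
    $key = Join-Path $SchannelBase "$Protocol\$Role"
    if (-not (Test-Path $key)) {
        # No key means Schannel uses the OS default (TLS 1.0 through 1.2 on Server 2016).
        return 'OS default (key absent)'
    }
    $p = Get-ItemProperty -Path $key
    # Enabled=0 turns the protocol off; DisabledByDefault=1 keeps it from being offered.
    $enabled = ($null -eq $p.Enabled) -or ($p.Enabled -ne 0)
    $offered = ($null -eq $p.DisabledByDefault) -or ($p.DisabledByDefault -eq 0)
    if (-not $enabled) { return 'Disabled (Enabled=0)' }
    if (-not $offered) { return 'Enabled but not offered by default' }
    return 'Enabled'
}

function Disable-SchannelProtocol {
    # Hardening step: explicitly disable one protocol for one role. Takes effect after reboot.
    param([string]$Protocol, [ValidateSet('Client', 'Server')][string]$Role)
    $key = Join-Path $SchannelBase "$Protocol\$Role"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
}

# Report the current state for every protocol/role pair.
$report = foreach ($proto in $Protocols) {
    foreach ($role in 'Client', 'Server') {
        [pscustomobject]@{ Protocol = $proto; Role = $role; State = (Get-SchannelState $proto $role) }
    }
}
$report | Format-Table -AutoSize

# Before disabling TLS 1.0 on a server that legacy clients (like BDE in this thread) depend
# on, run the audit, test the client after the change, and keep a rollback. Example call:
# Disable-SchannelProtocol -Protocol 'TLS 1.0' -Role 'Server'
```

Run the audit before and after a change so the registry state, rather than the client's error message, tells you which protocol versions the server actually offers.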
I still think your requirements are a contradiction. Using BDE on the one hand, but switching to actual TLS is not possible. Well, at least as long as you don't tell us how you use BDE.

You also mentioned PCI-DSS: how did you verify the system's safety three years ago?
Hi Sinisa Vuk,
Even if I disable TLS 1.0 and enable TLS 1.1 & 1.2 on Windows Server 2016 and then update to the latest Windows service packs, my system still can't connect to SQL Server via BDE unless I enable TLS 1.0. I am sure about that.

  Thanks for your help.

  jeff
Hi ste5an,
I know that BDE is a very (very) old technology, but the system is very large and complex and I can't currently switch to another technology immediately. That's the problem. In the meantime, I must disable TLS 1.0 for the security issues on Windows Server 2016. TLS 1.0 is vulnerable to man-in-the-middle attacks, risking the integrity and authentication of data sent between a website and a browser. So why do you think my requirements are a contradiction?
> Using BDE on the one hand, but switching to actual TLS is not possible
I really don't know about the relationship between BDE and TLS 1.0; I just know that when I disable TLS 1.0, my system can't connect to SQL Server via BDE.

   Thanks.

jeff 
Sorry, I didn't phrase it correctly.

Requirements must be complete, error-free and consistent. I should have focused on consistency and being error-free.

Your problem is two-fold:

1) I'm not aware of TLS settings in BDE, only in the used drivers.
Here you need to look in the used drivers.

2) You're trying to get compatible with the PCI-DSS 2018 rules, but use software that has been deprecated/outdated since 2000.
You can only use TLS 1.0 for customers/systems which were implemented before the 2018 deadline. The PCI-DSS requirements do not allow it for new systems.
When you have an allowed case, then you must run it in a safe and monitored way. The only safe way to protect TLS 1.0 against POODLE (the actual MITM) is: you must use a separate, physical network which is not connected to the internet, where all devices are known and monitored.
Hi ste5an,
There is no setting about TLS in the BDE (Borland Database Engine) configuration. I have no idea about the relationship between TLS 1.0 and BDE. I think it has come to a deadlock for now. I just hold out hope that someone can solve the problem. I must switch from Delphi to C# as soon as I can.

  Thanks again.

jeff 
Please install Fiddler first. With this tool you can track what is going on with TLS. It helped me a lot.
Caveat: when your system must be PCI-DSS compliant, then you must take action now. I think you need to talk with your management.
Hi Sinisa Vuk,
WOW, I have never used the Fiddler tool. Let me try it.

Hope it can help me a lot too.

    Thanks.

jeff

Hmm, IMHO Fiddler is a network sniffer and development tool for HTTP(S) only.
Hi,

Anyway, I really appreciate all of the help.

    Thanks.

  jeff