How to configure TLS 1.2 on Microsoft SQL Server 2016 with Windows Server 2016

-1

I try to launch a website on Windows Server 2016 + SQL Server 2016 with TLS 1.2 ONLY.

Here under you can find my systeminfo :

Nom du système d’exploitation:              Microsoft Windows Server 2016 Standard
Version du système:                         10.0.14393 N/A version 14393
Fabricant du système d’exploitation:        Microsoft Corporation
Configuration du système d’exploitation:    Serveur membre
Type de version du système d’exploitation:  Multiprocessor Free
Propriétaire enregistré:                    Utilisateur Windows
Organisation enregistrée:
Identificateur de produit:                  00377-70516-32850-AA566
Date d’installation originale:              28/02/2018, 10:05:17
Heure de démarrage du système:              07/08/2019, 10:17:12
Fabricant du système:                       VMware, Inc.
Modèle du système:                          VMware Virtual Platform
Type du système:                            x64-based PC
Processeur(s):                              4 processeur(s) installé(s).
                                            [01] : Intel64 Family 6 Model 37 Stepping 1 GenuineIntel ~3096 MHz
                                            [02] : Intel64 Family 6 Model 37 Stepping 1 GenuineIntel ~3096 MHz
                                            [03] : Intel64 Family 6 Model 37 Stepping 1 GenuineIntel ~3096 MHz
                                            [04] : Intel64 Family 6 Model 37 Stepping 1 GenuineIntel ~3096 MHz
Version du BIOS:                            Phoenix Technologies LTD 6.00, 21/09/2015

SQL Server config : DATABASE

My SSMS config: SSMS

I read information about Microsoft: tls-1-2-support-for-microsoft-sql-server

I also installed the Microsoft SQL Server 2012 Native Client - QFE on the computer when the ASP.net Website is built.

I compile with Framework 4.6 and without any signature MD5 because you don't have to ! https://support.microsoft.com/en-us/help/3137281/fix-communication-that-uses-an-md5-hash-algorithm-fails-when-you-use-t

I modified the registery keys like this: TLS 1.2 enable TLS 1.0 and 1.1 disable SSL 2 and 3 disable

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000000

The result is here IISCrypto

When TLS 1.0 and 1.1 are enabled my website works perfectly. It is when I diactivate TLS 1.0 and 1.1 I have the issue.

Here under you can see the exception I got when I try "localhost":

Fournisseur SSL : Le client et le serveur ne peuvent pas communiquer car ils ne possèdent aucun algorithme commun.

  Description : Une exception non gérée s'est produite au moment de l'exécution de la requête Web actuelle. Contrôlez la trace de la pile pour plus d'informations sur l'erreur et son origine dans le code. 

 Détails de l'exception: System.Data.SqlClient.SqlException: Fournisseur SSL : Le client et le serveur ne peuvent pas communiquer car ils ne possèdent aucun algorithme commun.


Erreur source: 


 Une exception non gérée s'est produite lors de l'exécution de la requête Web actuelle. Les informations relatives à l'origine et l'emplacement de l'exception peuvent être identifiées en utilisant la trace de la pile d'exception ci-dessous.  

Trace de la pile: 

[SqlException (0x80131904): Fournisseur SSL : Le client et le serveur ne peuvent pas communiquer car ils ne possèdent aucun algorithme commun.
]

Or in english "The client and server cannot communicate, because they do not possess a common algorithm"

So that is this issue but the SQL Server I use supports TLS 1.2

I also tried to change my Global.asax

public class Global : System.Web.HttpApplication
    {

        private static readonly ILog _log = LogManager.GetLogger(typeof(Global));

        protected void Application_Start(object sender, EventArgs e)
        {
            XmlConfigurator.Configure();
            ...
            System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
            ....
        }

But it doesn't change anything.

So you have any idea about this issue ? Best Regards,

sql-server-2016
tls1.2
windows-server-2016
asked on Stack Overflow Aug 7, 2019 by Efficiensys • edited Aug 7, 2019 by Efficiensys

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0