Sophos PureMessage version 4.0.4 also installs the CheckDBConnection test tool alongside the main components of PureMessage. This tool can be used to verify whether your database is compatible with TLS 1.2.
This article explains all of the database connection checks that the CheckDBConnection tool makes. These checks determine whether the system can connect to the Sophos database with TLS 1.2 and provide further information on the changes required to enable the use of TLS 1.2.
The information provided in this article is taken from the guidance provided by Microsoft: TLS 1.2 support for Microsoft SQL Server.
Applies to the following Sophos products and versions: PureMessage for Microsoft Exchange 4.0.4
The tool is extracted to the installation location of Sophos PureMessage. For PureMessage 4.0.4 the default location is:
CheckDBConnection.exe -s .\SOPHOS
CheckDBConnection.exe -s .\SOPHOS -t osce
CheckDBConnection.exe -s <DatabaseComputerName>\SOPHOS -t onfce
CheckDBConnection.exe -s <DatabaseComputerName.domain.com>\SOPHOS -t onfce
CheckDBConnection.exe -t osnf
The tool has two working modes. The default is checking the system for TLS 1.2 compatibility (system check mode). The second performs the database settings modification (apply mode: -a).

-s
Requires the SQL Server instance name. This parameter will perform the following three checks:
Note: Must be used alongside parameter -t s if the database cannot be detected or is not local.

Instance detection
Detects SQL Server instances. Values:
all: Detect all installed instances
SOPHOS: Detect the SQL Server instance named SOPHOS
This parameter will return the following information on all instances or on the SOPHOS instance:

-u
SQL Server username. May be required to access your SQL Server, for example in the case of SQL Server mixed authentication. Must be used with the -s and -p parameters.

-p
SQL Server password. Must be used alongside the -s and -u parameters.

-t
Values: o s n f c e
Performs a test of the environment using the values specified:
o: OS
s: SQL
n: SQL Native Client
f: .NET Framework
c: connection
e: encrypted connection

-a
Performs a check to determine whether the database connection settings can be created successfully to support TLS 1.2, then performs the database settings modification after the successful check. Used together with the -s parameter, you can specify the SQL Server instance to use in the new database settings.
Note: This parameter must be used to complete the implementation of TLS 1.2.
Note: If the certificate cannot be checked (for example, its validity cannot be verified), the connection settings will not be created unless the -c parameter is used.

-c
Switches Trust Server Certificate mode on. This parameter can be used in system check mode and in apply mode.
Note: The certificate provided by the SQL Server will be trusted even if the certificate is not valid.
This check determines whether the operating system supports the use of TLS 1.2 only. The operating system may still require updates to support TLS 1.2, as follows:
Required Registry settings
If not present create the following registry keys/values:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client "DisabledByDefault"=dword:00000000 "Enabled"=dword:00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server "DisabledByDefault"=dword:00000000 "Enabled"=dword:00000001
TLS 1.0 and TLS 1.1 must be turned off from the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client "DisabledByDefault"=dword:00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client "Enabled"=dword:00000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server "Enabled"=dword:00000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client "DisabledByDefault"=dword:00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server "DisabledByDefault"=dword:00000001
Note: The server must be restarted after making the registry changes.
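The following PowerShell script is an added example, not part of the Sophos article or of the CheckDBConnection tool: it audits the SCHANNEL registry values listed above on the local host and reports any that are missing or differ. The expected values are those given in the article, with TLS 1.1 marked DisabledByDefault=1 so that it is actually turned off as the text requires; the function name and output format are this example's own.

```powershell
# Added example (not Sophos code): audit the SCHANNEL protocol settings
# required for TLS 1.2. Run from an elevated PowerShell prompt on the
# PureMessage / SQL Server host.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state taken from the article: TLS 1.2 on for both roles,
# legacy protocols off (TLS 1.1 uses DisabledByDefault=1 so it is really off).
$Expected = @(
    @{ Protocol = 'TLS 1.2'; Role = 'Client'; Name = 'DisabledByDefault'; Value = 0 }
    @{ Protocol = 'TLS 1.2'; Role = 'Client'; Name = 'Enabled';           Value = 1 }
    @{ Protocol = 'TLS 1.2'; Role = 'Server'; Name = 'DisabledByDefault'; Value = 0 }
    @{ Protocol = 'TLS 1.2'; Role = 'Server'; Name = 'Enabled';           Value = 1 }
    @{ Protocol = 'SSL 2.0'; Role = 'Client'; Name = 'DisabledByDefault'; Value = 1 }
    @{ Protocol = 'TLS 1.0'; Role = 'Client'; Name = 'Enabled';           Value = 0 }
    @{ Protocol = 'TLS 1.0'; Role = 'Server'; Name = 'Enabled';           Value = 0 }
    @{ Protocol = 'TLS 1.1'; Role = 'Client'; Name = 'DisabledByDefault'; Value = 1 }
    @{ Protocol = 'TLS 1.1'; Role = 'Server'; Name = 'DisabledByDefault'; Value = 1 }
)

function Test-SchannelSetting {
    param([Parameter(Mandatory)][hashtable]$Setting)

    $key    = Join-Path $SchannelBase "$($Setting.Protocol)\$($Setting.Role)"
    $actual = $null
    if (Test-Path -Path $key) {
        # A value that does not exist simply yields $null here.
        $item = Get-ItemProperty -Path $key -Name $Setting.Name -ErrorAction SilentlyContinue
        if ($item) { $actual = $item.($Setting.Name) }
    }
    # A missing key or value counts as a failure: the article says to create it if absent.
    [pscustomobject]@{
        Key      = "$($Setting.Protocol)\$($Setting.Role)"
        Name     = $Setting.Name
        Expected = $Setting.Value
        Actual   = $(if ($null -eq $actual) { 'missing' } else { $actual })
        Ok       = ($null -ne $actual -and [int]$actual -eq $Setting.Value)
    }
}

$results = foreach ($s in $Expected) { Test-SchannelSetting -Setting $s }
$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) SCHANNEL value(s) need attention. Correct them, then restart the server."
} else {
    Write-Host 'SCHANNEL registry settings match the TLS 1.2 requirements.'
}
```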
This check determines whether a .NET Framework update is required to use TLS 1.2.
The required update depends on the operating system in use. It can be found under the Client component downloads section in the Microsoft guidance article TLS 1.2 support for Microsoft SQL Server.
Note: The server may request a restart after installing the update.
This check determines whether the version of SQL Server used by the SOPHOS instance supports TLS 1.2.
The required update depends on the version of SQL Server in use. It can be found under the How to know whether you need this update section in the Microsoft guidance article TLS 1.2 support for Microsoft SQL Server.
Note: As the tool cannot validate the certificate, once SQL Server has been upgraded the check will return:
(!) SQL Server instance can be configured to use TLS 1.2
This check determines whether the TCP/IP protocol is enabled for the SQL Server Instance (by default SOPHOS). To enable TCP/IP:
This check determines whether there is an installed certificate that can be used with SQL Server. This will be either a certificate you have created yourself or one you have bought from a Certificate Authority. This is not something that can be provided by Sophos.
The following Microsoft article contains the certificate requirements and configuration options required to install the certificate.
The following Sophos article provides information on how you can create your own certificate.
In addition, you need to grant the Log On As account of the SQL Server (<INSTANCENAME>) service Read permission on the certificate being used. The following steps use the default instance name SOPHOS:
This check determines whether the installed Native Client library supports TLS 1.2.
The required update depends on the version of SQL Server in use. It can be found under the Client component downloads section in the Microsoft guidance article TLS 1.2 support for Microsoft SQL Server.
Note: If accessing the SQL Server Native Client (for SQL Server 2012 and SQL Server 2014) component link in the Microsoft article, the available msi downloads are listed as amd64 and x86. The amd64 download should be selected if you are installing to an x64 operating system.
Note: If more than one SQL Server Native Client library can be found, the tool will check the TLS 1.2 capabilities of the latest library.