This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SEC 5.5.1 and SQL Server configuration for TLS 1.2

Hello,

i want to update from SEC 5.5.0 to SEC 5.5.1 and I have fixed these Problems

with some SQL-Updates:

and the status quo is now:

 

But i don't know on which last screw i have to turn to fix the last problem.

It is necessary to make these registry settings on Windows Server 2016 Standard?

 

Required Registry settings

If not present create the following registry keys/values:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:0000000

 

Because there are not present in the moment:

Thank your for Answer.



This thread was automatically locked due to age.
Parents
  • Hello JoaSee,

    first of all (as other will also read this), it seems that it's mistakenly assumed that a TLS 1.2 connection to the database is a requirement for SEC 5.5.1 - it isn't.

    I think that the check doesn't take the OS version into account but simply and unconditionally verifies the existence of the mentioned keys (which do no harm if present in a higher version OS but are required for 2008).

    Though I think there's an error (copy/paste error) in the article:
    TLS 1.2\Server
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:0000000
    Zero means not enabled, an explicit Enabled=0 wouldn't make much sense, would it? And note there are only seven digits thus apparently the significant 1 hasn't been picked up.

    Christian

  • This is essentially the same post as I.  I raised a case two weeks ago.  And Sophos emailed me the link to the upgrade's instructions from 5.5.0.to 5.5.1 ..  Wouaw !!! I'm impressed !!!  Particularly when knowing I attached to the case all documents showing SQL Server version, Registry keys, and everything that shows clearly I have gone through these steps already.

    That said, with TLS 1.0 ON all other OFF, TLS 1.1 ON and all other OFF, TLS 1.2 ON and all other OFF, or any other combination, the install will still fail.

    In Microsoft explanations and examples, we often see "Enabled" value being 0xffffffff instead of 0x00000001.  Nartac software (and many others) sets to that reg key to 0xffffffff as well.  I have been using 0xffffffff to enable TLS 1.2 for years now. support.microsoft.com/.../how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc

    SQL 12 SP4 clearly support TLS 1.2.  So what the *** ?

    Finally, when a supplier ask users to play with registry keys, he is not up to basic standards.

  • Hello,

    i say thank you for this information.

     

     

    Greetings JoaSee

  • Nartac Software IIS Crypto can be downloaded here : https://www.nartac.com/Products/IISCrypto

     

    Support called me yesterday concerning this case.  We disabled TLS 1.0 and 1.1.  With values 0 and 1, and no "ffffffff".

    Everything blew up and the server froze in the end.

    Normaly, we do not need to disable TLS 1.0 and 1.1.  Programs written with competence will select TLS 1.2 by default and downgrade to 1.1 and 1.0 if need be.

    If we look at TLS event logs, SEC 5.5.1 do not behave as such, and select TLS 1.0.

Reply
  • Nartac Software IIS Crypto can be downloaded here : https://www.nartac.com/Products/IISCrypto

     

    Support called me yesterday concerning this case.  We disabled TLS 1.0 and 1.1.  With values 0 and 1, and no "ffffffff".

    Everything blew up and the server froze in the end.

    Normaly, we do not need to disable TLS 1.0 and 1.1.  Programs written with competence will select TLS 1.2 by default and downgrade to 1.1 and 1.0 if need be.

    If we look at TLS event logs, SEC 5.5.1 do not behave as such, and select TLS 1.0.

Children