
SEC 5.5.1 and SQL Server configuration for TLS 1.2

Hello,

I want to update from SEC 5.5.0 to SEC 5.5.1 and I have fixed these problems

with some SQL updates:

and the status quo is now:

But I don't know which last screw I have to turn to fix the last problem.

Is it necessary to make these registry settings on Windows Server 2016 Standard?

Required Registry settings

If not present create the following registry keys/values:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:0000000

 

Because they are not present at the moment:

Thank you for your answer.



  • Hello JoaSee,

    first of all (as others will also read this), it seems that it's mistakenly assumed that a TLS 1.2 connection to the database is a requirement for SEC 5.5.1 - it isn't.

    I think that the check doesn't take the OS version into account but simply and unconditionally verifies the existence of the mentioned keys (which do no harm if present in a higher version OS but are required for 2008).

    Though I think there's an error (copy/paste error) in the article:
    TLS 1.2\Server
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:0000000
    Zero means not enabled, an explicit Enabled=0 wouldn't make much sense, would it? And note there are only seven digits thus apparently the significant 1 hasn't been picked up.

    Christian
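The registry settings quoted in the question, and the seven-digit `Enabled` value Christian points out, can be checked and corrected with a script like the following. This is an added example, not code from the Sophos article or from anyone in this thread; it assumes the SCHANNEL key paths as quoted above and that it is run from an elevated PowerShell on the SQL Server host.

```powershell
# Added example, not code from the Sophos article or from anyone in this thread.
# Audits the SCHANNEL protocol keys named in the question and, with -Fix, creates
# the TLS 1.2 Client/Server keys with Enabled=1 and DisabledByDefault=0 (the
# corrected values, not the seven-digit "0000000" shown in the article).
# Run from an elevated PowerShell; SCHANNEL reads these keys at boot, so reboot after -Fix.
param([switch]$Fix)

$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols = 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)
    $Path = Join-Path $Base "$Protocol\$Side"
    $Enabled = $null; $Disabled = $null
    if (Test-Path $Path) {
        $Props    = Get-ItemProperty -Path $Path
        $Enabled  = $Props.Enabled            # $null when the value is absent
        $Disabled = $Props.DisabledByDefault
    }
    # Microsoft examples and tools such as IIS Crypto write 0xffffffff rather than 1
    # for Enabled; PowerShell reads that DWORD back as -1, so treat any nonzero as "on".
    $State = if ($null -eq $Enabled) { 'key/value missing (OS default applies)' }
             elseif ($Enabled -ne 0 -and $Disabled -eq 0) { 'enabled' }
             elseif ($Enabled -ne 0) { 'enabled, but not offered by default' }
             else { 'disabled' }
    [pscustomobject]@{
        Protocol = $Protocol; Side = $Side
        Enabled = $Enabled; DisabledByDefault = $Disabled; State = $State
    }
}

function Enable-SchannelTls12 {
    foreach ($Side in 'Client', 'Server') {
        $Path = Join-Path $Base "TLS 1.2\$Side"
        New-Item -Path $Path -Force | Out-Null   # creates the key if it does not exist
        New-ItemProperty -Path $Path -Name 'Enabled' -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $Path -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

if ($Fix) { Enable-SchannelTls12 }

# Report Client and Server state for each protocol so a missing key or a
# mistyped value is visible before the SEC installer checks for it.
$Results = foreach ($P in $Protocols) {
    foreach ($S in 'Client', 'Server') { Get-SchannelProtocolState -Protocol $P -Side $S }
}
$Results | Format-Table -AutoSize
```

Run without `-Fix` first to see the current state; only the TLS 1.2 keys are written, so TLS 1.0 and 1.1 stay as they are.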

  • This is essentially the same post as mine.  I raised a case two weeks ago.  And Sophos emailed me the link to the upgrade instructions from 5.5.0 to 5.5.1 ..  Wow !!! I'm impressed !!!  Particularly when knowing I attached to the case all documents showing SQL Server version, registry keys, and everything that shows clearly I have gone through these steps already.

    That said, with TLS 1.0 ON all other OFF, TLS 1.1 ON and all other OFF, TLS 1.2 ON and all other OFF, or any other combination, the install will still fail.

    In Microsoft explanations and examples, we often see the "Enabled" value being 0xffffffff instead of 0x00000001.  Nartac software (and many others) sets that reg key to 0xffffffff as well.  I have been using 0xffffffff to enable TLS 1.2 for years now. support.microsoft.com/.../how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc

    SQL 12 SP4 clearly supports TLS 1.2.  So what the *** ?

    Finally, when a supplier asks users to play with registry keys, he is not up to basic standards.

  • Hello,

    I say thank you for this information.

    Greetings JoaSee

  • Nartac Software IIS Crypto can be downloaded here : https://www.nartac.com/Products/IISCrypto

    Support called me yesterday concerning this case.  We disabled TLS 1.0 and 1.1.  With values 0 and 1, and no "ffffffff".

    Everything blew up and the server froze in the end.

    Normally, we do not need to disable TLS 1.0 and 1.1.  Programs written with competence will select TLS 1.2 by default and downgrade to 1.1 and 1.0 if need be.

    If we look at TLS event logs, SEC 5.5.1 does not behave as such, and selects TLS 1.0.

  • ->  Programs written with competence will select TLS 1.2 by default and downgrade to 1.1 and 1.0 if need be.

    We no longer want the ability to downgrade, that needs to be eliminated.  This product needs a floor of TLS 1.2 and it shouldn't be this hard, especially for a security product.

  • Yes.  But keep in mind I have written this in 2018 ...

    Paul Jr
