java Sql Server 2016: Enable TLS 1.2 for SQL Server Connection
Note: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must comply with the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/48834528/
Sql Server 2016: Enable TLS 1.2 for SQL Server Connection
Asked by RanPaul
I've SQL Server 2016 running on Windows 2012 R2 and I applied the patch for TLSv1.2 support and rebooted the VM (https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server). I do see TLS 1.2 being enabled using the IISCrypto tool on the SQL Server VM.
We have a Java 8 web application and we've forced the web application to use only TLS1.2 using the JVM argument -Djdk.tls.client.protocols="TLSv1.2" (if I remove this JVM argument the application connects to SQL Server fine), but we are seeing the below error though TLSv1.2 is enabled for SQL Server:
org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Server chose TLSv1, but that protocol version is not enabled or not supported by the client.". ClientConnectionId:7564b6a1-60c0-4a24-8baa-7bd21f9512cf)
We also have a .Net 2.0 Windows service (only TLSv1.2 is enabled in the registry) which is also failing to connect to SQL Server 2016:
System.Data.OleDb.OleDbException: [DBNETLIB][ConnectionOpen (SECCreateCredentials()).]SSL Security error.
at System.Data.OleDb.OleDbConnectionInternal..ctor(OleDbConnectionString constr, OleDbConnection connection)
at System.Data.OleDb.OleDbConnectionFactory.CreateConnection(DbConnectionOptions options, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningObject)
at System.Data.ProviderBase.DbConnectionFactory.CreateNonPooledConnection(DbConnection owningConnection, DbConnectionPoolGroup poolGroup)
at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory)
at System.Data.OleDb.OleDbConnection.Open()
But if I enable SSL3 and TLS1.0 in the registry, the .Net 2.0 Windows service connects to SQL Server 2016 fine.
I suspect the issue is SQL Server not using TLSv1.2 though TLSv1.2 is enabled on the SQL Server VM. Can someone please help me if there is any more config or patches that need to be applied for SQL Server to support TLSv1.2?
Answered by Murat Yıldız
Microsoft Windows Server stores information about different security-enhanced channel protocols that Windows Server supports. This information is stored in the following registry key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
Typically, this key contains the following subkeys:
PCT 1.0, SSL 2.0, SSL 3.0, TLS 1.0 ...
Each key holds information about the protocol for the key. Any one of these protocols can be enabled at the server. To do this, you create a new DWORD value in the server subkey of the protocol. You set the DWORD value to "1".
Important: Back up the registry before you modify it. Then, you can restore the registry if a problem occurs.
To enable the TLS 1.x protocol follow these steps:
Click Start, click Run, type regedt32 or type regedit, and then click OK. In Registry Editor, locate the following registry key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.x\Server
On the Edit menu, click Add Value. In the Data Type list, click DWORD. In the Value Name box, type Enabled, and then click OK.
Note If this value is present, double-click the value to edit its current value.
Type 11111111 in Binary Editor to set the value of the new key equal to "1". Click OK. Restart the computer.
Hope this helps...
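The registry steps above done from PowerShell instead of regedit, as an added example that is not part of the answer: Get-SchannelProtocolState lists what every Protocols\<name>\Client and \Server subkey currently says (a missing value means the OS default applies), and Enable-SchannelProtocol writes the Enabled=1 / DisabledByDefault=0 pair for both sides of a protocol. The function names are my own; run it elevated and reboot afterwards as the answer says.

```powershell
# Added example: audit and enable SCHANNEL protocol keys without regedit.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # One row per <protocol>\<Client|Server> subkey; 'default' means the value is not set.
    Get-ChildItem -Path $SchannelProtocols -ErrorAction SilentlyContinue | ForEach-Object {
        $protocol = $_.PSChildName
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $SchannelProtocols "$protocol\$side"
            $props = if (Test-Path -LiteralPath $key) { Get-ItemProperty -LiteralPath $key } else { $null }
            [PSCustomObject]@{
                Protocol          = $protocol
                Side              = $side
                Enabled           = if ($null -ne $props.Enabled) { $props.Enabled } else { 'default' }
                DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'default' }
            }
        }
    }
}

function Enable-SchannelProtocol {
    # Creates the Client and Server subkeys if needed and writes Enabled=1, DisabledByDefault=0.
    # Supports -WhatIf so the change can be previewed; the new values take effect after a reboot.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([string]$Protocol = 'TLS 1.2')
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $SchannelProtocols "$Protocol\$side"
        if ($PSCmdlet.ShouldProcess($key, 'Set Enabled=1, DisabledByDefault=0')) {
            if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -LiteralPath $key -Name Enabled -PropertyType DWord -Value 1 -Force | Out-Null
            New-ItemProperty -LiteralPath $key -Name DisabledByDefault -PropertyType DWord -Value 0 -Force | Out-Null
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
# Preview first, then drop -WhatIf to apply and reboot:
# Enable-SchannelProtocol -Protocol 'TLS 1.2' -WhatIf
```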
Answered by toornt
Check the involved certificates. One may be invalid.
If the machines validate their certificates, try:
Registry Script for disabling stupid encryptions: Save this as .reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
You'll have to adjust your .NET Framework. If you are actually using .Net 2.0 (old!) the last two Keys should be
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
Here is a .ps1 by Chris Duck to check enabled encryptions
<#
.DESCRIPTION
Outputs the SSL protocols that the client is able to successfully use to connect to a server.
.NOTES
Copyright 2014 Chris Duck
http://blog.whatsupduck.net
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
.PARAMETER ComputerName
The name of the remote computer to connect to.
.PARAMETER Port
The remote port to connect to. The default is 443.
.EXAMPLE
Test-SslProtocols -ComputerName "www.google.com"
ComputerName : www.google.com
Port : 443
KeyLength : 2048
SignatureAlgorithm : rsa-sha1
Ssl2 : False
Ssl3 : True
Tls : True
Tls11 : True
Tls12 : True
#>
function Test-SslProtocols {
    param(
        [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$true)]
        $ComputerName,
        [Parameter(ValueFromPipelineByPropertyName=$true)]
        [int]$Port = 443
    )
    begin {
        $ProtocolNames = [System.Security.Authentication.SslProtocols] | gm -static -MemberType Property | ?{$_.Name -notin @("Default","None")} | %{$_.Name}
    }
    process {
        $ProtocolStatus = [Ordered]@{}
        $ProtocolStatus.Add("ComputerName", $ComputerName)
        $ProtocolStatus.Add("Port", $Port)
        $ProtocolStatus.Add("KeyLength", $null)
        $ProtocolStatus.Add("SignatureAlgorithm", $null)
        $ProtocolNames | %{
            $ProtocolName = $_
            $Socket = New-Object System.Net.Sockets.Socket([System.Net.Sockets.SocketType]::Stream, [System.Net.Sockets.ProtocolType]::Tcp)
            $Socket.Connect($ComputerName, $Port)
            try {
                $NetStream = New-Object System.Net.Sockets.NetworkStream($Socket, $true)
                $SslStream = New-Object System.Net.Security.SslStream($NetStream, $true)
                $SslStream.AuthenticateAsClient($ComputerName, $null, $ProtocolName, $false )
                $RemoteCertificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]$SslStream.RemoteCertificate
                $ProtocolStatus["KeyLength"] = $RemoteCertificate.PublicKey.Key.KeySize
                $ProtocolStatus["SignatureAlgorithm"] = $RemoteCertificate.SignatureAlgorithm.FriendlyName
                $ProtocolStatus["Certificate"] = $RemoteCertificate
                $ProtocolStatus.Add($ProtocolName, $true)
            } catch {
                $ProtocolStatus.Add($ProtocolName, $false)
            } finally {
                $SslStream.Close()
            }
        }
        [PSCustomObject]$ProtocolStatus
    }
}
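A way to verify that a .reg script like the one in this answer actually landed in the registry before rebooting the SQL Server host, as an added example that is not part of the answer: ConvertFrom-RegFile parses the [key] / "name"=dword lines of the file, and Test-RegDrift compares each entry with the live value. Both function names are my own; the embedded sample is a constructed two-line excerpt so the parser can be tried offline.

```powershell
# Added example: parse a SCHANNEL .reg file and report per entry whether the live registry matches.
function ConvertFrom-RegFile {
    # Yields one object per "name"=dword:xxxxxxxx line, tagged with the [key] section it sits under.
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    $key = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $key = $Matches[1]; continue }
        if ($key -and $t -match '^"([^"]+)"=dword:([0-9a-fA-F]{8})$') {
            [PSCustomObject]@{ Key = $key; Name = $Matches[1]; Value = [Convert]::ToInt32($Matches[2], 16) }
        }
    }
}

function Test-RegDrift {
    # Compares each parsed entry with the live registry; run this on the SQL Server host itself.
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    foreach ($e in ConvertFrom-RegFile -Lines $Lines) {
        $psPath = 'Registry::' + $e.Key
        $actual = $null
        if (Test-Path -LiteralPath $psPath) {
            $actual = (Get-ItemProperty -LiteralPath $psPath -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        }
        [PSCustomObject]@{
            Key      = $e.Key
            Name     = $e.Name
            Expected = $e.Value
            Actual   = $actual
            State    = if ($null -eq $actual) { 'MISSING (OS default applies)' } elseif ($actual -eq $e.Value) { 'OK' } else { 'DRIFT' }
        }
    }
}

# Constructed sample (an excerpt of the TLS 1.2 server entries) to exercise the parser offline:
$SampleReg = @'
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
'@ -split "`r?`n"
ConvertFrom-RegFile -Lines $SampleReg | Format-Table -AutoSize

# On the server, check the real file you imported (path is a placeholder):
# Test-RegDrift -Lines (Get-Content 'C:\path\to\tls12-only.reg') | Format-Table -AutoSize
```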