我在SQL server 2016
上运行windows 2012 R2
并且我应用了TLSv1.2支持补丁并重新启动了虚拟机,https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server我确实看到在SQL Server VM上使用IISCrypto
工具启用了TLS 1.2
我们有Java 8 Web应用程序,我们强制Web应用程序仅使用TLS1.2使用JVM参数-Djdk.tls.client.protocols="TLSv1.2"
(如果我删除此JVM参数应用程序连接到sql server罚款),但我们看到下面的错误虽然启用了TLSv1.2
SQL服务器
org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Server chose TLSv1, but that protocol version is not enabled or not supported by the client.". ClientConnectionId:7564b6a1-60c0-4a24-8baa-7bd21f9512cf)
我们还有一个.Net 2.0
Windows服务(只有TLSv1.2在注册表中启用),它也无法连接到SQL Server 2016
System.Data.OleDb.OleDbException: [DBNETLIB][ConnectionOpen (SECCreateCredentials()).]SSL Security error.
at System.Data.OleDb.OleDbConnectionInternal..ctor(OleDbConnectionString constr, OleDbConnection connection)
at System.Data.OleDb.OleDbConnectionFactory.CreateConnection(DbConnectionOptions options, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningObject)
at System.Data.ProviderBase.DbConnectionFactory.CreateNonPooledConnection(DbConnection owningConnection, DbConnectionPoolGroup poolGroup)
at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory)
at System.Data.OleDb.OleDbConnection.Open()
但是,如果我在注册表中启用SSL3和TLS1.0,.Net 2.0
Windows服务可以很好地连接到SQL Server 2016。
我怀疑,问题是SQL Server没有使用TLSv1.2
虽然在SQL Server VM上启用了TLSv1.2
,如果有更多的配置或补丁需要应用于SQL Server以支持TLSv1.2
,有人可以帮助我吗?
Microsoft Windows Server存储有关Windows Server支持的不同安全性增强通道协议的信息。此信息存储在以下注册表项中:
HKEY_LOCAL_MACHINE \系统\ CurrentControlSet \控制\ SecurityProviders \ SCHANNEL \协议
通常,此键包含以下子项:
PCT 1.0,SSL 2.0,SSL 3.0,TLS 1.0 ......
每个密钥都包含有关密钥协议的信息。可以在服务器上启用这些协议中的任何一个。为此,您需要在协议的服务器子项中创建新的DWORD值。您将DWORD值设置为“1”。
重要说明:在修改注册表之前备份注册表。然后,您可以在出现问题时还原注册表。
要启用TLS 1.x协议,请执行以下步骤:
单击“开始”,单击“运行”,键入regedt32或键入regedit,然后单击“确定”。在注册表编辑器中,找到以下注册表项:
HKey_Local_Machine \ System \ CurrentControlSet \ Control \ SecurityProviders \ SCHANNEL \ Protocols \ TLS 1.x \ Server
在“编辑”菜单上,单击“添加值”。在“数据类型”列表中,单击“DWORD”。在“值名称”框中,键入“已启用”,然后单击“确定”。
注意如果存在此值,请双击该值以编辑其当前值。
在二进制编辑器中键入11111111,将新键的值设置为“1”。单击确定。重新启动计算机。
希望这可以帮助...
检查相关的证书。一个人可能无效。
如果计算机验证其证书,请尝试:
用于禁用愚蠢加密的注册表脚本:将其另存为.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
您必须调整.NET Framework。如果你实际上使用.Net 2.0(旧!),最后两个键应该是
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
这是Chris Duck的.ps1来检查启用的加密
<#
.DESCRIPTION
Outputs the SSL protocols that the client is able to successfully use to connect to a server.
.NOTES
Copyright 2014 Chris Duck
http://blog.whatsupduck.net
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
.PARAMETER ComputerName
The name of the remote computer to connect to.
.PARAMETER Port
The remote port to connect to. The default is 443.
.EXAMPLE
Test-SslProtocols -ComputerName "www.google.com"
ComputerName : www.google.com
Port : 443
KeyLength : 2048
SignatureAlgorithm : rsa-sha1
Ssl2 : False
Ssl3 : True
Tls : True
Tls11 : True
Tls12 : True
#>
function Test-SslProtocols {
param(
[Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$true)]
$ComputerName,
[Parameter(ValueFromPipelineByPropertyName=$true)]
[int]$Port = 443
)
begin {
$ProtocolNames = [System.Security.Authentication.SslProtocols] | gm -static -MemberType Property | ?{$_.Name -notin @("Default","None")} | %{$_.Name}
}
process {
$ProtocolStatus = [Ordered]@{}
$ProtocolStatus.Add("ComputerName", $ComputerName)
$ProtocolStatus.Add("Port", $Port)
$ProtocolStatus.Add("KeyLength", $null)
$ProtocolStatus.Add("SignatureAlgorithm", $null)
$ProtocolNames | %{
$ProtocolName = $_
$Socket = New-Object System.Net.Sockets.Socket([System.Net.Sockets.SocketType]::Stream, [System.Net.Sockets.ProtocolType]::Tcp)
$Socket.Connect($ComputerName, $Port)
try {
$NetStream = New-Object System.Net.Sockets.NetworkStream($Socket, $true)
$SslStream = New-Object System.Net.Security.SslStream($NetStream, $true)
$SslStream.AuthenticateAsClient($ComputerName, $null, $ProtocolName, $false )
$RemoteCertificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]$SslStream.RemoteCertificate
$ProtocolStatus["KeyLength"] = $RemoteCertificate.PublicKey.Key.KeySize
$ProtocolStatus["SignatureAlgorithm"] = $RemoteCertificate.SignatureAlgorithm.FriendlyName
$ProtocolStatus["Certificate"] = $RemoteCertificate
$ProtocolStatus.Add($ProtocolName, $true)
} catch {
$ProtocolStatus.Add($ProtocolName, $false)
} finally {
$SslStream.Close()
}
}
[PSCustomObject]$ProtocolStatus
}
}