SQL Server support for TLS 1.2 - Read This First!

Updated March 3, 2016

At the end of January, Microsoft announced that TLS 1.2 would now be supported in specific builds of SQL Server 2008, 2008 R2, 2012, and 2014. Personally, I was pleasantly surprised to see this support back-ported to 2008 and 2008 R2; I was convinced that those customers would just be urged to upgrade if TLS coverage was that important to them. So this is great news.

Before you rush out and deploy, though, there are a few issues you should be aware of.

  • UPDATE March 2, 2016 – if you were looking for the downloads to apply to 2008 or 2008 R2 after February 13th, you would have only found the patches for SQL Native Client (they have "SNAC" in the name). This was because the patches were pulled due to an issue involving sporadic service termination. This issue has been addressed, and the downloads have now been restored. Here is what had been posted on the official release services blog post on February 13th:

    Update: February 13, 2016: We have two customers that have reported unexpected service terminations for SQL Server 2008 and SQL Server 2008 R2 after installing the above updates. We are actively working on investigating the reported issues. Although the service terminations have not been conclusively correlated to this update, till the root cause is identified we are being proactive and disabling the downloads for both SQL Server 2008 and SQL Server 2008 R2. If you have an affected environment, please uninstall the installed update.

    Today, this update appeared, so it seems safe to go back into the water:

    Update: March 2, 2016: […] The following SQL Server database engine versions are affected by the intermittent service termination issue that is reported in KB3146034. For customers to protect themselves from the service termination issue, we recommend that they install the TLS 1.2 updates for Microsoft SQL Server that are mentioned in this article if their SQL Server version is listed in the following table.

    [For x86 and x64, the post lists 10.0.6543 and 10.50.6537. IA-64 builds are also listed.]

  • UPDATE February 22, 2016 – If you are running SQL Server 2014 and are on a CU path, new Cumulative Updates have been released for both RTM and SP1 that address the encrypted endpoint issues mentioned in KB #3135852.
  • UPDATE February 18, 2016 – If you are running SQL Server 2008 or 2008 R2, a problem has surfaced after the application of the latest updates. As a result, the downloads for those versions have been pulled, and a fix is being investigated. I missed an update to
  • If you are running SQL Server 2014, using encrypted endpoints for Availability Groups, Database Mirroring, or Service Broker, and are not eligible for the GDR updates (in other words, you are already at a build higher than 12.0.4219 for SP1 or 12.0.2271 for RTM), you should not rush out and deploy TLS 1.2. There is a known issue reported in KB #3135852 – for the CU branches of SQL Server 2014, this issue has been addressed in RTM CU #12 and SP1 CU #5 (see this post for more details). The Knowledge Base article doesn't currently address this point, because changes to KBs have a lot of red tape (the blog post has been updated to warn about this issue).
  • You might find that SQL Server Agent will not start after you disable the older protocols so that only TLS 1.2 is enabled. The fix, according to Amit Banerjee, is to install the updated SQL Server Native Client drivers for your operating system from KB #3135244. You should do that anyway.
  • Management Studio and other client tools might be unable to connect. Amit Banerjee (again!) tells us that the fix is to install the proper .NET framework hotfix, again from KB #3135244. You should do that anyway.
  • If you are trying to get IIS and SQL Server to communicate using only TLS 1.2 on the same box, you might have to abandon that plan and move IIS, at least according to this answer on dba.stackexchange (he also left some details on this post).
  • To avoid most of these issues, just update SQL Server Native Client, ODBC/JDBC, and .NET Framework hotfixes on all clients that will ever come into contact with SQL Server instances where TLS 1.2 is enabled. Or on all machines period. Again, you can get these fixes from KB #3135244.

Decision Matrix

It seems straightforward, but as of today, not all builds will enable you to rush out and convert to TLS 1.2 exclusively. Here is what I suggest for each set of builds (in addition to patching .NET Framework, SQL Server Native Client, ODBC, and JDBC on all machines):

SQL Server 2014 Service Pack 1
  • 12.0.4416 through 12.0.4438: You are on a CU path. Apply Cumulative Update #5.
  • 12.0.4050 through 12.0.4218: You are on SP1 RTM or the SP1 GDR path. For full support now, install the SP1 GDR TLS 1.2 Update (12.0.4219). I would opt for Cumulative Update #5 instead, especially if the encrypted endpoint issue above might affect you.

SQL Server 2014 RTM
  • 12.0.2546 through 12.0.2563: You are on a CU path. Apply Cumulative Update #12.
  • 12.0.2342 through 12.0.2545: You are on a CU path but have no TLS 1.2 support. You can add that support by moving to a later CU (CU #8, #9, #10, #11, or #12); I recommend Cumulative Update #12.
  • 12.0.2000 through 12.0.2270: You are on RTM or the RTM GDR path. For full support now, install the RTM GDR TLS 1.2 Update (12.0.2271). I would opt for Cumulative Update #12 instead, especially if the encrypted endpoint issue above might affect you.

SQL Server 2012 Service Pack 3
  • 11.0.6216 through 11.0.6518: You have full support for TLS 1.2.
  • 11.0.6020 through 11.0.6215: You have a choice; install the SP3 GDR TLS 1.2 Update (11.0.6216) or apply SP3 Cumulative Update #1 (11.0.6518). I prefer the cumulative update, especially given Microsoft's new stance on CUs and the fact that you get more fixes for the same level of regression testing.

SQL Server 2012 Service Pack 2
  • 11.0.5644: You have full support for TLS 1.2.
  • 11.0.5353 through 11.0.5643: For full support, apply SP2 Cumulative Update #10 (11.0.5644).
  • 11.0.5058 through 11.0.5351: You have a choice; install the SP2 GDR TLS 1.2 Update (11.0.5352), when it is published again, or apply SP2 Cumulative Update #10 (11.0.5644). I prefer the cumulative update, for the same reasons as above.

SQL Server 2012 RTM & Service Pack 1
  • 11.0.2100 through 11.0.5057: Your only choice for TLS 1.2 support is to move to Service Pack 2 or, preferably, Service Pack 3, and then apply the TLS update.

SQL Server 2008 R2 Service Pack 3
  • 10.50.6000 through 10.50.6541: For full support, apply the SP3 TLS 1.2 Update (10.50.6542).

SQL Server 2008 R2 RTM, Service Pack 1, and Service Pack 2
  • 10.50.1600 through 10.50.5999: Your only choice for TLS 1.2 support is to move to Service Pack 3 and then apply the TLS update.

SQL Server 2008 Service Pack 4
  • 10.0.6000 through 10.0.6546: For full support, apply the SP4 TLS 1.2 Update (10.0.6547).

SQL Server 2008 RTM, Service Pack 1, Service Pack 2, and Service Pack 3
  • 10.0.1600 through 10.0.5999: Your only choice for TLS 1.2 support is to move to Service Pack 4 and then apply the TLS update.

Running 2008 or 2008 R2 on Itanium (IA-64)? See KB #3135244 for download links.

Don't see your build in any of the above ranges? Please let me know in the comments below.
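To apply the matrix to more than a handful of instances, here is an added PowerShell example (mine, not part of the post) that encodes the ranges above and returns the recommendation for a build string pasted from SERVERPROPERTY('ProductVersion') or from a full @@VERSION banner, which is the form most people paste in the comments. Rows marked "inferred" are the target builds the matrix tells you to install; the page lists them only as destinations, so treating a server already on one of them as done is my assumption, as is reading the 10.0.6543 and 10.50.6537 builds from the March 2 note as the ones hit by the KB3146034 service termination issue. The sample strings at the bottom are constructed.

```powershell
# Added example, not from the post. Windows PowerShell 3.0 or later.
# Each row is an inclusive build range and the matrix's advice for it.
# "(inferred)" rows are my assumption: the matrix's own target builds.
$TlsMatrix = @(
    # SQL Server 2014 SP1
    @{ Min='12.0.4439'; Max='12.0.4439'; Branch='2014 SP1 CU5';                 Action='Full TLS 1.2 support (inferred)' },
    @{ Min='12.0.4416'; Max='12.0.4438'; Branch='2014 SP1 CU path';             Action='Apply SP1 Cumulative Update #5' },
    @{ Min='12.0.4219'; Max='12.0.4219'; Branch='2014 SP1 GDR TLS update';      Action='Full TLS 1.2 support (inferred)' },
    @{ Min='12.0.4050'; Max='12.0.4218'; Branch='2014 SP1 RTM / GDR path';      Action='Install SP1 GDR TLS 1.2 Update (12.0.4219), or preferably SP1 CU5, especially with encrypted endpoints' },
    # SQL Server 2014 RTM
    @{ Min='12.0.2564'; Max='12.0.2564'; Branch='2014 RTM CU12';                Action='Full TLS 1.2 support (inferred)' },
    @{ Min='12.0.2546'; Max='12.0.2563'; Branch='2014 RTM CU path';             Action='Apply RTM Cumulative Update #12' },
    @{ Min='12.0.2342'; Max='12.0.2545'; Branch='2014 RTM CU path, no TLS 1.2'; Action='Move to a later CU; CU #12 recommended' },
    @{ Min='12.0.2271'; Max='12.0.2271'; Branch='2014 RTM GDR TLS update';      Action='Full TLS 1.2 support (inferred)' },
    @{ Min='12.0.2000'; Max='12.0.2270'; Branch='2014 RTM / GDR path';          Action='Install RTM GDR TLS 1.2 Update (12.0.2271), or preferably RTM CU12, especially with encrypted endpoints' },
    # SQL Server 2012
    @{ Min='11.0.6216'; Max='11.0.6518'; Branch='2012 SP3';                     Action='Full TLS 1.2 support' },
    @{ Min='11.0.6020'; Max='11.0.6215'; Branch='2012 SP3';                     Action='Install SP3 GDR TLS 1.2 Update (11.0.6216) or, preferably, SP3 CU1 (11.0.6518)' },
    @{ Min='11.0.5644'; Max='11.0.5644'; Branch='2012 SP2 CU10';                Action='Full TLS 1.2 support' },
    @{ Min='11.0.5353'; Max='11.0.5643'; Branch='2012 SP2 CU path';             Action='Apply SP2 Cumulative Update #10 (11.0.5644)' },
    @{ Min='11.0.5352'; Max='11.0.5352'; Branch='2012 SP2 GDR TLS update';      Action='Full TLS 1.2 support (inferred)' },
    @{ Min='11.0.5058'; Max='11.0.5351'; Branch='2012 SP2';                     Action='Install SP2 GDR TLS 1.2 Update (11.0.5352, when republished) or, preferably, SP2 CU10 (11.0.5644)' },
    @{ Min='11.0.2100'; Max='11.0.5057'; Branch='2012 RTM / SP1';               Action='Move to SP2 or, preferably, SP3, then apply the TLS update' },
    # SQL Server 2008 R2
    @{ Min='10.50.6542'; Max='10.50.6542'; Branch='2008 R2 SP3 TLS update';     Action='Full TLS 1.2 support (inferred)' },
    @{ Min='10.50.6537'; Max='10.50.6537'; Branch='2008 R2 SP3, January TLS build'; Action='Listed as affected by the KB3146034 service termination issue; apply the re-released SP3 TLS 1.2 Update (10.50.6542)' },
    @{ Min='10.50.6000'; Max='10.50.6541'; Branch='2008 R2 SP3';                Action='Apply SP3 TLS 1.2 Update (10.50.6542)' },
    @{ Min='10.50.1600'; Max='10.50.5999'; Branch='2008 R2 RTM / SP1 / SP2';    Action='Move to SP3, then apply the TLS update' },
    # SQL Server 2008
    @{ Min='10.0.6547'; Max='10.0.6547'; Branch='2008 SP4 TLS update';          Action='Full TLS 1.2 support (inferred)' },
    @{ Min='10.0.6543'; Max='10.0.6543'; Branch='2008 SP4, January TLS build';  Action='Listed as affected by the KB3146034 service termination issue; apply the re-released SP4 TLS 1.2 Update (10.0.6547)' },
    @{ Min='10.0.6000'; Max='10.0.6546'; Branch='2008 SP4';                     Action='Apply SP4 TLS 1.2 Update (10.0.6547)' },
    @{ Min='10.0.1600'; Max='10.0.5999'; Branch='2008 RTM / SP1 / SP2 / SP3';   Action='Move to SP4, then apply the TLS update' }
)

function Get-TlsUpdateRecommendation {
    param([Parameter(Mandatory)][string]$ProductVersion)

    # Take the first major.minor.build triple; this drops the trailing ".0"
    # of ProductVersion and ignores the prose around the build in @@VERSION.
    # Three parts only, because [version]'10.50.6542.0' compares greater
    # than [version]'10.50.6542' and would miss the single-build rows.
    if ($ProductVersion -notmatch '(\d+)\.(\d+)\.(\d+)') {
        throw "Not a SQL Server build string: '$ProductVersion'"
    }
    $build = [version]('{0}.{1}.{2}' -f $Matches[1], $Matches[2], $Matches[3])

    foreach ($row in $TlsMatrix) {
        if ($build -ge [version]$row.Min -and $build -le [version]$row.Max) {
            return [pscustomobject]@{ Build = $build.ToString(); Branch = $row.Branch; Action = $row.Action }
        }
    }
    [pscustomobject]@{ Build = $build.ToString(); Branch = 'not in matrix'; Action = 'Build not covered above; ask in the comments' }
}

# Constructed sample inputs: two raw ProductVersion values and one @@VERSION banner.
$samples = @(
    '10.50.6542.0',
    '12.0.4416.0',
    'Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64) Apr 2 2010 15:48:46 Standard Edition (64-bit)'
)
$samples | ForEach-Object { Get-TlsUpdateRecommendation -ProductVersion $_ } | Format-Table -AutoSize -Wrap
```

Feed it the output of `SELECT SERVERPROPERTY('ProductVersion');` from each instance (for example via Invoke-Sqlcmd or a central inventory) and you get one row per server telling you which branch it is on and what to apply. The single-build rows for 10.0.6543 and 10.50.6537 are worth keeping even after the re-release: a server on one of them looks patched at a glance but is the build the March 2 note says to replace.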

Comments (32)

                  • Kailas Nirukhe says:

                    Following is my SQL version
                    Microsoft SQL Server 2008 R2 (RTM) – 10.50.1600.1 (X64) Apr 2 2010 15:48:46 Copyright (c) Microsoft Corporation Standard Edition (64-bit) on Windows NT 6.0 (Build 6002: Service Pack 2)

                    Please guide me to enable TLS 1.2 which SP or TLS update needs to install
                    Thank you.

                    Kailas

                  • Rob says:

                    I have raised a Connect Item requesting the TLS version be exposed through SQL dmvs. This will hopefully make it a bit easier to track down those components, clients and applications using the old version of the protocol.
                    https://connect.microsoft.com/SQLServer/feedback/details/3134576

                  • Randall says:

                    The error I get is "No process is on the other end of the pipe. "

                  • Randall says:

                    I have Microsoft SQL Server 2008 R2 (SP3-OD) (KB3144114) – 10.50.6542.0 (X64) Feb 22 2016 18:07:23 Copyright (c) Microsoft Corporation Standard Edition (64-bit) on Windows NT 6.1 (Build 7600: ) (Hypervisor) after installing SP3 but when I shut down TLS 1.0 and reboot SQL Server does not start back up. Is there something else I need to do?

                  • Aaron Bertrand says:

                    I don't think a TLS update would prevent SQL Server from starting back up. You might want to post any errors you see in the event log to the MSDN forums or open a case with product support (though I don't know how much support you can still get for 2008 R2).

                  • dal says:

                    have SQL Server 2008 R2 SP2, not on the list. Do you have something for that SP?

                  • Aaron Bertrand says:

                    R2 SP2 is certainly in the list. And sorry, your only choice is to upgrade to SP3. Look for this text:

                    "Your only choice for TLS 1.2 support is to move to Service Pack 3 and then apply the TLS update."

                  • Jennifer says:

                    Sorry, it is "SSL Security error", not "SSL certification error".

                  • karthik says:

                    Team
                    I have SQL Server 2008 RTM, I got a vulnerability to enable TLS 1.2 on port 1433
                    below are the details Product version: Microsoft SQL Server 2008 (RTM) – 10.0.1600.22 (x64) Product level: RTM Product Edition: Express edition (64-bit)

                    1. SQL Server 2008 RTM to SP4, whether SP4 supports Express edition 10.0.6000.29
                    2. Then I have to go for 10.0.6000 => 10.0.6547?

                    Thanks
                    karthik

                  • Jennifer says:

                    I have a Windows Server 2008 R2, it has IIS 7.0 and SQL Server 2012 installed. I have to disable TLS v1.0 to meet the company standard. I have followed the instruction above, installed SQL Server 2012, SP3, CU3, and installed ODBC driver, SQL Native Client and .NET 4.5. But after I disable TLS v1.0, I got "SSL certification error" at the open SQL connection line. Anybody knows what else I should do? I have been doing research for days, still can't solve this problem. Please help.

                  • GB says:

                    Can you shed any light on how to update on SQL 2008 Express Edition, Version 10.3.5500.0?

                    We are running SQL on a Win 2012 box with IIS 7.5 and have not disabled TLS 1.0 yet…but we need to soon.

                    Any help would be appreciated.

                  • CK says:

                    Was recently surprised by all this during PCI scan.

                    Thank You so much for aggregating all this info!

                  • M says:

                    Has anyone had a SQL Server stop working when installing a patch containing the TLS 1.2 fix? I did a couple of test servers that have TLS 1.0 enabled in the registry, and I don't have issues. However, if I disable TLS 1.0, I can no longer connect (outdated .NET and SSMS).

                    If I am not specifically interested in using TLS 1.2 on existing servers, should it be relatively safe for me to deploy a CU containing the fix to all of my SQL Servers?

                  • Aaron Bertrand says:

                    If you can't patch *all* connecting clients, and aren't really interested in using TLS 1.2 in the first place, then stop disabling TLS 1.0. :-)

                    The updated builds of SQL Server make it *possible* for you to use TLS 1.2; they don't force it on you and nothing will stop working unless you do other things (like disable TLS 1.0 when it seems you are aware you need to keep using it).

                  • Seth says:

                    Hello,

                    Wondering if you have thoughts on this issue.

                    I have a server running Windows 2008 R2 Standard.

                    Also running SQL Server 2008 Standard.

                    I installed the SQL Patch to allow for TLS 1.2 (KB3144113)

                    Also I installed .Net 4.5 full install, then I installed the rollup (KB3099845) for .NET 4.5.2
                    When I disable TLS 1.0 and 1.1 I can no longer connect using SSMS.

                    The SQL Server service is started and running, so I know it is working properly with the TLS 1.2 patch.

                    But SSMS is not working.

                    I have verified and added the proper registry keys per MS web page here: https://support.microsoft.com/en-us/kb/3135244#bookmark-clientdl

                    After all that did not work, I installed .NET 4.6.1 and still am getting the same error.

                    SSMS will not connect, but SQL Server service is running fine.

                    Any ideas?

                    Thanks

                  • Chris Wood says:

                    Seth,

                    That's what I am seeing too. I upgraded my SQL2008R2 running on W2K8R2, disabled TLS 1.0 and had 3099845 installed. SQL runs but SSMS, on the server, cannot connect. I have told Microsoft this.

                    Chris

                  • Chris Wood says:

                    Just had the NF 3.5/2.0 fix 3106991 installed and now I can use SSMS, on the server, and it works. I tried to have the NF 4 hotfix installed but because of how NF 4 changed things it wouldn't install.
                    So the answer looks like you need all the NF fixes that apply.

                    Chris

                  • Seth says:

                    Thanks for the update.
                    I guess I can try one of the other .NET patches….but I am running 4.5.2
                    Hmmm….

                  • Seth says:

                    Very odd, but I installed the .NET framework 3.5/2.0 patch and that seems to have worked.
                    Don't know why, but I will take it.

                  • Aaron Bertrand says:

                    I think it may have to do with the fact that most versions of SSMS out there still have an inherent dependency on 3.5. Again, I think it's just a good idea to apply all the patches (that will let you), rather than play whack-a-mole.

                  • Chris Wood says:

                    Aaron,

                    The article mentions 3 hotfixes for NF 4.5/4.5.1/4.5.2 3099842/3099844 and 3099845. Are all of these needed to be installed?

                    Thanks

                    Chris

                  • Aaron Bertrand says:

                    I don't know specifically, but I would lean toward yes.

                  • Seth says:

                    On the one server I got things working on, no you don't install all 3.
                    Just the one specific to your environment.

                  • Aaron Bertrand says:

                    I suspect many have more than one framework installed, but yeah, if you don't have 4.5.2, there's clearly no need to install a 4.5.2 hotfix (and I'm not sure if the installer would even allow you to try). My point was more to not patch only one specific version of the framework because that's what your app is using now…

                  • JM says:

                    Hi Aaron
                    Thanks for your article.
                    On a test machine, I installed the SP3 and the latest fix (security+hotfix) for SQL2008R2. So @@version is 10.50.6529.
                    Now, I installed what I've downloaded for TLS1.2: SQL2008R2_SP3_COD_SNAC_x64_1033 (https://support.microsoft.com/en-us/hotfix/kbhotfix?kbnum=3098860&kbln=en-us).
                    In fact, it is only the SQL Native Client … And when installed on the server hosting the SQL instances, the @@version is still 10.50.6529, and not 10.50.6537.
                    Is it OK? Or is the download not the right one for SQL instances?
                    Thank you for your help.

                  • Aaron Bertrand says:

                    Hi JM, please see my update to the post above; the 2008 and 2008 R2 downloads have been removed temporarily while they investigate an issue.

                  • JM says:

                    Thanks Aaron for your reply and this update.

                    It seems that TLS1.2 is causing many troubles …
                    I was starting a SQL Server patch campaign (2008R2, 2012 and 2014) in my company, but now I have too many doubts … :
                    – troubles with TLS1.2 on the server side (agent not starting, encrypted endpoints for Availability Groups problems, SSMS connection problems, …)
                    – on the client side, SQL Server Native Client, ODBC/JDBC, and .NET Framework hotfix updates are required

                    But one question. How to know if TLS1.2 is enabled on my Windows and/or SQL Servers? Is it only the presence of the registry keys in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2? Is there another parameter location for SQL Server?

                    Is TLS1.2 enabled automatically for SQL Server when we install these patches ?

                    If (and only if!) none of my Windows servers having SQL instances have these keys, does it mean that I could patch all my SQL instances with the full latest SP/CU/TLS/security fixes without problem? And without having to patch clients?

                    I've seen that there were issues about SSRS configuration tools. I don't understand if it is in all cases with these patches, or only if TLS1.2 is enabled for SQL Server?

                    I know, that's many questions, but I'm not very close to the security topics …
                    Thank you in advance for your answers if you have enough time for me ;)

                    best regards
                    JM

                  • Aaron Bertrand says:

                    I don't think you can use TLS 1.2 without updating the clients as well (and in fact I think your connection strings must change). I don't know how to get SQL Server to tell you whether TLS 1.2 is actually being used unless you've completely disabled other encryption protocols and through Configuration Manager set the connections to require encryption over the relevant protocol (e.g. TCP/IP). Right now, sys.dm_exec_connections only tells you whether a connection is encrypted or not (encrypt_option), nothing more specific. A quick glance online pointed at tools that can look at network packets, like WireShark.

                  • Amit says:

                    Depending on the version of OS that you are running, TLS 1.2 is available by default. We have documented the registry keys required for SQL Server to use TLS 1.2 in KB3135244. The recommendation is to create these keys on any Windows Server 2008 R2 and above if you want SQL Server to use TLS 1.2. The patches that you will require are:
                    1. The appropriate SQL Server database engine patches from KB3135244
                    2. The client driver patches for SQL Server Native Client, Microsoft SQL Server ODBC Driver and ADO.NET. The patch download locations are also mentioned in KB3135244. Without these you will have issues like SSMS not being able to connect, Agent not starting etc.

                    If you want SQL Server to only use TLS 1.2, then you need to disable the SSL 3.0, TLS 1.0 and other protocol registry keys using instructions in https://technet.microsoft.com/en-us/library/dn786418.aspx

                    If you need TLS 1.2 on the clients, then you need to install the above mentioned client drivers on the client machines.
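
As an added example (mine, not Amit's and not from KB3135244), here is a PowerShell script that reads the SCHANNEL protocol keys he refers to on the SQL Server host, and optionally creates the TLS 1.2 keys with the values the KB documents (Enabled=1, DisabledByDefault=0 under both Client and Server). It deliberately does not disable TLS 1.0 by default, because, as the post says, doing that before every client has the Native Client, ODBC/JDBC and .NET hotfixes is what stops Agent and SSMS from connecting; Disable-SchannelProtocol is there for when you are ready. It assumes Windows Server 2008 R2 or later with Windows PowerShell 3.0 or later, an elevated prompt, and a reboot afterwards so SCHANNEL picks up the change.

```powershell
# Added example, not from the post or KB3135244. Run elevated on the SQL host.
# SCHANNEL reads these keys at startup, so reboot after changing anything here.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Format-SchannelValue([object]$Value) {
    # Missing value = OS default; 0 = off; anything else (1 or 0xFFFFFFFF) = on
    if ($null -eq $Value) { 'default' } elseif ([int]$Value -eq 0) { 'no' } else { 'yes' }
}

function Get-SchannelProtocolState {
    # One row per protocol and side (Client = outbound connections, Server = inbound)
    foreach ($p in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $SchannelRoot "$p\$side"
            $enabled = $null; $dbd = $null
            if (Test-Path $key) {
                $props   = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $dbd     = $props.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                Enabled           = Format-SchannelValue $enabled
                DisabledByDefault = Format-SchannelValue $dbd
            }
        }
    }
}

function Set-SchannelProtocol([string]$Protocol, [int]$Enabled, [int]$DisabledByDefault) {
    # Writes both Client and Server subkeys; -Force overwrites existing values
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $SchannelRoot "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name Enabled -Value $Enabled -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -Value $DisabledByDefault -PropertyType DWord -Force | Out-Null
    }
}

# The keys KB3135244 tells you to create for TLS 1.2
function Enable-Tls12 { Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled 1 -DisabledByDefault 0 }

# The shape of the keys that turn a protocol off (Enabled=0, DisabledByDefault=1)
function Disable-SchannelProtocol([string]$Protocol) { Set-SchannelProtocol -Protocol $Protocol -Enabled 0 -DisabledByDefault 1 }

# 1. Report what is configured right now
$state = Get-SchannelProtocolState
$state | Format-Table -AutoSize

# 2. Create the TLS 1.2 keys if they are not already explicitly enabled
$tls12Missing = $state | Where-Object { $_.Protocol -eq 'TLS 1.2' -and $_.Enabled -ne 'yes' }
if ($tls12Missing) { Enable-Tls12; Write-Host 'TLS 1.2 keys created; reboot required.' }

# 3. Only warn about the older protocols. Do NOT disable them until every client
#    has the KB3135244 driver and .NET hotfixes; when that is done, run e.g.:
#    Disable-SchannelProtocol 'TLS 1.0'; Disable-SchannelProtocol 'SSL 3.0'
$older = $state | Where-Object { ('SSL 3.0', 'TLS 1.0') -contains $_.Protocol -and $_.Enabled -ne 'no' }
if ($older) { Write-Warning 'SSL 3.0 and/or TLS 1.0 are still usable on this host.' }
```

Run the report part first on a server and on a client; "default" for the TLS 1.2 rows means the OS is deciding, which is exactly the ambiguity JM asked about, and the KB's answer is to make it explicit. Keep the Client side in mind too: SQL Server Agent, linked servers and SSMS on the box are all clients of SCHANNEL, which is why the post sees Agent fail when the host only has the server-side story right.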

                  • JM says:

                    thank you Aaron and Amit for your answers.

                  • Scott says:

                    Hi Aaron, great article and very helpful. How about 10.51.2500.0 (SQL Server 2008 R2 SP1)?

                    Thank you!
                    Scott

                  • Aaron Bertrand says:

                    Scott, from the article:

                    SQL Server 2008 R2 RTM, Service Pack 1, and Service Pack 2
                    10.50.1600 => 10.50.5999 >> Your only choice for TLS 1.2 support is to move to Service Pack 3 and then apply the TLS update.

                    There is no difference between 10.50.2500 and 10.51.2500. Are you getting the latter from something other than SELECT @@VERSION;?
