TLS 1.2 Implementation Validation



























I have a validation question regarding implementation of TLS 1.2.



What tools, scripts, processes, etc. can be used to validate that TLS 1.2 is working when clients, web servers, and SQL Servers are communicating with each other?



Do I need to perform network packet sniffing, run traces, use process explorer? Is there a verbose option somewhere that can be turned on with logs reviewed?



Note: if it makes a difference, the SQL Servers involved run a variety of versions: 2008R2, 2012, and 2014.










      sql-server tls-1.2














      edited Jan 23 '18 at 22:11









      RDFozz











      asked Jan 23 '18 at 20:39









      user3344488

























          1 Answer














          First, see Aaron Bertrand's answer on TLS 1.2 with older SQL Server, and/or Aaron's SentryOne blog post.

          If you're talking about the normal SQL Server connection encryption (SQL Server Configuration Manager, Force Encrypt yes), with modern SQL Server, then there are two steps:

          • SELECT encrypt_option, COUNT(*) FROM sys.dm_exec_connections GROUP BY encrypt_option;

            • If there are any FALSE results, you have unencrypted connections. Fix that.

            • If there are 100% TRUE or NULL results, continue.

          • With buy-in from and in coordination with your IT Security team, download Microsoft Message Analyzer, Microsoft's Windows packet sniffer, and watch some connections. You're looking for the ClientHello and ServerHello messages, within which you can see cipher suites offered and which one happened to be accepted.

            • It's a combination of registry and group policy changes to adjust that at the Windows OS level of your SQL Server installations.

          WATCH OUT FOR THIRD PARTY SOFTWARE

          Lots of it does NOT support TLS of ANY kind, much less TLS 1.2, either in the application, or, much more often, during one or more parts of the installation and/or upgrade process. The vendor will be clueless if you ask beforehand, and just as clueless watching it happen in front of them.






                answered Jan 24 '18 at 4:17









                Anti-weakpasswords
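
The ClientHello/ServerHello check from the answer's second step, as an added example that is not part of the original answer: a Python parser that reads the offered cipher suites from a ClientHello and the selected version and suite from a ServerHello. The function names and the sample records are constructed for illustration, the input is assumed to be raw TLS record bytes exported from a capture, and the version check uses pre-TLS 1.3 semantics (the ServerHello version field is the negotiated version).

```python
import struct

# Protocol versions as they appear on the wire.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# A few IANA-registered cipher suites, enough for the constructed samples below.
SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

def parse_hello(record: bytes) -> dict:
    """Parse one TLS record that holds a ClientHello or a ServerHello."""
    ctype, _rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    if len(record) < 5 + rec_len:
        raise ValueError("truncated record")
    hs_type = record[5]
    if hs_type not in (1, 2):
        raise ValueError("not a ClientHello/ServerHello")
    pos = 9                                  # 5-byte record header + 4-byte handshake header
    (version,) = struct.unpack_from("!H", record, pos)
    pos += 2 + 32                            # skip version and random
    pos += 1 + record[pos]                   # skip session_id (length-prefixed)
    if hs_type == 1:                         # ClientHello: list of offered suites
        (n,) = struct.unpack_from("!H", record, pos)
        suites = list(struct.unpack_from("!%dH" % (n // 2), record, pos + 2))
        kind = "ClientHello"
    else:                                    # ServerHello: the single selected suite
        suites = list(struct.unpack_from("!H", record, pos))
        kind = "ServerHello"
    return {"kind": kind, "version": VERSIONS.get(version, hex(version)),
            "suites": [SUITES.get(s, hex(s)) for s in suites]}

def negotiated_tls12(server_hello: bytes) -> bool:
    """True only if the record is a ServerHello that selected TLS 1.2."""
    info = parse_hello(server_hello)
    return info["kind"] == "ServerHello" and info["version"] == "TLS 1.2"

def _record(hs_type: int, body: bytes) -> bytes:
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs  # record-layer version is ignored

# Constructed samples (not captured traffic): zero random, empty session_id.
_R = bytes(32) + b"\x00"
SAMPLE_CLIENT_HELLO = _record(1, b"\x03\x03" + _R + b"\x00\x06\xc0\x30\x00\x3d\x00\x2f" + b"\x01\x00")
SAMPLE_SERVER_HELLO = _record(2, b"\x03\x03" + _R + b"\xc0\x30" + b"\x00")
SAMPLE_SERVER_HELLO_TLS10 = _record(2, b"\x03\x01" + _R + b"\x00\x2f" + b"\x00")
```

The record-layer version in the first five bytes is deliberately not used for the verdict; a ClientHello commonly carries an older value there even when TLS 1.2 is offered.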
