ScottDuncan-5496 asked

SQL Server TLS and certificates created with ECC algorithm

We've got encrypted connections enabled for several SQL Servers. The certificates are due for renewal & our security guy is asking if SQL Server supports the ECC algorithm for the certificate (sha384ECDSA).

So the question is - does SQL Server support use of certificates created using the sha384ECDSA signature algorithm for enabling connection encryption? Or does it not matter, because that's all handled at the Windows level (or subsystem therein)?

The closest I can find to an answer is "The TLS encryption is performed within the protocol layer and is available to all supported SQL Server clients." from https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine?view=sql-server-ver15#transport-layer-security-tls. Presumably this means it doesn't matter what algorithm is used for the certificate, as long as Windows supports it.

sql-server-general

I'm hoping to do a test in the next few days (just waiting on a certificate to be issued).

Interestingly, on an unrelated SQL 2012 on Windows 2012 R2 system, I'm trying to get https connections configured for SSRS using a certificate with ECC 384-bit cipher - with no luck. Neither SSRS nor SSCM can see the certificate. Windows should be able to handle it as it has the required patch installed. Will be trying with a cert using RSA cipher from the same CA later on.

1 Vote

To get things working for SQL 2012 SSRS on Windows 2012, the certificate had to be generated in a particular way to allow for the aged systems (exact details unknown). Still using ECC cipher though. It worked for SSRS but couldn't see the certificate when trying to configure TLS for the database engine (which was not originally being done anyway, but apparently you can use the same certificate for both SSRS https & database engine TLS).

In the modern world, the ECC certificate generated for use by SQL 2019 on Windows 2019 for database engine connections worked just fine.

1 Vote

Hi,
Have a nice day! Thank you for coming back and sharing this detailed and useful information.

Best Regards,

0 Votes

1 Answer

Criszhan-msft answered

Hi,

Or does it not matter, because that's all handled at the Windows level (or subsystem therein)?

SQL Server relies on the SChannel library of Windows to determine which cipher suite to use for SSL/TLS encryption. A series of cryptographic algorithms are defined in the SChannel library for TLS/SSL key exchange, encryption and message verification. The operating systems of the SQL Server host and the client negotiate with each other through Schannel to decide which cipher suite to use. The basic principles of the negotiation are as follows:
1. First, determine the highest-level protocol (TLS/SSL) supported by both the client and SQL Server.
2. After deciding on the protocol, the client will provide a list to SQL Server, telling SQL Server all the cipher suites it supports.
3. SQL Server finds the strongest cipher suite it supports in this list.

I think SQL Server supports the use of certificates created using the sha384ECDSA signature algorithm; you may need to ensure that the SQL Server you are using supports TLS 1.2.
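Since the certificate is handled by Schannel rather than by SQL Server itself, the two things worth checking on the host are the bound certificate's signature and key algorithms and whether Schannel offers any ECDSA-authenticated cipher suites. The following PowerShell is an added example, not part of the original answer; it assumes a default SQL Server 2019 instance (instance id MSSQL15.MSSQLSERVER, adjust $InstanceId for yours), a certificate already bound through SQL Server Configuration Manager, and Windows Server 2016 or later for Get-TlsCipherSuite.

```powershell
# Added example (not from the original question or answer).
# Assumption: default SQL Server 2019 instance; change $InstanceId for named or other versions.
$InstanceId = 'MSSQL15.MSSQLSERVER'
$netlib = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceId\MSSQLServer\SuperSocketNetLib"

# 1. Thumbprint of the certificate SQL Server has been configured to present for TLS.
$thumb = (Get-ItemProperty -Path $netlib -Name Certificate).Certificate
$cert  = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -ieq $thumb }
if (-not $cert) { throw "No certificate with thumbprint '$thumb' found in LocalMachine\My" }

# 2. Signature algorithm (expect sha384ECDSA for the case discussed above) and key algorithm
#    (reported as ECC for an EC key). The SQL Server service account also needs read access
#    to the private key, so HasPrivateKey must be true.
[pscustomobject]@{
    Subject            = $cert.Subject
    SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
    PublicKeyAlgorithm = $cert.PublicKey.Oid.FriendlyName
    NotAfter           = $cert.NotAfter
    HasPrivateKey      = $cert.HasPrivateKey
} | Format-List

# 3. Cipher suites Schannel on this host can negotiate that authenticate with an ECDSA
#    certificate. If this list is empty, an ECDSA certificate cannot be used for TLS here,
#    regardless of what SQL Server version is installed.
$ecdsaSuites = Get-TlsCipherSuite | Where-Object { $_.Name -match 'ECDSA' }
if (-not $ecdsaSuites) {
    Write-Warning 'Schannel offers no ECDSA cipher suites on this host.'
} else {
    $ecdsaSuites | Select-Object Name, Protocols | Format-Table -AutoSize
}
```

Run it in an elevated session on the SQL Server host; for the SQL 2012 on Windows 2012 R2 case mentioned in the comments, Get-TlsCipherSuite is not available and the first two checks are the ones that still apply.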


