TLS 1.2 support for Microsoft SQL Server

Introduction
This article provides information about the updates that Microsoft is releasing to enable TLS 1.2 support for SQL Server 2016, SQL Server 2008, SQL Server 2008 R2, SQL Server 2012, and SQL Server 2014. This article also lists supported client providers.

Several known vulnerabilities have been reported against SSL and earlier versions of Transport Layer Security (TLS). We recommend that you upgrade to TLS 1.2 for secure communication.

Important: No known vulnerabilities have been reported for the Microsoft TDS implementation. This is the communication protocol that's used between SQL Server clients and the SQL Server database engine.

The Microsoft Schannel implementation of TLS 1.0 (regarding the known vulnerabilities that have been reported to Microsoft as of the publication date of this article) is summarized in Schannel implementation of TLS 1.0 in Windows security status update: November 24, 2015.
How to know whether you need this update
Use the following table to determine whether your current version of SQL Server already has support for TLS 1.2 or whether you have to download an update to enable TLS 1.2 support. Use the download links in the table to obtain the server updates that are applicable to your environment.

Note: Builds that are later than those listed in this table also support TLS 1.2.

SQL Server release | First build that supports TLS 1.2 | Download link for earlier builds | Additional information
SQL Server 2014 SP1 | 12.0.4439.1 | Cumulative Update 5 for SQL Server 2014 SP1 | KB 3052404 FIX: You cannot use the Transport Layer Security protocol version 1.2 to connect to a server that is running SQL Server 2014 or SQL Server 2012
SQL Server 2014 SP1 GDR | 12.0.4219.0 | SQL Server 2014 SP1 GDR TLS 1.2 Update |
SQL Server 2014 RTM | 12.0.2564.0 | Cumulative Update 12 for SQL Server 2014 | KB 3052404 FIX: You cannot use the Transport Layer Security protocol version 1.2 to connect to a server that is running SQL Server 2014 or SQL Server 2012
SQL Server 2014 RTM GDR | 12.0.2271.0 | SQL Server 2014 RTM GDR TLS 1.2 Update |
SQL Server 2012 SP3 GDR | 11.0.6216.27 | SQL Server 2012 SP3 GDR TLS 1.2 Update |
SQL Server 2012 SP3 | 11.0.6518.0 | Cumulative Update 1 for SQL Server 2012 SP3 | KB 3052404 FIX: You cannot use the Transport Layer Security protocol version 1.2 to connect to a server that is running SQL Server 2014 or SQL Server 2012
SQL Server 2012 SP2 GDR | 11.0.5352.0 | SQL Server 2012 SP2 GDR TLS 1.2 Update |
SQL Server 2012 SP2 | 11.0.5644.2 | Cumulative Update 10 for SQL Server 2012 SP2 | KB 3052404 FIX: You cannot use the Transport Layer Security protocol version 1.2 to connect to a server that is running SQL Server 2014 or SQL Server 2012
SQL Server 2008 R2 SP3 | 10.50.6542.0 | SQL Server 2008 R2 SP3 TLS 1.2 Update |
SQL Server 2008 R2 SP2 GDR (IA-64 only) | 10.50.4047.0 | SQL Server 2008 R2 SP2 GDR (IA-64) TLS 1.2 Update |
SQL Server 2008 R2 SP2 (IA-64 only) | 10.50.4344.0 | SQL Server 2008 R2 SP2 (IA-64) TLS 1.2 Update |
SQL Server 2008 SP4 | 10.0.6547.0 | SQL Server 2008 SP4 TLS 1.2 Update |
SQL Server 2008 SP3 GDR (IA-64 only) | 10.0.5545.0 | SQL Server 2008 SP3 GDR (IA-64) TLS 1.2 Update |
SQL Server 2008 SP3 (IA-64 only) | 10.0.5896.0 | SQL Server 2008 SP3 (IA-64) TLS 1.2 Update |


Client component downloads

Use the following table to download the client components and driver updates that are applicable to your environment.

Client component / driver | Update with TLS 1.2 support
ADO.NET - SqlClient (.NET Framework 4.5.2, 4.5.1, 4.5) | Hotfix rollup 3099842 for the .NET Framework 4.5.2, 4.5.1, and 4.5 on Windows 8.1 and Windows Server 2012 R2
ADO.NET - SqlClient (.NET Framework 4.5.2, 4.5.1, 4.5) | Hotfix rollup 3099844 for the .NET Framework 4.5.2, 4.5.1, and 4.5 on Windows 8 and Windows Server 2012
ADO.NET - SqlClient (.NET Framework 4.5.2, 4.5.1, 4.5) | Hotfix rollup 3099845 for the .NET Framework 4.5.2 and the .NET Framework 4.5.1 on Windows 7 Service Pack 1 / Windows Vista and Windows Server 2008 R2 / Windows Server 2008
ADO.NET - SqlClient (.NET Framework 4.0) | Hotfix rollup 3106994 for the .NET Framework 4.0 in Windows
ADO.NET - SqlClient (.NET Framework 3.5 / .NET Framework 2.0 SP2) | Hotfix rollup 3106991 for the .NET Framework 2.0 SP2 in Windows Server 2008 R2 SP1 and Windows 7 SP1
ADO.NET - SqlClient (.NET Framework 3.5 / .NET Framework 2.0 SP2) | Hotfix rollup 3106992 for the .NET Framework 2.0 SP2 on Windows Server 2012 and Windows 8
ADO.NET - SqlClient (.NET Framework 3.5 / .NET Framework 2.0 SP2) | Hotfix rollup 3106993 for the .NET Framework 2.0 SP2 in Windows Server 2012 R2 and Windows 8.1
SQL Server Native Client (for SQL Server 2008 R2) | SQL Server Native Client (x86 and x64)
SQL Server Native Client (for SQL Server 2008 R2) | SQL Server 2008 R2 Native Client (IA-64)
SQL Server Native Client (for SQL Server 2008) | SQL Server 2008 Native Client (x86 and x64)
SQL Server Native Client (for SQL Server 2008) | SQL Server 2008 Native Client (IA-64)
SQL Server Native Client (for SQL Server 2012 and SQL Server 2014) | Microsoft SQL Server 2012 Native Client - QFE
Microsoft ODBC Driver for SQL Server | Microsoft ODBC Driver 11 for SQL Server - Windows
JDBC 6.0 | Microsoft JDBC Drivers 6.0 (Preview), 4.2, 4.1, and 4.0 for SQL Server
JDBC 4.1 and JDBC 4.2 | Microsoft JDBC Drivers 6.0 (Preview), 4.2, 4.1, and 4.0 for SQL Server

Additional fixes needed for SQL Server to use TLS 1.2
You have to install the following .NET Framework hotfix rollups to enable TLS 1.2 for SQL Server features that use .NET endpoints, such as Database Mail and certain SSIS components (for example, the Web Service task).

Operating System | .NET Framework version | Updates with TLS 1.2 support
Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 | 3.5.1 | Support for TLS v1.2 included in the .NET Framework version 3.5.1
Windows 8 RTM, Windows Server 2012 RTM | 3.5 | Support for TLS v1.2 included in the .NET Framework version 3.5
Windows 8.1, Windows Server 2012 R2 SP1 | 3.5 SP1 | Support for TLS v1.2 included in the .NET Framework version 3.5 SP1 on Windows 8.1 and Windows Server 2012 R2

Frequently asked questions
Are TLS 1.1 and SSL 3.0 supported on SQL Server 2016?

Yes. SQL Server 2016 versions ship with TLS 1.0 to TLS 1.2 support. You have to disable TLS 1.0, 1.1, and SSL 3.0 if you want to use only TLS 1.2 for client-server communication.

Is TDS affected by known vulnerabilities?

No known vulnerabilities have been reported for the Microsoft TDS implementation. Because several standards-enforcement organizations are mandating the use of TLS 1.2 for encrypted communication channels, Microsoft is releasing the support for TLS 1.2 for the widespread SQL Server installation base.

How will the TLS 1.2 updates be distributed to customers?

This article provides download links for the appropriate server and client updates that support TLS 1.2.

Will SQL Server 2005 be supported for TLS 1.2?

TLS 1.2 support is offered only for SQL Server 2008 and later versions.

Are customers who are not using SSL/TLS affected if SSL 3.0 and TLS 1.0 are disabled on the server?

Yes. SQL Server encrypts the username and password during login even if a secure communication channel is not being used. This update is required for all SQL Server instances that are not using secure communications and that have all other protocols except TLS 1.2 disabled on the server.

Which versions of Windows Server support TLS 1.2?

Windows Server 2008 R2 and later versions support TLS 1.2.

What is the correct registry setting to enable TLS 1.2 for SQL Server communication?

The correct registry settings are as follows:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

These settings are required on both server and client computers. The DisabledByDefault and Enabled values must be created explicitly on Windows 7 clients and Windows Server 2008 R2 servers. On Windows 8 and later client operating systems, and on Windows Server 2012 and later server operating systems, TLS 1.2 should already be enabled. If you are implementing a registry deployment policy that must be independent of the OS release, we recommend adding these registry keys to the policy.
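The following PowerShell script is an added example, not part of the KB article: it audits the Schannel TLS 1.2 Client and Server values listed above and can create them idempotently, which is the OS-independent policy approach the article recommends. It assumes an elevated session, and the function names are this example's own.

```powershell
# Added example (not from the KB article): audit, and optionally create, the
# Schannel TLS 1.2 registry values the article lists, for both Client and Server.
# Assumptions: run in an elevated PowerShell session; Schannel reads these values
# at boot, so a reboot is still needed after a change. Function names are this example's own.
$Tls12Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$Expected  = @{ Enabled = 1; DisabledByDefault = 0 }

function Test-Tls12SchannelKeys {
    # Returns one row per side (Client/Server) with the current values and a Compliant flag.
    foreach ($side in 'Client', 'Server') {
        $path  = Join-Path $Tls12Base $side
        $props = if (Test-Path $path) { Get-ItemProperty -Path $path } else { $null }
        $enabled  = if ($props -and $null -ne $props.Enabled) { [int]$props.Enabled } else { $null }
        $disabled = if ($props -and $null -ne $props.DisabledByDefault) { [int]$props.DisabledByDefault } else { $null }
        [pscustomobject]@{
            Side              = $side
            KeyExists         = (Test-Path $path)
            Enabled           = $enabled
            DisabledByDefault = $disabled
            # Absent values are reported as non-compliant so the check is OS-independent,
            # matching the article's advice to create the values explicitly in policy.
            Compliant         = ($enabled -eq $Expected.Enabled) -and ($disabled -eq $Expected.DisabledByDefault)
        }
    }
}

function Enable-Tls12SchannelKeys {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($side in 'Client', 'Server') {
        $path = Join-Path $Tls12Base $side
        if (-not (Test-Path $path) -and $PSCmdlet.ShouldProcess($path, 'Create key')) {
            New-Item -Path $path -Force | Out-Null
        }
        foreach ($name in $Expected.Keys) {
            if ($PSCmdlet.ShouldProcess("$path\$name", "Set DWORD to $($Expected[$name])")) {
                # -PropertyType DWord matches the dword:... values in the article's registry fragment.
                New-ItemProperty -Path $path -Name $name -Value $Expected[$name] -PropertyType DWord -Force | Out-Null
            }
        }
    }
}

Test-Tls12SchannelKeys | Format-Table -AutoSize
# Preview the change with: Enable-Tls12SchannelKeys -WhatIf
# Apply it with:           Enable-Tls12SchannelKeys   (then reboot)
```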

Which client drivers support TLS 1.2 for communication with the SQL Server database engine?

The "Client component downloads" table lists the supported clients.
Known issues
Issue 1

SQL Server Management Studio (SSMS), Report Server, and Report Manager don't connect to the database engine after you apply the fix for SQL Server 2008, 2008 R2, 2012, or 2014. Report Server and Report Manager fail and return the following error message:

The report server cannot open a connection to the report server database. A connection to the database is required for all requests and processing. (rsReportServerDatabaseUnavailable)

This issue occurs because SSMS, Report Manager, and Reporting Services Configuration Manager use ADO.NET, and ADO.NET support for TLS 1.2 is available only in the .NET Framework 4.6. For earlier versions of the .NET Framework, you have to apply a Windows update so that ADO.NET can support TLS 1.2 communications for the client. The Windows updates that enable TLS 1.2 support in earlier versions of the .NET Framework are listed in the table in the "How to know whether you need this update" section.

Issue 2

Reporting Services Configuration Manager reports the following error message even after client providers have been updated to a version that supports TLS 1.2:

Could not connect to server: A connection was successfully established to the server, but then an error occurred during the pre-login handshake.

To resolve this problem, manually create the following registry key on the system that hosts the Reporting Services Configuration Manager:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client : "Enabled"=dword:00000001

Issue 3

The encrypted endpoint communication that uses TLS 1.2 fails when you use encrypted communications for Availability Groups, Database Mirroring, or Service Broker in SQL Server. An error message that resembles the following is logged in the SQL Server Error log:

Connection handshake failed. An OS call failed: (80090331) 0x80090331(The client and server cannot communicate, because they do not possess a common algorithm.). State 56.

For more information about this issue, see FIX: The encrypted endpoint communication with TLS 1.2 fails when you use SQL Server.

Issue 4

Various errors occur when you try to install SQL Server 2012 or SQL Server 2014 on a server that has TLS 1.2 enabled.

For more information, see FIX: Error when you install SQL Server 2012 or SQL Server 2014 on a server that has TLS 1.2 enabled.

Issue 5

An encrypted connection with Database Mirroring or Availability Groups does not work when you use a certificate after you disable all protocols other than TLS 1.2. You may notice one of the following symptoms:

Symptom 1:

An error message that resembles the following is logged in the SQL Server Error log:
Connection handshake failed. An OS call failed: (80090331) 0x80090331(The client and server cannot communicate, because they do not possess a common algorithm.). State 58.
Symptom 2:

An error message that resembles the following is logged in Windows event log:
Log Name:      System
Source:        Schannel
Date:          <Date Time>
Event ID:      36888
Task Category: None
Level:         Error
Keywords:     
User:          SYSTEM
Computer:      ------------
Description:
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

Log Name:      System
Source:        Schannel
Date:          <Date Time>
Event ID:      36874
Task Category: None
Level:         Error
Keywords:     
User:          SYSTEM
Computer:      -----------
Description:
An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

This issue occurs because Availability Groups and Database Mirroring require a certificate that does not use a fixed-length hash algorithm such as MD5. Fixed-length hash algorithms are not supported in TLS 1.2.

For more information, see FIX: Communication using MD5 hash algorithm fails if SQL Server uses TLS 1.2.
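As an added check that is not part of the KB article, the following PowerShell lists certificates in the local machine store whose signature algorithm is MD5-based, so the endpoint certificate can be replaced before TLS 1.2-only operation. It assumes the endpoint certificate is in Cert:\LocalMachine\My; the function name is this example's own.

```powershell
# Added example (not from the KB article): find certificates signed with MD5,
# which Issue 5 says Availability Group / Database Mirroring endpoints cannot
# use under TLS 1.2. Assumption: the endpoint certificate lives in
# Cert:\LocalMachine\My; pass -StorePath to inspect another store.
function Find-Md5SignedCertificate {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem -Path $StorePath |
        ForEach-Object {
            # FriendlyName is e.g. "md5RSA" or "sha256RSA"
            $alg = $_.SignatureAlgorithm.FriendlyName
            [pscustomobject]@{
                Subject            = $_.Subject
                Thumbprint         = $_.Thumbprint
                NotAfter           = $_.NotAfter
                SignatureAlgorithm = $alg
                # MD5-signed certificates fail the TLS 1.2 handshake described in Issue 5.
                Tls12Usable        = ($alg -notmatch '^md5')
            }
        }
}

# Show only the certificates that need replacing before running TLS 1.2-only.
Find-Md5SignedCertificate | Where-Object { -not $_.Tls12Usable } | Format-Table -AutoSize
```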

Issue 6

The following SQL Server database engine versions are affected by the intermittent service termination issue that is reported in Knowledge Base article 3146034. To protect against the service termination issue, we recommend that customers whose SQL Server version is listed in the following table install the TLS 1.2 updates for Microsoft SQL Server that are mentioned in this article.

SQL Server release | Affected version
SQL Server 2008 R2 SP3 (x86 and x64) | 10.50.6537.0
SQL Server 2008 R2 SP2 GDR (IA-64 only) | 10.50.4046.0
SQL Server 2008 R2 SP2 (IA-64 only) | 10.50.4343.0
SQL Server 2008 SP4 (x86 and x64) | 10.0.6543.0
SQL Server 2008 SP3 GDR (IA-64 only) | 10.0.5544.0
SQL Server 2008 SP3 (IA-64 only) | 10.0.5894.0

Issue 7

Database Mail does not work with TLS 1.2. Database Mail fails with the following errors:
Microsoft.SqlServer.Management.SqlIMail.Server.Common.BaseException:
Mail configuration information could not be read from the database.
….

….Unable to start mail session.
For additional information, refer to the section titled "Additional fixes needed for SQL Server to use TLS 1.2" in this article.

Common errors that you may experience when TLS 1.2 updates are missing on the client or the server

Issue 1

System Center Configuration Manager (SCCM) can't connect to SQL Server after the TLS 1.2 protocol is enabled on SQL Server. In this situation, you receive the following error message:

TCP Provider: An existing connection was forcibly closed by the remote host

This issue may occur when SCCM uses a SQL Server Native Client driver that does not have the fix. To resolve this issue, download and install the Native Client fix that's listed in the "Client component downloads" section of this article. For example: https://www.microsoft.com/en-us/download/details.aspx?id=50402

You can find out which driver SCCM is using to connect to SQL Server by viewing the SCCM log, as in the following example:

[SQL Server Native Client 11.0]TCP Provider: An existing connection was forcibly closed by the remote host.~~  $$<Configuration Manager Setup><08-22-2016 04:15:01.917+420><thread=2868 (0xB34)>
*** [08001][10054][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection  $$<Configuration Manager Setup><08-22-2016 04:15:01.917+420><thread=2868 (0xB34)>
*** Failed to connect to the SQL Server, connection type: SMS ACCESS.  $$<Configuration Manager Setup><08-22-2016 04:15:01.917+420><thread=2868 (0xB34)>
INFO: SQL Connection failed. Connection: SMS ACCESS, Type: Secure  $$<Configuration Manager Setup><08-22-2016 04:15:01.917+420><thread=2868 (0xB34)>

Properties

Article ID: 3135244 - Last Review: 11/09/2016 21:04:00 - Revision: 20.0

Microsoft SQL Server 2008 Developer, Microsoft SQL Server 2008 Enterprise, Microsoft SQL Server 2008 R2 Developer, Microsoft SQL Server 2008 R2 Enterprise, Microsoft SQL Server 2008 R2 Service Pack 2, Microsoft SQL Server 2008 R2 Service Pack 3, Microsoft SQL Server 2008 Service Pack 1, Microsoft SQL Server 2008 Service Pack 2, Microsoft SQL Server 2008 Service Pack 3, Microsoft SQL Server 2008 Service Pack 4, Microsoft SQL Server 2008 Standard, Microsoft SQL Server 2012 Developer, Microsoft SQL Server 2012 Enterprise, Microsoft SQL Server 2012 Enterprise Core, Microsoft SQL Server 2012 Service Pack 1, Microsoft SQL Server 2012 Service Pack 2, Microsoft SQL Server 2012 Service Pack 3, Microsoft SQL Server 2012 Standard, Microsoft SQL Server 2012 Web, Microsoft SQL Server 2014 Developer, Microsoft SQL Server 2014 Enterprise, Microsoft SQL Server 2014 Service Pack 1, Microsoft SQL Server 2014 Standard, Microsoft SQL Server 2016 Developer, Microsoft SQL Server 2016 Enterprise, Microsoft SQL Server 2016 Enterprise Core, Microsoft SQL Server 2016 Express, Microsoft SQL Server 2016 Standard, Microsoft SQL Server 2016 Web
