Selectively using secure connection to SQL Server
Secure connection to SQL Server can be enforced by different ways, e.g. forcing encryption by using “ForceEncryption” property under the Network Configuration in the server. But this setting will force all clients to use encryption and any client that is not able to use an encrypted connection will fail.
If you need to connect to SQL Server selectively here is how to achieve this:
You can take advantage of the two client settings, “Force Protocol Encryption” and “Trust Server Certificate” and two connection string parameters, “Encrypt” and “Trust Server Certificate”. The table below describes different combinations of these flags and the corresponding behavior.
Force Protocol Encryption client setting |
Trust Server Certificate client setting |
Connection string/connection attribute Encrypt/Use Encryption for Data |
Connection string/connection attribute Trust Server Certificate |
Result |
|
1. |
No |
N/A |
No (default) |
Ignored |
No encryption occurs. |
2. |
No |
N/A |
Yes |
No (default) |
Encryption occurs only if there is a verifiable server certificate, otherwise the connection attempt fails. |
3. |
No |
N/A |
Yes |
Yes |
Encryption always occurs; certificate is not validated by the client. |
4. |
Yes |
No |
Ignored |
Ignored |
Encryption occurs only if there is a verifiable server certificate, otherwise the connection attempt fails. |
5. |
Yes |
Yes |
No (default) |
Ignored |
Encryption always occurs, but certificate is not validated by the client. |
6. |
Yes |
Yes |
Yes |