Windows Enforcement of Authenticode Code Signing and Timestamping impact on SQL Server


A recently announced Windows policy, Windows Enforcement of Authenticode Code Signing and Timestamping, states that Windows (version 7 and higher) and Windows Server will no longer trust any code that is signed with a SHA-1 code signing certificate and carries a timestamp later than January 1, 2016. More information about this announcement is documented here.

Recently, customers have asked about the impact of the above policy on SQL Server products. SQL Server uses SHA-1 in the following places, none of which is affected by this Windows policy:

  1. CREATE CERTIFICATE creates a SHA-1 self-signed certificate intended for use within SQL Server only, as a package for an asymmetric key. Its SHA-1 signature is never validated by Windows during the encryption, decryption, signing, and signature validation done via T-SQL DDL, so it is not affected by the changes announced for Windows.
  2. The initial login packet uses a SHA-1 self-signed certificate to protect the user name and password when SSL/TLS is not used. We recommend using a certificate issued by a trusted root authority and configuring SQL Server with this external certificate for any authentication scenario, such as SSL/TLS.
  3. All SQL Server binaries are dual signed with SHA-256 and SHA-1 digital signatures, which complies with the guidance in the Windows article mentioned above.

If you use secure communication between the client and the SQL Server instance, we recommend following the guidelines in our documentation on using a certificate for encrypted connections. We are also exploring the option of moving to a self-signed certificate that does not use SHA-1.
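To tell whether a given certificate (for example one exported from SQL Server with CERTENCODED, or the certificate configured for encrypted connections) is signed with SHA-1, the signature algorithm OID in its DER encoding can be read directly. This is an added example using only the Python standard library, not code from the original post or from SQL Server; the two sample certificates at the bottom are constructed minimal DER structures, not real SQL Server certificates.

```python
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Turn OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                # base-128, high bit set on all but the last byte of an arc
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return (oid, name) from the outer signatureAlgorithm field of a DER Certificate."""
    _, start, _ = _tlv(der, 0)                      # Certificate ::= SEQUENCE
    _, _, tbs_end = _tlv(der, start)                # tbsCertificate, skipped whole
    _, alg_start, _ = _tlv(der, tbs_end)            # signatureAlgorithm ::= SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)  # first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in signatureAlgorithm")
    oid = _decode_oid(der[oid_start:oid_end])
    return oid, SIG_ALG_OIDS.get(oid, "unknown")

def uses_sha1(der):
    """True when the certificate's signature hash is SHA-1 (the case the Windows policy targets)."""
    return signature_algorithm(der)[1].startswith("sha1")

def _der(tag, content):              # tiny encoder, used only to build the constructed samples
    return bytes([tag, len(content)]) + content   # samples are < 128 bytes, short form suffices

def _sample_cert(alg_oid_hex):
    """Constructed sample: empty tbsCertificate, the given signatureAlgorithm, empty signature."""
    alg = _der(0x30, _der(0x06, bytes.fromhex(alg_oid_hex)) + _der(0x05, b""))
    return _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00"))

SAMPLE_SHA1_CERT = _sample_cert("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SAMPLE_SHA256_CERT = _sample_cert("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
```

For a real certificate, pass the bytes returned by `SELECT CERTENCODED(CERT_ID('YourCertName'))` or the DER export of the TLS certificate; on Windows the same value is exposed as `SignatureAlgorithm.FriendlyName` on a .NET X509Certificate2 object.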

Comments (2)

  1. jwaters says:

    Scenario 2 seems to be very common - many apps use standard logins, and SSL/TLS certificates are not deployed.  It's not clear as to what functionality is impacted after Jan 1 2016. It would seem that there's no impact, as today is Jan 6th and there aren't widespread reports of issues.

  2. jwaters: There is no impact if you are not using an SSL/TLS certificate which is not using SHA-1.
