TLS 1.2 Support for SQL Server 2008, 2008 R2, 2012 and 2014

Microsoft is pleased to announce the release of (Transport Layer Security) TLS 1.2 support in all major client drivers and SQL Server releases. The updates made available on January 29th, 2016 provide TLS 1.2 support for SQL Server 2008, SQL Server 2008 R2, SQL Server 2012 and SQL Server 2014. The client drivers that have support for TLS 1.2 are SQL Server Native Client, Microsoft ODBC Driver for SQL Server, Microsoft JDBC Driver for SQL Server and ADO.NET (SqlClient).

The list of SQL Server server and client component updates along with their download locations that support TLS 1.2 is available in the KB Article below:

3135244 TLS 1.2 support for Microsoft SQL Server

You can use KB3135244 to download the appropriate server and client component applicable for your environment. The first build numbers that provides complete TLS 1.2 support in each major release is available in KB3135244 as well. The following tables lists the client driver/components and server components which have TLS 1.2 support. You will need to apply the necessary client component fixes on the server that hosts the SQL Server instance (eg. MS ODBC Driver, SQL Server Native Client) to ensure that the client components installed on the server also support TLS 1.2.

Client Components Server Components
SqlClient (.NET Framework 4.6) SQL Server 2014
SqlClient (.NET Framework 4.5.2, 4.5.1, 4.5) SQL Server 2012
SqlClient (.NET Framework 4.0) SQL Server 2008 R2
SqlClient (.NET Framework 3.5/a.k.a (.NET Framework 2.0 SP2) SQL Server 2008
MS ODBC Driver v11 (Windows)  
SQL Server Native Client (for SQL Server 2012 & 2014)  
SQL Server Native Client (for SQL Server 2008 R2)  
SQL Server Native Client (for SQL Server 2008)  
SQL Server Native Client (for SQL Server 2005)  
JDBC 6.0  
JDBC 4.2  

JDBC 4.1

 

You can use the PowerShell script from our tigertoolbox GitHub repository to determine which client drivers on your server and client machines require fixes.

Update: March 2, 2016: Please see known issue 6 for the intermittent service terminations that were reported after installing the update.

Update May 27, 2016: Additional fixes needed for SQL Server to use TLS 1.2 with Database Mail is available at KB3135244.

Known Issues

Issue 1

SQL Server Management Studio (SSMS), Report Server, and Report Manager don’t connect to the database engine after you apply the fix for SQL Server 2008, 2008 R2, 2012, or 2014. Report Server and Report Manager fail and return the following error message:

The report server cannot open a connection to the report server database. A connection to the database is required for all requests and processing. (rsReportServerDatabaseUnavailable)

This issue occurs because SSMS, Report Manager, and Reporting Services Configuration Manager use ADO.NET, and ADO.NET support for TLS 1.2 is available only in the .NET Framework 4.6. For earlier versions of the .NET Framework, you have to apply a Windows update so that ADO.NET can support TLS 1.2 communications for the client. The Windows updates that enable TLS 1.2 support in earlier versions of .NET framework are listed in the table in the “How to know whether you need this update” section of KB3135244.

Issue 2: Reporting Services fails to start

Reporting Services Configuration Manager reports the following error message even after client providers have been updated to a version that supports TLS 1.2:

Could not connect to server: A connection was successfully established to the server, but then an error occurred during the pre-login handshake.

Error message

To resolve this problem, manually create the following registry key on the system that hosts the Reporting Services Configuration Manager:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client : REG_DWORD=Enabled, “Enabled”=dword:00000001

Issue 3: Encrypted endpoint communication fails

The encrypted endpoint communication that uses TLS 1.2 fails when you use encrypted communications for Availability Groups or Database Mirroring or Service Broker in SQL Server. An error message that resembles the following is logged in the SQL Error log:

Connection handshake failed. An OS call failed: (80090331) 0x80090331(The client and server cannot communicate, because they do not possess a common algorithm.). State 56.

For more information about this issue, see FIX: The encrypted endpoint communication with TLS 1.2 fails when you use SQL Server.

(Update: February 22, 2016) Known Issue: If you are on a currently using Cumulative Update for SQL Server 2014 and need to use TLS 1.2 for encrypted endpoints for features like Availability Groups, Database Mirroring or Service Broker, then we recommend that you install Cumulative Update 1 for SQL Server 2014 Service Pack 1 or Cumulative Update 8 for SQL Server 2014 which adds support for this particular scenario. This is documented as a known issue in KB3135852.

Issue 4: Encrypted communication with DBM/AG fails

An encrypted connection with Database Mirroring or Availability Groups does not work when you use a certificate after you disable all other protocols other than TLS 1.2. An error message that resembles the following is logged in the SQL Server Error log:

Connection handshake failed. An OS call failed: (80090331) 0x80090331(The client and server cannot communicate, because they do not possess a common algorithm.). State 58.

There might be additional errors that you might encounter in the event logs associated with this issue as shown below.

Log Name:      System

Source:        Schannel

Date:          3/4/2016 2:09:28 AM

Event ID:      36888

Task Category: None

Level:         Error

Keywords:

User:          SYSTEM

Description:

A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

Log Name:      System

Source:        Schannel

Date:          3/4/2016 2:09:28 AM

Event ID:      36874

Task Category: None

Level:         Error

Keywords:

User:          SYSTEM

Description:

An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

This issue occurs because Availability Groups and Database Mirroring require a certificate that does not use fixed length hash algorithms, such as MD5. Fixed length hashing algorithms are not supported in TLS 1.2.

For more information, see FIX: Communication using MD5 hash algorithm fails if SQL Server uses TLS 1.2.

Issue 5: SQL Server Setup fails

SQL Server setup fails when TLS 1.2 is enabled

When you try to install Microsoft SQL Server 2012 or SQL Server 2014 on a server that has Transport Layer Security (TLS) version 1.2 enabled, you may encounter the following issues:

  • If the version of SQL Server that you’re trying to install doesn’t contain the fix to enable TLS 1.2 support, you receive the following error message:Wait on the Database Engine recovery handle failed. Check the SQL Server error log for potential causes.
  • If the version of SQL Server that you’re trying to install does contain the fix to enable TLS 1.2 support, you receive the following error message:A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: Named Pipes Provider, error: 0 – No process is on the other end of the pipe.)In both of these situations, the installation fails.Please refer KB3135769 for the workaround for the issue.

Issue 6: Intermittent Service Termination

The following SQL Server database engine versions are affected by the intermittent service termination issue that is reported in KB3146034. For customers to protect themselves from the service termination issue, we recommend that they install the TLS 1.2 updates for Microsoft SQL Server that are mentioned in this article if their SQL Server version is listed in the following table.

SQL Server release Affected version
SQL Server 2008 R2 SP3 (x86 and x64) 10.50.6537.0
SQL Server 2008 R2 SP2 GDR (IA-64 only) 10.50.4046.0
SQL Server 2008 R2 SP2 (IA-64 only) 10.50.4343.0
SQL Server 2008 SP4 (x86 and x64) 10.0.6543.0
SQL Server 2008 SP3 GDR (IA-64 only) 10.0.5544.0
SQL Server 2008 SP3 (IA-64 only) 10.0.5894.0


Issue 7: Database Mail does not work

Database Mail does not work with TLS 1.2

Database Mail fails with the following errors:

Agent Log:

Microsoft.SqlServer.Management.SqlIMail.Server.Common.BaseException:

Mail configuration information could not be read from the database.

….

….

Unable to start mail session.

See the section “Additional fixes needed for SQL Server to use TLS 1.2” in KB3135244.

Issue 8: SQL Server service does not start

You get the following error after disabling all other protocols except TLS 1.2 on the server while trying to start the SQL Server database engine service.

Error: 17182, Severity: 16, State: 1.
TDSSNIClient initialization failed with error 0x139f, status code 0x1. Reason: Initialization failed with an infrastructure error. Check for previous errors. The group or resource is not in the correct state to perform the requested operation.

Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.

Error: 17120, Severity: 16, State: 1.
SQL Server could not spawn FRunCM thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.

The above errors are reported because the SQL Server client driver fixes were not applied on the server. Please refer KB3135244 and apply the applicable client driver fixes on the server.

A recording of the TLS 1.2 session delivered the Security Virtual Chapter for PASS is available below.