Let’s talk about TLS 1.2 Support for SQL Server. You may have seen the errors below when trying to start SQL Server after a reboot, or trying to connect to SQL Server:
The client and server cannot communicate, because they do not possess a common algorithm
A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: Shared Memory Provider, error: 0 - No process is on the other end of the pipe.) (Microsoft SQL Server, Error: 233)
TDSSNIClient initialization failed with error 0x80090331, status code 0x80. Reason: Unable to initialize SSL support. The client and server cannot communicate, because they do not possess a common algorithm
The likely reason is that SSL 3.0 or TLS 1.0 has been disabled on either the client machine or the SQL Server machine. The default SCHANNEL Protocols registry key on any Windows OS contains nothing except an entry disabling SSL 2.0 on the client side. If you see anything different, it has been changed manually, either by GPO or by another user:
Background information on SCHANNEL Protocols with SQL Server
If you are wondering why SSL matters at all because “I’m not using SSL Certificates to bind my SQL Server or Reporting Services”, it still does! When connecting to SQL Server, your login information is always encrypted, with or without your own SSL Certificate. If encryption is not set on either the client or the server, SQL Server uses its self-signed certificate to encrypt the login packets.
If you see in the registry that you have disabled TLS 1.0 or SSL 3.0, and you are having connectivity issues with SQL Server that points to SSL errors, you have a couple of options. Namely:
Since PCI compliance rules have been published requiring TLS 1.0 and SSL 3.0 to be disabled, you may have been caught unaware of changes made by your security admins. You might not be able to follow #1 above, in which case your only option is to upgrade.
Follow the above article to upgrade both the client components and SQL Server so that both sides can communicate over TLS 1.2. If you are unsure which client components need to be upgraded, follow my next article on this topic, where I will explain all about it.
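To see what the SCHANNEL Protocols key on each machine actually says before and after the upgrade, here is an added PowerShell audit script (my own example, not from Microsoft or the article referenced above). It assumes the standard SCHANNEL registry layout, only reads the registry, and flags any protocol entry other than the out-of-the-box SSL 2.0 client entry as a manual or GPO change.

```powershell
# Added example (not from the original post): audit SCHANNEL protocol settings
# on a Windows machine and flag protocols that were disabled by hand or by GPO.
# Run it on the SQL Server host and on the client machine, then compare the two.
# Assumes the standard SCHANNEL registry layout; nothing is written to the registry.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)   # $Side is 'Client' or 'Server'

    $path = Join-Path (Join-Path $base $Protocol) $Side
    if (-not (Test-Path $path)) {
        # No key at all: Windows applies its built-in default for this protocol.
        return 'OS default (no key)'
    }
    $props = Get-ItemProperty -Path $path
    if ($props.Enabled -eq 0)           { return 'DISABLED (Enabled=0)' }
    if ($props.DisabledByDefault -eq 1) { return 'Disabled by default (DisabledByDefault=1)' }
    return 'Enabled'
}

$report = foreach ($p in $protocols) {
    foreach ($side in 'Client', 'Server') {
        [pscustomobject]@{
            Protocol = $p
            Side     = $side
            State    = Get-SchannelProtocolState -Protocol $p -Side $side
        }
    }
}
$report | Format-Table -AutoSize

# Anything beyond the default SSL 2.0 client entry was changed by a person or a GPO.
# If TLS 1.0 is disabled on either side, the SQL Server build and the client
# components on the other machine must both support TLS 1.2.
$changed = $report | Where-Object {
    $_.State -ne 'OS default (no key)' -and
    -not ($_.Protocol -eq 'SSL 2.0' -and $_.Side -eq 'Client')
}
if ($changed) {
    Write-Warning 'Non-default SCHANNEL protocol settings found:'
    $changed | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session on both machines; a "DISABLED" TLS 1.0 entry on one side paired with a SQL Server or client build without TLS 1.2 support on the other is exactly the situation that produces the errors above.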
One final note: you could very well have updated all components of SQL Server to support TLS 1.2 and still get the errors in this post. The next piece of this puzzle is related to cipher suites, which I will discuss in a later post.