SQL Server compatibility with New TLS Standards

Microsoft has recently revealed (without a lot of fanfare) that they will be investing in TLS 1.2 and phasing out SSL. It should be relevant to all editions of SQL Server.

UPDATE 2016-01-29: Microsoft has announced official support for TLS 1.2 in 2008, 2008 R2, 2012, & 2014. Downloads and other info can be found in KB #3135244.

I blogged about a few of the issues that have been mentioned, as well as a warning if you are using encrypted endpoints in 2014:

  • SQL Server support for TLS 1.2 – Read This First!

The post also points to the correct build to download (or other action) depending on @@version.

Whether this move will affect all existing versions, just 2014 and above, or just 2016, remains to be seen. The quote below seems to imply at least 2014 will be part of the work - and I suspect much of the investment will be in the client libraries, not in the engine, so it is feasible that it will work for any version that the next release of the ODBC/Native Client drivers will support.

I got this from a PowerPoint deck by Kevin Farlee of Microsoft, and was given permission to share the information, though I don't know how much of it has been redistributed at this point. Here is the exact quote from the deck:

Encryption in flight: Protects data between client and server against snooping & man-in-the-middle attacks. Upgrading to TLS 1.2 in CY 15, phasing out SSL.

Also if you look at KB #3052404, it seems there are patches to make it work with 2012 SP+ and 2014 (patches won't be required for 2016), but no indication there will be any back-porting to SQL Server 2005, 2008, or 2008 R2 (and frankly, I'd be quite surprised).


As in the other answers: you need a recent CU for TLS 1.2. See:

FIX: You cannot use the Transport Layer Security protocol version 1.2 to connect to a server that is running SQL Server 2014 or SQL Server 2012:

  • Cumulative Update 1 for SQL Server 2014 SP1
  • Cumulative Update 8 for SQL Server 2014
  • Cumulative Update 1 for SQL Server 2012 SP3
  • Cumulative Update 10 for SQL Server 2012 SP2

After enabling only TLS 1.2 you will possibly encounter two errors:

  1. SQL Server 2014 Agent will not start. Solution: install SQL Server 2012 SNAC from the download link in KB3135244
  2. SQL Server Management Studio can't connect. Solution: install the applicable .NET Framework hotfix from KB3135244

Furthermore you have to update the SNAC/ODBC driver on all clients connecting to the SQL Server.

The complete list of SQL Server and Client Driver builds, along with download links, and other configuration changes that may be needed are contained in the following Microsoft Support Knowledge Base article:

TLS 1.2 support for Microsoft SQL Server
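
A pre-flight check for the "TLS 1.2 only" change and the client driver updates described above, added here as an example that is not part of the original answers. It assumes the restriction is made through the Windows Schannel protocol registry settings (the answer does not say how it is applied); the function names are hypothetical, and the file versions it prints are meant to be compared by hand against the build list in KB3135244.

```powershell
# Added example: report Schannel protocol state and installed SQL Server
# ODBC/Native Client driver versions on this host. Read-only.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
# From 32-bit PowerShell this path is redirected to the 32-bit driver list.
$odbcInst = 'HKLM:\SOFTWARE\ODBC\ODBCINST.INI'

function Get-SchannelProtocolState {
    foreach ($protocol in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Server', 'Client') {
            # A missing key or value means the OS default for that protocol applies.
            $p = Get-ItemProperty -Path (Join-Path $schannel "$protocol\$role") -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $protocol
                Role              = $role
                Enabled           = if ($null -ne $p.Enabled) { [bool]$p.Enabled } else { 'OS default' }
                DisabledByDefault = if ($null -ne $p.DisabledByDefault) { [bool]$p.DisabledByDefault } else { 'OS default' }
            }
        }
    }
}

function Get-SqlClientDriverVersion {
    $list = Get-ItemProperty -Path (Join-Path $odbcInst 'ODBC Drivers') -ErrorAction SilentlyContinue
    if (-not $list) { return }
    # Each installed driver is a value named after the driver with data 'Installed'.
    $names = $list.PSObject.Properties |
        Where-Object { $_.Value -eq 'Installed' -and $_.Name -match 'SQL Server' } |
        ForEach-Object { $_.Name }
    foreach ($name in $names) {
        $dll = (Get-ItemProperty -Path (Join-Path $odbcInst $name) -ErrorAction SilentlyContinue).Driver
        if (-not $dll) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        [pscustomobject]@{
            Driver      = $name
            Path        = $dll
            FileVersion = if (Test-Path -LiteralPath $dll) { (Get-Item -LiteralPath $dll).VersionInfo.FileVersion } else { 'file not found' }
        }
    }
}

Get-SchannelProtocolState  | Format-Table -AutoSize
Get-SqlClientDriverVersion | Format-Table -AutoSize
```

Run it on the server and on each client machine; ADO.NET (SqlClient) ships with the .NET Framework and does not appear in the ODBC driver list, so check that separately.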


As of January 29th 2016, Microsoft SQL Server supports TLS 1.2 for:

  • SQL Server 2008
  • SQL Server 2008 R2
  • SQL Server 2012; and
  • SQL Server 2014

...and major client drivers like:

  • Server Native Client
  • Microsoft ODBC Driver for SQL Server
  • Microsoft JDBC Driver for SQL Server
  • ADO.NET (SqlClient).

Blog post by the SQL Server Engineering Team about the release:

TLS 1.2 Support for SQL Server 2008, 2008 R2, 2012 and 2014

List of builds that support TLS 1.2 along with the client and server component download locations (KB3135244):

TLS 1.2 support for Microsoft SQL Server (includes .NET fixes for DB Mail)

Note: The above has been updated since the initial release to address a defect in the original update that caused intermittent service termination when connecting to an instance of SQL Server 2008 or SQL Server 2008 R2. This is described in KB 3146034:

Intermittent service terminations occur after you install any SQL Server 2008 or SQL Server 2008 R2 versions from KB3135244