TLS when connecting to SQL Server using "encrypt=false"
Problem
I'm trying to configure SQL Server 2017 Express Edition to use TLS 1.2 encryption, and accept connections from a simple test JDBC program. I'm reasonably experienced with Java and MSSQL, but not so much with encryption. I'm following Microsoft's documentation as much as is humanly possible.
I have a very simple JDBC test program, and my SQL Server still has "Force Encryption" set to "No".
When I connect to the server using the simple URL:

```
jdbc:sqlserver://...\SQLEXPRESS:1433;databaseName=...;user=...;password=...
```

it fails with the dreaded:

```
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```

When I append ";encrypt=false" to the URL, it connects fine.
But when I take a Wireshark network trace of that successful transaction (with "encrypt=false"), I still see what looks like a TLSv1.2 handshake in the trace. The "Info" in Wireshark for those records are:
- "Client Hello"
- "Server Hello, Certificate, Server Key Exchange, Server Hello Done"
- "Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message"
- "Change Cipher Spec, Encrypted Handshake Message"
- "Application Data"
What are these? Since I've specified "encrypt=false" I expected to see no TLS in the trace.
Thanks.
Solution
Encrypt=false indicates the client does not require encryption. TLS will still be used when possible, encrypting login credentials at a minimum. Below is the relevant excerpt from the JDBC documentation when Encrypt=false is specified.

> The driver won't force the server to support TLS encryption. If the server has a self-signed certificate, the driver initiates the TLS certificate exchange. The TLS certificate won't be validated and only the credentials (in the login packet) are encrypted.
>
> If the server requires the client to support TLS encryption, the driver will initiate the TLS certificate exchange. The TLS certificate won't be validated, but the entire communication will be encrypted.
Context
StackExchange Database Administrators Q#322517, answer score: 5
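The answer explains the observed handshake in terms of what the driver and server agree on before login. That agreement happens in the TDS PRELOGIN exchange, where each side sends an ENCRYPTION option byte. The following Python script, added here as an illustration and not code from the question, the answer, or Microsoft's driver, encodes and parses PRELOGIN packets using the MS-TDS layout (packet type 0x12, ENCRYPTION token 0x01, values 0x00 OFF, 0x01 ON, 0x02 NOT_SUP, 0x03 REQ) and then reports the outcome for the three combinations the thread discusses. The `negotiate()` function is a simplified model of the cases the answer describes, not the full MS-TDS negotiation matrix, and the server replies are constructed rather than captured.

```python
"""Added example, not from the original question or answer: build and parse TDS
PRELOGIN packets to show why Wireshark sees a TLS handshake even with encrypt=false.

Header layout and option tokens follow MS-TDS (PRELOGIN packet type 0x12,
ENCRYPTION option token 0x01, values 0x00 OFF / 0x01 ON / 0x02 NOT_SUP / 0x03 REQ).
negotiate() is a simplified model of the cases the accepted answer describes plus
the "not supported" case; it is not the full MS-TDS negotiation table. The server
replies below are constructed, not captured from a real server.
"""
import struct

PRELOGIN_TYPE = 0x12          # TDS packet type for PRELOGIN
STATUS_EOM = 0x01             # end-of-message: this packet completes the message
HEADER_FMT = ">BBHHBB"        # type, status, length, SPID, packet id, window
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 8 bytes

OPT_VERSION = 0x00
OPT_ENCRYPTION = 0x01
OPT_TERMINATOR = 0xFF

ENCRYPT_OFF, ENCRYPT_ON, ENCRYPT_NOT_SUP, ENCRYPT_REQ = 0x00, 0x01, 0x02, 0x03

LOGIN_ONLY = "TLS handshake; only the login packet is encrypted"
FULL_SESSION = "TLS handshake; entire session encrypted"
NO_TLS = "no TLS handshake; connection in clear"
REFUSED = "connection refused: encryption requirements cannot be met"


def build_prelogin(options):
    """Encode a PRELOGIN packet: TDS header, option directory, 0xFF terminator, option data.
    Directory offsets are relative to the start of the PRELOGIN payload (after the header)."""
    tokens = sorted(options)
    directory, data = b"", b""
    offset = len(tokens) * 5 + 1  # 5 bytes per directory entry plus the terminator
    for tok in tokens:
        payload = options[tok]
        directory += struct.pack(">BHH", tok, offset, len(payload))
        data += payload
        offset += len(payload)
    body = directory + bytes([OPT_TERMINATOR]) + data
    header = struct.pack(HEADER_FMT, PRELOGIN_TYPE, STATUS_EOM, HEADER_LEN + len(body), 0, 1, 0)
    return header + body


def parse_prelogin(packet):
    """Decode a PRELOGIN packet into {token: payload}, rejecting malformed directories
    (a missing terminator or an offset/length that points outside the packet)."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than TDS header")
    ptype, _status, length, _spid, _pid, _win = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if ptype != PRELOGIN_TYPE:
        raise ValueError(f"not a PRELOGIN packet (type 0x{ptype:02x})")
    if length != len(packet):
        raise ValueError("header length does not match packet size")
    body = packet[HEADER_LEN:]
    options, pos = {}, 0
    while True:
        if pos >= len(body):
            raise ValueError("option directory missing terminator")
        tok = body[pos]
        if tok == OPT_TERMINATOR:
            break
        if pos + 5 > len(body):
            raise ValueError("truncated directory entry")
        off, ln = struct.unpack(">HH", body[pos + 1:pos + 5])
        if off + ln > len(body):
            raise ValueError(f"option 0x{tok:02x} points outside the packet")
        options[tok] = body[off:off + ln]
        pos += 5
    return options


def negotiate(client_enc, server_enc):
    """Simplified outcome of the ENCRYPTION exchange (see module docstring)."""
    if server_enc == ENCRYPT_REQ:                       # server has Force Encryption = Yes
        return REFUSED if client_enc == ENCRYPT_NOT_SUP else FULL_SESSION
    if client_enc in (ENCRYPT_ON, ENCRYPT_REQ):         # client asked for encryption
        return REFUSED if server_enc == ENCRYPT_NOT_SUP else FULL_SESSION
    if ENCRYPT_NOT_SUP in (client_enc, server_enc):     # one side cannot do TLS at all
        return NO_TLS
    return LOGIN_ONLY  # client OFF, server OFF: the encrypt=false case from the question


def jdbc_outcome(encrypt, force_encryption):
    """Map the JDBC 'encrypt' URL property and the server's Force Encryption setting to
    PRELOGIN values, run a constructed exchange through the encoder/parser, and report
    what ends up encrypted."""
    client_enc = ENCRYPT_ON if encrypt else ENCRYPT_OFF
    server_enc = ENCRYPT_REQ if force_encryption else ENCRYPT_OFF
    client_pkt = build_prelogin({
        OPT_VERSION: bytes([0x0F, 0, 0, 0, 0, 0]),  # constructed version/sub-build bytes
        OPT_ENCRYPTION: bytes([client_enc]),
    })
    server_pkt = build_prelogin({                     # constructed server reply
        OPT_VERSION: bytes([0x0E, 0, 0, 0, 0, 0]),
        OPT_ENCRYPTION: bytes([server_enc]),
    })
    seen_client = parse_prelogin(client_pkt)[OPT_ENCRYPTION][0]
    seen_server = parse_prelogin(server_pkt)[OPT_ENCRYPTION][0]
    return negotiate(seen_client, seen_server)


if __name__ == "__main__":
    for enc, force in [(False, False), (False, True), (True, False)]:
        print(f"encrypt={'true' if enc else 'false'}, Force Encryption={'Yes' if force else 'No'}: "
              f"{jdbc_outcome(enc, force)}")
```

The first line of output (encrypt=false with Force Encryption set to No) is the questioner's situation: a TLS handshake still appears in Wireshark because the login packet is wrapped in TLS, and the certificate is not validated, which is why the certification-path error disappears. Note that the fix for that error when encryption is actually wanted is to make the JVM trust the server's certificate (import it into the truststore, or point the driver at one with its `trustStore` and `trustStorePassword` properties), not to disable validation with `trustServerCertificate=true`, which leaves the connection open to an impersonating server and belongs only in throwaway test setups.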