TLS 1.2 is a cryptographic protocol for securing communication between computers.
The RFC is linked below; more details on the protocol can be found there.
https://tools.ietf.org/html/rfc5246#section-5
First of all, determine which tools you will use to confirm TLS communication in your environment.
I first used Netmon and Wireshark to inspect the traffic. Both showed TLS 1.2 in the packet captures.
Microsoft Message Analyzer, however, did not show TLS communication. It showed this.
If I look at a packet from an RDP session, however, I can see it using TLS 1.2.
The screenshot below is from an RDP session.
That is how the communication between my IIS and SQL Server should have looked.
After a lot of searching and testing, these are the changes that were made to have the servers communicate only over TLS 1.2.
1. Install the right patches.
https://support.microsoft.com/en-us/help/3154520/support-for-tls-system-default-versions-included-in-the-net-framework
You can also upgrade the .NET Framework to 4.6 or above, which is what I did.
2. Add registry entries to disable protocols other than TLS 1.2.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

3. Add the SQL Server certificate (.pfx) in SQL Server Configuration Manager to enable encrypted connections.
https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine?view=sql-server-2017
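As an added example (not from the original post), the following read-only PowerShell check reads the Schannel protocol keys back from the live registry and reports, per protocol and side, whether the host matches the TLS 1.2-only intent of the .reg file above. It assumes the standard key layout shown in that file and the behaviour that an explicit Enabled=0 is what actually disables a protocol; it changes nothing.

```powershell
# Added example: audit Schannel protocol state after applying the .reg file.
# Read-only. Run in an elevated PowerShell so every key is readable.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # Returns one object per protocol/side with the raw values and a verdict.
    param([string[]]$Protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))

    foreach ($proto in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = "$Base\$proto\$side"
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path -Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled              # dword:ffffffff reads back as -1
                $disabledByDefault = $props.DisabledByDefault
            }
            if ($proto -eq 'TLS 1.2') {
                # TLS 1.2 must be explicitly enabled and not "disabled by default"
                # (a missing DisabledByDefault value means 0, i.e. usable).
                $ok = ($null -ne $enabled) -and ($enabled -ne 0) -and
                      (($null -eq $disabledByDefault) -or ($disabledByDefault -eq 0))
            } else {
                # Only an explicit Enabled=0 is a hard disable. A missing key means the
                # OS default applies, so "unset" is reported as not proven disabled.
                $ok = ($enabled -eq 0)
            }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                Compliant         = $ok
            }
        }
    }
}

$state = Get-SchannelProtocolState
$state | Format-Table -AutoSize
if ($state.Compliant -contains $false) {
    Write-Warning 'Host is NOT TLS 1.2 only; review the rows marked Compliant = False.'
} else {
    Write-Host 'Schannel configuration is TLS 1.2 only.'
}
```

Run it on both the IIS and the SQL Server host, since a protocol left enabled on either side is enough for a downgrade to succeed during negotiation.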
After making the changes above and restarting the servers, I was able to see the same behavior in Message Analyzer for the communication between our IIS and SQL servers.
Additional reading
https://blogs.perficient.com/2016/04/28/tsl-1-2-and-net-support/
Implications of turning off FIPS compliance policy.
https://blogs.technet.microsoft.com/secguide/2014/04/07/why-were-not-recommending-fips-mode-anymore/
Environment: SQL 2016, Windows 2012 R2.