To address the TLS and cipher suite recommendations, follow these steps in order.
- Verify SQL Server TLS 1.2 support
- Confirm that the SQL Server version and build support TLS 1.2 and that required updates are installed where applicable.
- SQL Server 2016, 2017, and 2019 on Windows ship with TLS 1.0–1.2 support; older versions (2008–2014) may require specific TLS 1.2 updates.
- If TLS 1.0 and 1.1 are disabled on the server OS, every client must be able to negotiate TLS 1.2; otherwise those connections fail.
- Check for TLS version mismatch
- Intermittent or failed connections with errors such as "the client and server cannot communicate, because they do not possess a common algorithm", "an existing connection was forcibly closed by the remote host", or generic SSL/TLS handshake failures are almost always caused by a TLS version or cipher suite mismatch between the client and the server.
- Ensure clients (drivers, runtimes) support TLS 1.2:
- For .NET clients, use .NET Framework 4.6 or later and/or explicitly enable TLS 1.2.
- For JDBC/Java clients, use a modern Microsoft JDBC driver and a Java runtime that supports TLS 1.2.
- If some clients are older and only support TLS 1.0/1.1, and those protocols are disabled on the server OS, those clients will fail to connect until upgraded.
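The checks in the steps above (server build, client runtime, and a real encrypted connection attempt) can be run from a client machine with the following PowerShell script. It is an added example, not part of the original article or a Microsoft tool: the server name is a placeholder, it uses the in-box System.Data.SqlClient with Windows authentication, and the "likely mismatch" heuristic is simply a match on the two error messages discussed above.

```powershell
# Added example (not from the original article). Checks the client's .NET Framework level,
# attempts an encrypted connection to SQL Server, and reports the server build and whether
# the session is encrypted. $ServerInstance is a placeholder you must supply.
function Test-SqlTls12Connectivity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ServerInstance,   # e.g. 'sql01.corp.example' or 'sql01,1433'
        [switch] $TrustServerCertificate                   # lab use only; skips certificate validation
    )

    # .NET Framework 4.6 and later register Release >= 393295 under this key.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $clientNet46OrLater = [bool]($ndp -and $ndp.Release -ge 393295)

    $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $builder['Data Source']            = $ServerInstance
    $builder['Integrated Security']    = $true
    $builder['Encrypt']                = $true     # force a full TLS session, not just login-packet encryption
    $builder['TrustServerCertificate'] = [bool]$TrustServerCertificate
    $builder['Connect Timeout']        = 15

    # Own session is always visible in sys.dm_exec_connections; no VIEW SERVER STATE needed.
    $query = @"
SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32)) AS ProductVersion,
       CAST(SERVERPROPERTY('ProductLevel')   AS nvarchar(32)) AS ProductLevel,
       c.encrypt_option
FROM sys.dm_exec_connections AS c
WHERE c.session_id = @@SPID;
"@

    $result = [ordered]@{
        Server             = $ServerInstance
        ClientNet46OrLater = $clientNet46OrLater
        Connected          = $false
        ProductVersion     = $null
        ProductLevel       = $null
        EncryptOption      = $null
        Tls12BuiltIn       = $null
        LikelyTlsMismatch  = $false
        Error              = $null
    }

    try {
        $conn = New-Object System.Data.SqlClient.SqlConnection $builder.ConnectionString
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            $result.Connected      = $true
            $result.ProductVersion = [string]$reader['ProductVersion']
            $result.ProductLevel   = [string]$reader['ProductLevel']
            $result.EncryptOption  = [string]$reader['encrypt_option']
            # Major version 13/14/15/16 = SQL Server 2016/2017/2019/2022: TLS 1.2 support is built in.
            # 10.x (2008/2008 R2), 11.x (2012) and 12.x (2014) need the TLS 1.2 update.
            $major = [int]($result.ProductVersion -split '\.')[0]
            $result.Tls12BuiltIn = ($major -ge 13)
        }
        $reader.Close()
        $conn.Close()
    }
    catch {
        $result.Error = $_.Exception.Message
        # Signature of a TLS version or cipher suite mismatch (see the errors quoted above).
        $result.LikelyTlsMismatch = [bool]($result.Error -match 'do not possess a common algorithm|forcibly closed')
    }
    [pscustomobject]$result
}

# Usage (placeholder server name):
# Test-SqlTls12Connectivity -ServerInstance 'sql01.corp.example' | Format-List
```

Run it once from a client that works and once from one that fails; if the failing client reports `LikelyTlsMismatch = True` while `ClientNet46OrLater` and `Tls12BuiltIn` are both true, the remaining suspect is the Schannel protocol or cipher suite configuration covered in the next steps.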
- Review custom cipher suite hardening / Group Policy
- Custom cipher suite policies can easily cause "no common algorithm" issues if misconfigured.
- On Windows servers and clients, check Group Policy:
- Computer Configuration → Administrative Templates → Network → SSL Configuration Settings → SSL Cipher Suite Order.
- Compare between a working server/client pair and a failing one to see if cipher suites differ.
- If TLS_DHE_* cipher suites are enabled and the peer does not fully support Extended Master Secret (EMS, RFC 7627) or is otherwise non-compliant, intermittent failures can occur. As a mitigation, the TLS_DHE_* suites can be disabled via Group Policy or with the Disable-TlsCipherSuite PowerShell cmdlet, as described in the referenced article on TLS connections that fail or time out.
- Ensure TLS 1.2–compatible cipher suites are available
- Use a tool such as IISCrypto or PowerShell to inspect which protocols and cipher suites are enabled on the SQL Server host and on client machines.
- Confirm that:
- TLS 1.2 is enabled in Schannel on the server OS.
- At least one strong TLS 1.2 cipher suite is enabled that is also supported by the clients.
- If cipher suites are overly restricted (for example, only a narrow set of modern ciphers enabled), older clients may not have any matching suite, causing handshake failure.
- Avoid aggressive cipher restriction until TLS 1.2 is stable
- First, get stable connectivity using a standard, recommended set of TLS 1.2 cipher suites.
- Only after confirming that all client types can connect reliably should cipher suites be further tightened.
- Changes to cipher suite order or enabling/disabling suites should be done cautiously and preferably under guidance, because incorrect changes can break existing applications.
- Diagnose "no matching cipher" situations
- If a cipher mismatch is suspected:
- Capture a network trace and inspect the TLS Client Hello and Server Hello:
- The Client Hello lists every cipher suite and protocol version the client offers.
- The Server Hello selects one of them; if there is no overlap, the server aborts the handshake without sending a Server Hello, and the client sees a handshake failure or a forcibly closed connection.
- If a network trace is not available, check the Functions value under the registry key
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002 to see which cipher suites are configured on that host (a Group Policy cipher suite order, when present, takes precedence over this list).
- If no matching suites can be identified, engage Microsoft Support with network traces or BID (built-in diagnostics) traces as described in the advanced SSL troubleshooting guidance.
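The Group Policy and Schannel checks above (protocol switches, TLS 1.2 cipher suites, the cipher suite order in the registry, and the working-versus-failing comparison) can be scripted on each host with the following PowerShell. It is an added example, not part of the original article or of any Microsoft tool: it assumes Windows 10 / Server 2016 or later for Get-TlsCipherSuite, an elevated session, and that you copy the exported snapshot files between machines yourself. The DHE mitigation at the end changes the effective cipher suite list, so try it on one host first.

```powershell
# Added example (not from the original article): audit Schannel protocol and cipher suite
# configuration on a host and diff it against a snapshot taken on another host.

function Get-SchannelProtocolState {
    # Per-protocol Server/Client switches. A missing key or value means the OS default applies.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
        foreach ($side in 'Server', 'Client') {
            $key = Get-ItemProperty -Path "$base\$proto\$side" -ErrorAction SilentlyContinue
            $enabled  = if ($null -eq $key -or $null -eq $key.Enabled) { 'OS default' } else { [bool]$key.Enabled }
            $disabled = if ($null -eq $key -or $null -eq $key.DisabledByDefault) { 'OS default' } else { [bool]$key.DisabledByDefault }
            [pscustomobject]@{ Protocol = $proto; Side = $side; Enabled = $enabled; DisabledByDefault = $disabled }
        }
    }
}

function Get-Tls12CipherSuiteReport {
    # Get-TlsCipherSuite returns the effective list (policy already applied).
    # Protocols holds TLS version numbers: 771 = 0x0303 = TLS 1.2.
    $suites = @(Get-TlsCipherSuite)
    $tls12  = @($suites | Where-Object { $_.Protocols -contains 771 })
    [pscustomobject]@{
        TotalEnabled   = $suites.Count
        Tls12Suites    = @($tls12 | ForEach-Object Name)
        DheSuites      = @($tls12 | Where-Object Name -like 'TLS_DHE_*' | ForEach-Object Name)
        # A GCM-only list strands older clients; keep an eye on how many TLS 1.2 CBC suites remain.
        Tls12CbcSuites = @($tls12 | Where-Object Name -like '*_CBC_*' | ForEach-Object Name)
    }
}

function Get-CipherSuiteOrderSource {
    # Group Policy "SSL Cipher Suite Order" writes a comma-separated REG_SZ 'Functions' under the
    # Policies key; the OS default order is the REG_MULTI_SZ 'Functions' under ...\Local\SSL\00010002.
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -ErrorAction SilentlyContinue
    $local  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002' -ErrorAction SilentlyContinue
    $policySuites = if ($policy -and $policy.Functions) { @($policy.Functions -split ',') } else { @() }
    $localSuites  = if ($local  -and $local.Functions)  { @($local.Functions) }            else { @() }
    [pscustomobject]@{ PolicyApplied = ($policySuites.Count -gt 0); PolicySuites = $policySuites; LocalSuites = $localSuites }
}

function Export-SchannelSnapshot {
    # Run on each host of a client/server pair and copy the files to one place for comparison.
    param([Parameter(Mandatory)][string]$Path)
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Protocols = @(Get-SchannelProtocolState)
        Suites    = Get-Tls12CipherSuiteReport
        Order     = Get-CipherSuiteOrderSource
    } | Export-Clixml -Path $Path
}

function Compare-SchannelSnapshot {
    # Suites present on only one side are the first suspects for "no common algorithm".
    param([Parameter(Mandatory)][string]$WorkingPath, [Parameter(Mandatory)][string]$FailingPath)
    $ok  = Import-Clixml $WorkingPath
    $bad = Import-Clixml $FailingPath
    $okSuites  = @($ok.Suites.Tls12Suites)
    $badSuites = @($bad.Suites.Tls12Suites)
    if ($badSuites.Count -eq 0) { throw "$($bad.Host) has no TLS 1.2 cipher suites enabled; nothing can be negotiated." }
    if ($okSuites.Count  -eq 0) { throw "$($ok.Host) has no TLS 1.2 cipher suites enabled; check the snapshot." }
    $common = @($okSuites | Where-Object { $badSuites -contains $_ })
    [pscustomobject]@{
        CommonTls12Suites = $common
        OnlyOnWorking     = @($okSuites  | Where-Object { $badSuites -notcontains $_ })
        OnlyOnFailing     = @($badSuites | Where-Object { $okSuites  -notcontains $_ })
        FailingTls12Server = @($bad.Protocols | Where-Object { $_.Protocol -eq 'TLS 1.2' -and $_.Side -eq 'Server' })
    }
}

# Usage:
#   Export-SchannelSnapshot -Path "C:\temp\$env:COMPUTERNAME.xml"        # on each machine
#   Compare-SchannelSnapshot -WorkingPath C:\temp\good.xml -FailingPath C:\temp\bad.xml
# Mitigation from the article for intermittent DHE/EMS failures (elevated; test on one host first):
#   Get-TlsCipherSuite | Where-Object Name -like 'TLS_DHE_*' | ForEach-Object { Disable-TlsCipherSuite -Name $_.Name }
```

Note that the snapshot compares the effective cipher suite list, which is what Schannel actually offers or accepts; if `PolicyApplied` is true on one machine and not the other, the Group Policy cipher suite order is the difference to chase before looking at anything else.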
- Be aware of TLS 1.2–specific SQL Server issues
- For Availability Groups / Database Mirroring endpoints that use certificates, TLS 1.2 requires endpoint certificates that do not use MD5 as the hash algorithm. If MD5 is used, encrypted endpoint connections fail with "they do not possess a common algorithm".
- For older SQL Server versions (2008/2008 R2/early 2014), install the documented TLS 1.2 updates to avoid known issues such as intermittent service termination.
- Operational checklist
- For each affected client–server pair:
- Confirm SQL Server build supports TLS 1.2 and required updates are installed.
- Confirm Windows Server version supports TLS 1.2 and that TLS 1.2 is enabled in Schannel.
- Confirm client OS/runtime (Windows, .NET, Java, drivers) supports TLS 1.2 and has it enabled.
- Compare cipher suite configuration (Group Policy / registry) between working and failing machines.
- Temporarily relax overly strict cipher suite restrictions to validate that connectivity stabilizes.
- If issues persist, capture a TLS handshake trace and analyze Client Hello/Server Hello for version and cipher overlap.
References:
- TLS 1.2 support for Microsoft SQL Server
- Basic guide to upgrading SQL Server and clients to TLS 1.2
- "Client unable to establish connection" error after implementing the cipher suite policies on a SQL Server machine
- SSL errors are reported after upgrading to TLS 1.2
- Applications experience forcibly closed TLS connection errors when connecting SQL Servers in Windows
- Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption
- Sql Server 2014 connectivity issue after Windows patch update - Microsoft Q&A
- How to fix com.microsoft.sqlserver.jdbc.TDSChannel enableSSL WARNING: SSL handshake failed: No appropriate protocol (protocol is disabled or cipher suites are inappropriate) - Microsoft Q&A
- The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Unexpected rethrowing" - SSL error - Microsoft Q&A
- Cannot connect to SQL Server - Microsoft Q&A
- Accessing SQL Server 2022 from Windows XP - Microsoft Q&A