Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
The go-mssqldb driver supports multiple encryption modes and certificate validation strategies for connections to SQL Server and Azure SQL. This article explains each encryption mode, how to configure certificate validation, and when to use TDS 8.0 strict mode.
Choose a TLS configuration
Use this table to choose the safest option that fits your environment before you tune individual parameters.
| Scenario | Recommended settings | Why |
|---|---|---|
| Azure SQL or SQL Server 2022 and later versions, and you want the strongest default protection | encrypt=strict |
TDS 8.0 performs the TLS handshake before TDS negotiation and always validates the certificate. |
| The server certificate chains to a trusted public or corporate CA | encrypt=true |
Standard certificate validation is usually enough when the host name and trust chain are already correct. |
| The server uses a private CA that isn't in the system trust store | encrypt=true&certificate=/path/to/ca-cert.pem |
Adds the CA certificate to a custom trust pool and keeps normal chain validation. |
| The server uses a self-signed certificate and you want certificate pinning | encrypt=true&serverCertificate=/path/to/server.pem |
Compares the exact server certificate byte-for-byte instead of relying on a CA chain. |
| Local development or temporary test environments only | encrypt=true&TrustServerCertificate=true |
Keeps encryption on, but skips server identity validation. Don't use this setting in production. |
Encryption modes
Set the encrypt connection parameter to one of the following values:
| Value | Behavior |
|---|---|
strict |
TDS 8.0 encryption. The TLS handshake happens before the TDS connection negotiation. Requires SQL Server 2022 or Azure SQL. |
true or mandatory |
The connection is encrypted after the TDS prelogin handshake. |
false or optional |
Encryption is used only if the server requires it. This is the default when encrypt isn't specified. Azure SQL always requires encryption server-side, so connections to Azure SQL are encrypted regardless of this setting. |
disable |
No encryption. Not recommended for production. |
Example
Enable encryption in the connection string by using the encrypt parameter:
sqlserver://<user>:<password>@<server>:1433?database=AdventureWorks2025&encrypt=true
Certificate validation
When you enable encryption (encrypt=true or encrypt=strict), the driver validates the server certificate unless you set TrustServerCertificate=true. Two independent approaches exist for this validation.
Chain validation by using the certificate parameter
Provide a PEM or DER certificate file. The driver adds the certificate to a custom trust pool and performs standard X.509 chain validation against that pool:
sqlserver://<user>:<password>@<server>:1433?database=AdventureWorks2025&encrypt=true&certificate=/path/to/ca-cert.pem
Byte-level comparison by using the serverCertificate parameter
Note
The serverCertificate parameter was introduced in driver v1.9.6.
Provide a PEM or DER file containing the exact server certificate. The driver compares the server's certificate byte-for-byte against the provided file. The driver doesn't perform chain validation. This approach is useful for self-signed certificates:
sqlserver://<user>:<password>@<server>:1433?database=AdventureWorks2025&encrypt=true&serverCertificate=/path/to/server.pem
Host name override
By default, the driver validates that the certificate's Common Name (CN) or Subject Alternative Name (SAN) matches the server host name. Use hostnameincertificate to override the expected host name:
sqlserver://<user>:<password>@10.0.0.5:1433?database=AdventureWorks2025&encrypt=true&hostnameincertificate=<server>.domain.com
Skip certificate validation
Set TrustServerCertificate=true to skip all certificate validation. The connection is still encrypted, but the server identity isn't verified:
sqlserver://<user>:<password>@<server>:1433?database=AdventureWorks2025&encrypt=true&TrustServerCertificate=true
Caution
Setting TrustServerCertificate=true exposes the connection to adversary-in-the-middle attacks. Use this option only for development and testing.
TDS 8.0 strict mode
TDS 8.0 (strict encryption) performs the TLS handshake before any TDS protocol negotiation. This approach prevents an attacker from downgrading the entire connection. TDS 8.0 requires SQL Server 2022 or Azure SQL:
sqlserver://<user>:<password>@<server>:1433?database=AdventureWorks2025&encrypt=strict
In strict mode, the TrustServerCertificate parameter is ignored. Certificate validation always occurs, using the system trust store by default. You can supply certificate or serverCertificate for custom validation.
Minimum TLS version
Use the tlsmin parameter to enforce a minimum TLS version:
sqlserver://<user>:<password>@<server>:1433?database=AdventureWorks2025&encrypt=true&tlsmin=1.2
Valid values: 1.0, 1.1, 1.2, 1.3.
Encryption parameter summary
| Parameter | Default | Description |
|---|---|---|
encrypt |
false |
Encryption mode. Azure SQL always requires encryption server-side regardless of this setting. |
TrustServerCertificate |
Depends on encrypt |
Skip certificate validation when true. The default is false when encrypt is specified and true when encrypt is omitted. |
certificate |
- | PEM/DER file path for chain validation. |
serverCertificate |
- | PEM/DER file path for byte-level comparison. |
hostnameincertificate |
- | Override expected host name in certificate. |
tlsmin |
- | Minimum TLS version. |