Encryption and certificate validation in OLE DB

Applies to: SQL Server Azure SQL Database Azure SQL Managed Instance Azure Synapse Analytics Analytics Platform System (PDW)

Download OLE DB driver

SQL Server always encrypts network packets associated with logging in. If no certificate has been provisioned on the server when it starts up, SQL Server generates a self-signed certificate, which is used to encrypt login packets.

Self-signed certificates don't guarantee security. The encrypted handshake is based on NT LAN Manager (NTLM). It's highly recommended you provision a verifiable certificate on SQL Server for secure connectivity. Transport Security Layer (TLS) can be made secure only with certificate validation.

Applications may also request encryption of all network traffic by using connection string keywords or connection properties. The keywords are "Encrypt" for OLE DB when using a provider string with IDbInitialize::Initialize, or "Use Encryption for Data" for ADO and OLE DB when using an initialization string with IDataInitialize. Encryption may also be configured on the client machine in the registry using the Force Protocol Encryption option. For more information, see Registry settings. By default, encryption of all network traffic for a connection requires a certificate being provisioned on the server. By setting your client to trust the certificate on the server, you might become vulnerable to man-in-the-middle attacks. If you deploy a verifiable certificate on the server, ensure you change the client settings about trusting the certificate to FALSE.

For information about connection string keywords, see Using connection string keywords with OLE DB driver for SQL Server.

To enable encryption to be used when a certificate hasn't been provisioned on the server, the Force Protocol Encryption and the Trust Server Certificate client registry settings can be set. In this case, encryption uses a self-signed server certificate without validation if no verifiable certificate has been provisioned on the server.

Encryption and certificate validation behavior

Application settings never reduce the level of security set in the registry, but may strengthen it. For more information, see Registry settings. For example, if Force Protocol Encryption isn't set for the client, an application may request encryption itself. To guarantee encryption even when a server certificate hasn't been provisioned, an application may request encryption and enable TrustServerCertificate. However, if TrustServerCertificate isn't enabled in the client configuration, a provisioned server certificate is still required.

Version 19 of the OLE DB Driver for SQL Server introduces breaking changes in the encryption related APIs. For more information, see Encryption property changes.

Major version 19

The following table describes the evaluation of the encryption settings:

Force Protocol Encryption client setting Connection string/connection attribute Encrypt/Use Encryption for Data Resulting encryption
0 No/Optional Optional
0 Yes/Mandatory (default) Mandatory
0 Strict Strict
1 No/Optional Mandatory
1 Yes/Mandatory (default) Mandatory
1 Strict Strict
2 Ignored Strict

The following table describes the resulting encryption and validation:

Encryption Trust Server Certificate client setting Connection string/connection attribute Trust Server Certificate Result
Optional N/A N/A Encryption only occurs for LOGIN packets.
Mandatory 0 Ignored Encryption occurs only if there's a verifiable server certificate, otherwise the connection attempt fails.
Mandatory 1 No (default) Encryption occurs only if there's a verifiable server certificate, otherwise the connection attempt fails.
Mandatory 1 Yes Encryption always occurs, but may use a self-signed server certificate.
Strict N/A N/A Encryption occurs only if there's a verifiable server certificate, otherwise the connection attempt fails.

Caution

The preceding table only provides a guide on the system behavior under different configurations. For secure connectivity, ensure that the client and server both require encryption (for server-side configuration, see Configure encryption settings in SQL Server). Also ensure that the server has a verifiable certificate, and that the TrustServerCertificate setting on the client is set to FALSE.

Note

Starting from version 19.2 of the OLE DB driver, TDS 8.0 connections can be configured to use TLS 1.3. For more information, see TLS 1.3 support.

Major version 18 with new authentication methods

For versions 18.x.x, to improve security, when the new Authentication or Access Token connection string keywords (or their corresponding properties) are used, the driver overrides the default encryption value by setting it to yes. Overriding happens at data source object initialization time. If encryption is set before initialization via any means, the value is respected and not overridden.

Note

In ADO applications and in applications that obtain the IDBInitialize interface through IDataInitialize::GetDataSource, the Core Component implementing the interface explicitly sets encryption to its default value of no. As a result, the new authentication properties/keywords respect this setting and the encryption value isn't overridden. Therefore, it is recommended that these applications explicitly set Use Encryption for Data=true to override the default value.

To improve security, the new authentication methods respect the TrustServerCertificate setting (and its corresponding connection string keywords/properties) independently of the client encryption setting. As a result, server certificate is validated by default. The driver determines whether to validate the server certificate as follows:

Trust Server Certificate client setting Connection string/connection attribute Trust Server Certificate Certificate validation
0 No (default) Yes
0 Yes Yes
1 No (default) Yes
1 Yes No

The following table describes the evaluation of the encryption settings:

Force Protocol Encryption client setting Connection string/connection attribute Encrypt/Use Encryption for Data Resulting encryption
0 No (default) No
0 Yes Yes
1 No (default) Yes
1 Yes Yes

The following table describes the resulting encryption and validation:

Resulting encryption Certificate validation Result
No No Encryption only occurs for LOGIN packets.
No Yes Encryption occurs for LOGIN packets only if there's a verifiable server certificate, otherwise the connection attempt fails.
Yes No Encryption of all network traffic always occurs, but may use a self-signed server certificate.
Yes Yes Encryption of all network traffic occurs only if there's a verifiable server certificate, otherwise the connection attempt fails.

Major version 18 with legacy authentication methods

The following table describes the encryption and validation outcome for legacy authentication methods:

Force Protocol Encryption client setting Trust Server Certificate client setting Connection string/connection attribute Encrypt/Use Encryption for Data Connection string/connection attribute Trust Server Certificate Result
0 N/A No (default) N/A Encryption only occurs for LOGIN packets.
0 N/A Yes No (default) Encryption of all network traffic occurs only if there's a verifiable server certificate, otherwise the connection attempt fails.
0 N/A Yes Yes Encryption of all network traffic always occurs, but may use a self-signed server certificate.
1 0 Ignored Ignored Encryption of all network traffic occurs only if there's a verifiable server certificate, otherwise the connection attempt fails.
1 1 No (default) N/A Encryption of all network traffic always occurs, but may use a self-signed server certificate.
1 1 Yes No (default) Encryption of all network traffic occurs only if there's a verifiable server certificate, otherwise the connection attempt fails.
1 1 Yes Yes Encryption of all network traffic always occurs, but may use a self-signed server certificate.

See also

OLE DB Driver for SQL Server Features
Initialization and authorization properties
Connection string keywords
Major version differences
Registry settings