Impact on Azure SQL Database due to End of TLS1.0/1.1 Support

bamboo 21 Reputation points
2024-05-06T03:29:01.35+00:00

I am currently using Azure SQL Database without specifying a minimal TLS version, but will I be affected by the TLS 1.0/1.1 discontinuation on 10/31/2024 and will I be unable to connect with less than TLS 1.2?

Will the minimal version of TLS, which is not currently specified, be forced to be set to TLS 1.2 after 10/31/2024?

There is some documentation on blob storage and other information such as TLS1.2 or later is required, but I could not find it for Azure SQL Database.

Azure SQL Database

Accepted answer
  ShaktiSingh-MSFT 14,166 Reputation points Microsoft Employee
    2024-05-06T08:25:47.3733333+00:00

    Hi bamboo,

    Welcome to Microsoft Q&A forum.

    As I understand, you want to know the impact of TLS support end on Azure SQL Database.

    The minimal Transport Layer Security (TLS) version setting allows customers to choose which version of TLS their SQL database uses. It's possible to change the minimum TLS version by using the Azure portal, Azure PowerShell, and the Azure CLI.

    Currently, we support TLS 1.0, 1.1, and 1.2. Setting a minimal TLS version ensures that newer TLS versions are supported. For example, choosing a TLS version 1.1 means only connections with TLS 1.1 and 1.2 are accepted, and connections with TLS 1.0 are rejected. After you test to confirm that your applications support it, we recommend setting the minimal TLS version to 1.2. This version includes fixes for vulnerabilities in previous versions and is the highest version of TLS that's supported in Azure SQL Database.

    Note:

    The default for the minimal TLS version is to allow all versions. After you enforce a version of TLS, it's not possible to revert to the default.

    For customers with applications that rely on older versions of TLS, we recommend setting the minimal TLS version according to the requirements of your applications. If application requirements are unknown or workloads rely on older drivers that are no longer maintained, we recommend not setting any minimal TLS version.

    For more information, see TLS considerations for SQL Database connectivity.

    After you set the minimal TLS version, customers who are using a TLS version lower than the minimum TLS version of the server will fail to authenticate, with the following error:

    Error 47072

    Login failed with invalid TLS version

    Note

    When you configure a minimum TLS version, that minimum version is enforced at the application layer. Tools that attempt to determine TLS support at the protocol layer might return TLS versions in addition to the minimum required version when run directly against the SQL Database endpoint.

    In the Azure portal, go to your SQL server resource. Under the Security settings, select Networking and then choose the Connectivity tab. Select the Minimum TLS Version desired for all databases associated with the server, and select Save.

    [Screenshot: Connectivity tab of the Networking settings for the logical server, with the Minimal TLS Version drop-down selected.]

    Reference: https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings?view=azuresql&tabs=azure-portal

    Hope this helps. Let us know if you have more queries.

    Thanks


1 additional answer

  ShaktiSingh-MSFT 14,166 Reputation points Microsoft Employee
    2024-05-07T05:06:07.8766667+00:00

    Thanks for providing the details.

    Please refer here:

    https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls

    https://github.com/dotnet/docs/issues/4675

    After you set the minimal TLS version, customers who are using a TLS version lower than the minimum TLS version of the server will fail to authenticate, with the following error:

    Error 47072 Login failed with invalid TLS version

    Transport Layer Security (TLS) is used by all drivers that Microsoft supplies or supports for connecting to databases in Azure SQL Database or Azure SQL Managed Instance. No special configuration is necessary. For all connections to a SQL Server instance, a database in Azure SQL Database, or an instance of Azure SQL Managed Instance, we recommend that all applications set the following configurations, or their equivalents:

    • Encrypt = On
    • TrustServerCertificate = Off

    Some systems use different yet equivalent keywords for those configuration keywords. These configurations ensure that the client driver verifies the identity of the TLS certificate received from the server.

    Refer: https://learn.microsoft.com/en-us/azure/azure-sql/database/connect-query-content-reference-guide?view=azuresql#tls-considerations-for-database-connectivity

    We also recommend that you disable TLS 1.1 and 1.0 on the client if you need to comply with Payment Card Industry - Data Security Standard (PCI-DSS).

    Non-Microsoft drivers might not use TLS by default. This can be a factor when connecting to Azure SQL Database or Azure SQL Managed Instance. Applications with embedded drivers might not allow you to control these connection settings. We recommend that you examine the security of such drivers and applications before using them on systems that interact with sensitive data. I will also check with the internal team on your ask.

    Thank you.

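As an added example (not from the Q&A thread, Microsoft's documentation or any driver), here is a small Python audit of the Encrypt / TrustServerCertificate settings the answer above recommends, run over constructed connection strings. The keyword matching (case and whitespace ignored, so "Trust Server Certificate" equals "TrustServerCertificate") and the value spellings (true/yes/mandatory/strict versus false/no/optional) are assumptions modelled on SqlClient and ODBC conventions, not a driver reference.

```python
"""Audit SQL connection strings for Encrypt=On / TrustServerCertificate=Off.

Added example; not code from the Q&A thread or from Microsoft.
"""
import re

# Assumption: boolean spellings accepted by SqlClient/ODBC (true/false, yes/no)
# plus the Encrypt-specific modes mandatory/optional/strict of newer drivers.
TRUE_VALUES = {"true", "yes", "mandatory", "strict"}
FALSE_VALUES = {"false", "no", "optional"}


def parse_connection_string(conn_str: str) -> dict:
    """Parse 'Key=Value;Key=Value' into {normalised_key: value}.

    Keys are lower-cased with whitespace removed so the "different yet
    equivalent keywords" of various drivers compare equal. A value wrapped in
    {...} (e.g. a password containing ';') is kept whole, braces stripped.
    """
    pairs = re.findall(r"\s*([^=;]+?)\s*=\s*(\{[^}]*\}|[^;]*)\s*(?:;|$)", conn_str)
    settings = {}
    for key, value in pairs:
        norm_key = re.sub(r"\s+", "", key).lower()
        settings[norm_key] = value[1:-1] if value.startswith("{") else value.strip()
    return settings


def audit_tls_settings(conn_str: str) -> list:
    """Return findings; an empty list means the string follows the recommendation."""
    s = parse_connection_string(conn_str)
    encrypt = s.get("encrypt", "").lower()
    trust = s.get("trustservercertificate", "").lower()
    findings = []
    if encrypt in FALSE_VALUES:
        # Azure SQL still forces encryption server-side, but with Encrypt off the
        # client does not validate the certificate it receives.
        findings.append("Encrypt is off: client neither requires encryption nor validates the server certificate.")
    elif encrypt not in TRUE_VALUES:
        findings.append("Encrypt not set: the driver default applies, which differs by driver and version.")
    if trust in TRUE_VALUES:
        findings.append("TrustServerCertificate is on: the server certificate is never validated.")
    return findings


if __name__ == "__main__":
    # Constructed sample strings, not real credentials or servers.
    for cs in ("Server=tcp:example.database.windows.net,1433;Encrypt=True;TrustServerCertificate=False;User ID=u;Password={p;w}",
               "Server=tcp:example.database.windows.net,1433;Encrypt=yes;Trust Server Certificate=yes;User ID=u;Password=x"):
        print(cs.split(";")[0], "->", audit_tls_settings(cs) or "OK")
```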