MSOLEDBSQL19 driver seems to ignore TrustServerCertificate=yes if SQL Server Force Encryption is yes

Mitch Gershonowitz 25 Reputation points
2023-06-29T16:59:55.2+00:00
  • Microsoft SQL Server 2019 with GDR 2101 (KB5021125) is installed on a Windows Server 2019 computer.
  • The SQL Server has a self-signed certificate and is configured with Force Encryption = yes.
  • A Windows Server 2012 R2 computer has Microsoft OLEDB Driver 19 for SQL Server installed (v19.3.1.0).
  • An application is running on this server that uses OLE DB to reach the SQL Server. The connection string is:

Provider=MSOLEDBSQL19;Server=STATENISLAND;Database=CATALOG;Trusted_Connection=yes;TrustServerCertificate=yes;Use Encryption for Data=Optional;

The connection fails with: "SSL Provider: The certificate chain was issued by an authority that is not trusted."

Yes, that is true, but I am specifying "TrustServerCertificate=yes;" in the connection string. It does connect OK if Force Encryption = no on the SQL Server but gives this certificate chain error if Force Encryption = yes.

Why is the driver ignoring the "TrustServerCertificate=yes" connection string parameter?

Note: On the W 2012R2 server, registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\SNI19.0\GeneralFlags\Flag2 = 0x1.

Thank you.

SQL Server | Other
0 comments No comments
{count} vote

Accepted answer
  1. Bernd 80 Reputation points
    2023-07-04T07:22:09.4633333+00:00

    I also think that the "Trust server certificate" (SSPROP_INIT_TRUST_SERVER_CERTIFICATE) property in "Microsoft OLE DB Driver 19 for SQL Server" does not work:

    It is impossible to open an encrypted connection to a sql server with this driver without using a server certificate. Thus this driver is less secure than the previous versions 18.x for this case.

    You can easily verify this problem by trying to connect to a sql server without a certificate using an udl-connection:

    With encryption set to "Mandatory" the connection will always fail, although "Trust server certificate" is set to "True" and the server does not enforce encryption.

    The documenation in this point is wrong:

    https://learn.microsoft.com/en-us/sql/connect/oledb/help-topics/data-link-pages?view=sql-server-ver16

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Anonymous
    2023-06-30T05:49:37.86+00:00

    Hi @Mitch Gershonowitz

    I think maybe your string is set wrong.

    According to the official documentation, "Add ;TrustServerCertificate=true to the connection string. This will force the client to trust the certificate without validation."

    For more details, you can refer to this documentation: https://learn.microsoft.com/en-us/troubleshoot/sql/database-engine/connect/certificate-chain-not-trusted?tabs=ole-db-driver-19.

    If the answer is helpful, please click Accept Answer and Up-Vote for the same. If you have any questions, please feel free to let me know.

    Best regards,

    Aniya


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.