Windows 11 22h2 update breaking connections to legacy SQL Servers?

Ryan Waddell 56 Reputation points
2022-11-18T17:15:49.707+00:00

We've got a legacy SQL server (2008 R2 SP3) running in our environment right now (I know - plans are in place to migrate to 2019 and eventually SQL Azure, but these things move slowly) and everything was fine with it until I installed the Windows 11 22h2 update this morning. Now it's throwing this error in SSMS 19 (latest):

A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - An existing connection was forcibly closed by the remote host.) (Microsoft SQL Server, Error: 10054)

Nothing can connect to this database from my machine now - not Toad, not my local build of my app connecting through EF Core, not even old-school ODBC connections in Windows itself (though that throws a different error - SQLState 08001 SQL Server Error 18).

I'm leaning towards this probably being TLS-related somehow; I know that we don't have the TLS 1.2 patch on our SQL Server install yet, but I can't exactly install it mid-day on a production environment just because I can't work. I can connect to SQL 2019 servers as well. Anybody have any thoughts on what changed in 22h2 that I might be able to disable to get myself back up and running?


Accepted answer
  1. Paul G. Atkinson 146 Reputation points
    2022-11-22T20:10:06.69+00:00

    The answer most likely is updating your cipher suite; Windows 22H2 changed the default TLS cipher suites. The following were removed from the default: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA", per the article https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-11

    I ran into the same issue, so I just updated the SSL Cipher Suite per instructions https://support.microsoft.com/en-us/topic/update-to-add-new-cipher-suites-to-internet-explorer-and-microsoft-edge-in-windows-548427db-ed06-5521-fe8b-d525ab573022. The list I used was the one that was used for Windows prior to the 22H2 (22621.819) update:

    TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA,TLS_PSK_WITH_AES_256_GCM_SHA384,TLS_PSK_WITH_AES_128_GCM_SHA256,TLS_PSK_WITH_AES_256_CBC_SHA384,TLS_PSK_WITH_AES_128_CBC_SHA256,TLS_PSK_WITH_NULL_SHA384,TLS_PSK_WITH_NULL_SHA256

    Disclaimer: Please be advised that this response is to answer the question that was given and obviously does not follow best practice procedures. Microsoft disabled this encryption for a reason. If you are like me and have older servers that need to keep running while you come up with a long-term solution to discontinue them then the above solution will keep you operational.

    14 people found this answer helpful.
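
The check below is an added example, not part of the original thread. It reports which of the three suites the accepted answer names as removed are currently enabled, whether a Group Policy list overrides local changes, and enables a single named suite rather than the whole pre-22H2 list. The function names are hypothetical; Get-TlsCipherSuite, Enable-TlsCipherSuite and Disable-TlsCipherSuite are the built-in TLS module cmdlets.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# Suite names are copied from the accepted answer; function names are hypothetical.
$RemovedIn22H2 = @(
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
)

function Get-LegacySuiteState {
    # One row per suite the answer lists as removed, with its current state.
    $enabled = (Get-TlsCipherSuite).Name
    foreach ($suite in $RemovedIn22H2) {
        [pscustomobject]@{
            Suite   = $suite
            Enabled = $enabled -contains $suite
            Is3DES  = $suite -match '_3DES_'
        }
    }
}

function Test-CipherSuitePolicy {
    # The Group Policy "SSL Cipher Suite Order" setting is stored in this value
    # and takes precedence over the local list the TLS cmdlets edit.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $value = Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue
    return [bool]($value -and $value.Functions)
}

function Enable-OneLegacySuite {
    param([Parameter(Mandatory)][string]$Name)
    # Refuse anything outside the three suites under discussion.
    if ($RemovedIn22H2 -notcontains $Name) { throw "Not a 22H2-removed suite: $Name" }
    if (Test-CipherSuitePolicy) {
        throw 'Cipher suite order is set by Group Policy; change it there instead.'
    }
    if ((Get-TlsCipherSuite).Name -contains $Name) { return "already enabled: $Name" }
    Enable-TlsCipherSuite -Name $Name
    return "enabled: $Name (roll back with Disable-TlsCipherSuite -Name $Name)"
}

# Report first; enable a suite only once you know which one the server negotiates.
Get-LegacySuiteState | Format-Table -AutoSize
"Policy override present: $(Test-CipherSuitePolicy)"
# Enable-OneLegacySuite -Name '<one suite from $RemovedIn22H2>'
```

Enable one suite at a time and retest the connection after each, so that only the suite the legacy server actually needs stays enabled.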

2 additional answers

  1. Seeya Xi-MSFT 16,436 Reputation points
    2022-11-21T08:01:44.007+00:00

    Hi @Ryan Waddell ,

    For better troubleshooting, I would like to confirm with you what SQL Server version you are using. You can check the compatibility of SQL Server with your operating system against this link.
    Also, TLS 1.2 is more secure than previous versions. You can read this: KB3135244 - TLS 1.2 support for Microsoft SQL Server.

    Best regards,
    Seeya




  2. Robert Siuta 0 Reputation points
    2023-05-30T07:49:06.42+00:00

    I can't connect from Windows 11 to SQL 2005 on Windows Server 2003. Probably W11 connects but drops the connection due to TLS 1.0. On W10 there is no problem; the problem is only with W11. I tried editing the W11 registry key, but it didn't help. What else can I do? Yes, I know W2003 is an old system, but it works. I will not update SQL due to bugs or strange policy in W11.
