Scenario for ENCRYPT_NOT_SUP

David Qin 6 Reputation points
2022-12-16T18:33:24.453+00:00

According to https://learn.microsoft.com/en-us/openspecs/sql_server_protocols/ms-sstds/75e62f67-f057-4d46-82b3-6920fe0ebada ,
there are 4 options for the ENCRYPTION field. I want to know in what scenario the ENCRYPTION field for client or server is ENCRYPT_NOT_SUP.

I would like to create an environment in which both server and client are on ENCRYPT_NOT_SUP, so I can capture the clear-text credential by using Wireshark.

Thanks!

SQL Server | Other

2 answers

  1. Bruce (SqlWork.com) 77,766 Reputation points Volunteer Moderator
    2022-12-16T19:03:24.31+00:00

    For SSL, there is TLS 1.0, 1.1, 1.2 and 1.3; the handshake decides on the highest version supported by both sides. The client tries for 1.3, but gets back no support, then it tries 1.2, down to the min supported by the client. If no match, the handshake fails. There is no SSL unencrypted support.

    If you want unencrypted, use HTTP or an SSL proxy, which Wireshark supports.


  2. David Qin 6 Reputation points
    2022-12-16T20:23:44.723+00:00

    Thanks Bruce for your response.

    I am not sure if I understand your answer. ENCRYPT_NOT_SUP is part of the TDS protocol, used by all versions of TLS, 1.0/1.1/1.2/1.3.

    I am not worried about the handshake process or how TLS falls back from 1.3 to 1.0.

    My goal is to set up an environment in which both server and client communicate on ENCRYPT_NOT_SUP. According to the link I provided in my post, if I can create this environment, I should be able to capture the credential in clear-text.

    I want to limit the test environment to using the TDS protocol for the client to connect to SQL Server; I don't want to use HTTP or any proxy for man-in-the-middle.
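
For auditing which connections negotiate without TLS, the ENCRYPTION option discussed in this thread can be read from captured PRELOGIN bytes. The following is an added example, not part of any post above: the function names and sample packets are constructed for illustration, and each input is assumed to be one whole, unfragmented PRELOGIN packet.

```python
import struct

# ENCRYPTION option values defined by MS-TDS for PRELOGIN.
ENCRYPTION_NAMES = {0x00: "ENCRYPT_OFF", 0x01: "ENCRYPT_ON",
                    0x02: "ENCRYPT_NOT_SUP", 0x03: "ENCRYPT_REQ"}
PRELOGIN_TYPES = (0x12, 0x04)  # client PRELOGIN, server reply (tabular result)
HEADER_LEN = 8


def prelogin_encryption(packet: bytes) -> str:
    """Name the ENCRYPTION option carried by one PRELOGIN packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than a TDS header")
    ptype, _status, length = struct.unpack_from(">BBH", packet)
    if ptype not in PRELOGIN_TYPES:
        raise ValueError(f"unexpected TDS packet type 0x{ptype:02x}")
    if not HEADER_LEN <= length <= len(packet):
        raise ValueError("TDS length field does not match the captured bytes")
    payload = packet[HEADER_LEN:length]
    pos = 0
    # Option table entries: token (1), offset (2), length (2), big-endian;
    # offsets count from the start of the payload; 0xFF ends the table.
    while pos < len(payload) and payload[pos] != 0xFF:
        if pos + 5 > len(payload):
            raise ValueError("truncated option table")
        token, offset, optlen = struct.unpack_from(">BHH", payload, pos)
        if token == 0x01:  # ENCRYPTION
            if optlen != 1 or offset >= len(payload):
                raise ValueError("malformed ENCRYPTION option")
            value = payload[offset]
            return ENCRYPTION_NAMES.get(value, f"UNKNOWN(0x{value:02x})")
        pos += 5
    raise ValueError("no ENCRYPTION option in PRELOGIN")


def sides_without_tls(client_pkt: bytes, server_pkt: bytes) -> list[str]:
    """List which side(s) of a PRELOGIN exchange sent ENCRYPT_NOT_SUP."""
    pkts = (("client", client_pkt), ("server", server_pkt))
    return [side for side, p in pkts if prelogin_encryption(p) == "ENCRYPT_NOT_SUP"]


def sample_prelogin(ptype: int, enc: int) -> bytes:
    """Constructed test packet: VERSION and ENCRYPTION options only."""
    table = struct.pack(">BHH", 0x00, 11, 6) + struct.pack(">BHH", 0x01, 17, 1) + b"\xff"
    payload = table + bytes(6) + bytes([enc])
    return struct.pack(">BBHHBB", ptype, 0x01, HEADER_LEN + len(payload), 0, 1, 0) + payload


if __name__ == "__main__":
    print(sides_without_tls(sample_prelogin(0x12, 0x00), sample_prelogin(0x04, 0x02)))
```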

