SQL based application errors out when trying to access SQL over network

RamyA 0 Reputation points
2023-04-27T19:48:55.15+00:00

I have a legacy SQL-based app running within a VM. When it tries to access SQL server (using SQL authentication), the following message appears in the Event Viewer on the SQL server machine (Windows 11): "An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed. The SSPI client process is sqlservr". The application within the VM worked fine when the SQL Server was on a Windows 10 machine, but broke when I moved SQL Server to Windows 11. Pulling out my hair trying to figure out what went wrong.

SQL Server
Windows 11

3 answers

  1. Erland Sommarskog 107.2K Reputation points
    2023-04-27T20:16:09.6366667+00:00

    TLS 1.0 is very old and mouldy. Sometimes things go wrong in the software world, because you don't do anything. You would need to upgrade the VM and the app, so that it uses TLS 1.2.

  2. AniyaTang-MSFT 12,421 Reputation points Microsoft Vendor
    2023-04-28T03:15:07.3666667+00:00

    Hi @RamyA

    You can check if your Windows 11 has TLS 1.0 enabled.

    I agree with Erland's suggestion. Earlier versions of TLS may have some vulnerabilities, and it may be better to use a new version of TLS.

    Best regards,

    Aniya

  3. Limitless Technology 44,126 Reputation points
    2023-04-28T14:43:04.1933333+00:00

    Hello,

    I imagine that you have already checked the TLS 1.0 enablement in Windows 11, so I propose an alternative path of investigation that can be useful.

    The answer most likely is updating your cipher suites: Windows 22H2 changed the default TLS cipher suites. The following were removed from the defaults: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA", per the article https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-11

    I ran into the same issue, so I just updated the SSL cipher suites per the instructions at https://support.microsoft.com/en-us/topic/update-to-add-new-cipher-suites-to-internet-explorer-and-microsoft-edge-in-windows-548427db-ed06-5521-fe8b-d525ab573022. The list I used was the one that was used for Windows prior to the 22H2 (22621.819) update:

    TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA,TLS_PSK_WITH_AES_256_GCM_SHA384,TLS_PSK_WITH_AES_128_GCM_SHA256,TLS_PSK_WITH_AES_256_CBC_SHA384,TLS_PSK_WITH_AES_128_CBC_SHA256,TLS_PSK_WITH_NULL_SHA384,TLS_PSK_WITH_NULL_SHA256

    Additionally, if you want to configure SQL to use the more robust TLS 1.2, you can check the following article: https://support.microsoft.com/en-us/topic/kb3135244-tls-1-2-support-for-microsoft-sql-server-e4472ef8-90a9-13c1-e4d8-44aad198cdbe

    --If the reply is helpful, please Upvote and Accept as answer--
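
A read-only check of the settings this thread points at, as an added example that is not part of any answer above: it reports whether the three suites named as removed in 22H2 are enabled on the server, whether any NULL (no-encryption) suite is enabled, and whether TLS 1.0 or the cipher suite order is overridden in the registry. The function name `Get-SchannelAudit` is hypothetical; `Get-TlsCipherSuite` and the Schannel registry paths are standard Windows.

```powershell
# Added example: read-only audit, run from an elevated prompt on the SQL Server host.
# Suites the answer above lists as removed from the Windows 22H2 defaults.
$removedIn22H2 = @(
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
)

function Get-SchannelAudit {   # hypothetical helper name
    param([string[]]$SuiteNames)

    # Cipher suites Schannel currently has enabled, in priority order.
    $enabled = @((Get-TlsCipherSuite).Name)

    foreach ($name in $SuiteNames) {
        $state = if ($enabled -contains $name) { 'enabled' } else { 'not enabled' }
        [pscustomobject]@{ Item = $name; State = $state }
    }

    # NULL suites authenticate but do not encrypt; list any that are enabled
    # so they can be dropped once the legacy client is upgraded.
    foreach ($name in ($enabled | Where-Object { $_ -match '_NULL_' })) {
        [pscustomobject]@{ Item = $name; State = 'enabled (no encryption)' }
    }

    # Explicit TLS 1.0 server-side override; if the key is absent the OS default applies.
    $protoKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'
    $proto = Get-ItemProperty -Path $protoKey -ErrorAction SilentlyContinue
    $state = if ($null -eq $proto) { 'no override (OS default applies)' } else {
        "Enabled=$($proto.Enabled) DisabledByDefault=$($proto.DisabledByDefault)" }
    [pscustomobject]@{ Item = 'TLS 1.0 (Server)'; State = $state }

    # A Group Policy cipher suite order, when present, overrides the local list.
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $pol = Get-ItemProperty -Path $polKey -Name Functions -ErrorAction SilentlyContinue
    $state = if ($pol) { 'set by policy (overrides the local order)' } else { 'not set' }
    [pscustomobject]@{ Item = 'Policy cipher suite order'; State = $state }
}

Get-SchannelAudit -SuiteNames $removedIn22H2 | Format-Table -AutoSize
```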