If I have OpenText Application and SQL running in azure VM 2008 Windows OS, these two are old versions and can't be updated with TLS1.2 . Will it continue to work after 31st October with TLS1.0 / TLS 1.1. ? Is there any workaround you can SUGGEST

AnantAditya-3219 0

Hi TP,If I have OpenText Application and SQL running in azure VM 2008 Windows OS, these two are old versions and can't be updated with TLS1.2 . Will it continue to work after 31st October with TLS1.0 / TLS 1.1. ?

Is there any workaround you can SUGGEST

Mahesh Kurva 490 Reputation points Microsoft Vendor

2024-10-28T10:40:10.48+00:00

Hi @AnantAditya-3219,

Just checking in to see if the below answer helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

3 answers

hossein jalilian 7,760 Reputation points

2024-10-22T16:55:35.93+00:00

Thanks for posting your question in the Microsoft Q&A forum.

Microsoft is deprecating support for TLS 1.0 and 1.1 across Azure services. After October 31st, connections using these older TLS versions may fail and Windows Server 2008 does not natively support TLS 1.2. This poses a significant challenge for upgrading.

Older versions of SQL Server (2008/2008 R2) require updates to support TLS 1.2

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Mahesh Kurva 490 Reputation points Microsoft Vendor

2024-10-22T17:20:20.56+00:00
Hi @AA,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

In addition to @hossein jalilian,

I understand that your OpenText application and SQL are running on a Windows Server 2008 VM in Azure and that these versions cannot be updated to support TLS 1.2. Will they continue to function after October 31 with only TLS 1.0 and 1.1?

Unfortunately, after October 31, 2024, Azure will no longer support TLS 1.0 and TLS 1.1.
For more information, please refer the document: https://learn.microsoft.com/en-us/lifecycle/announcements/tls-support-ending-10-31-2024.

Is there any workaround you can SUGGEST

Here are a few potential workarounds:

If possible, consider upgrading your OpenText Application and SQL to versions that support TLS 1.2 or later. This is the most secure and recommended approach.

Implement a proxy or gateway that supports TLS 1.2. This proxy can handle the TLS 1.2 communication with Azure while maintaining TLS 1.0/1.1 communication with your older applications.

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Please sign in to rate this answer.
AnantAditya-3219 0 Reputation points

2024-10-23T06:56:33.3933333+00:00

Hi Mahesh ,

Implement a proxy or gateway that supports TLS 1.2. This proxy can handle the TLS 1.2 communication with Azure while maintaining TLS 1.0/1.1 communication with your older applications.--- How we can implement this ? Can you please help me with any documentaion or summary

Mahesh Kurva 490 Reputation points Microsoft Vendor

2024-10-23T16:19:11.01+00:00

Hi @AA,

Thanks for the response.

How we can implement this ? Can you please help me with any documentaion or summary

Ensure HAProxy is installed on your server. You can typically install it using your package manager.

Set up HAProxy to handle incoming SSL connections and configure it to forward traffic to your application servers.

Restart HAProxy and test the setup to ensure everything is working correctly.

For more information, please refer the document: https://www.haproxy.com/documentation/haproxy-configuration-tutorials/ssl-tls/

I hope this information helps. Please do let us know if you have any further queries.

AnantAditya-3219 0 Reputation points

2024-10-24T07:50:45.05+00:00

Hi Mahesh ,

Apologies for so many questions but I have one doubt that although the application is in azure VM but it is using http connection (not https) , sql is also inside the VM . No azure interaction for this application is required.

Only interaction it does with another applications which are in azure VM via http .

Did it will be impacted?

Also does Azure out of support means disabling TLS1.0/1.1 in order to use TLS1.2?

Mahesh Kurva 490 Reputation points Microsoft Vendor

2024-10-24T12:59:19.96+00:00

Hi @AA,

Thanks for the response.

Did it will be impacted?

If your application and SQL are using HTTP connections within the Azure VM and do not interact with Azure services directly, the deprecation of TLS 1.0 and 1.1 by Azure should not impact your internal communications. However, if your application is using HTTP instead of HTTPS, then it is not secure and can be vulnerable to attacks. It is recommended to use HTTPS to secure your application.

Also does Azure out of support means disabling TLS1.0/1.1 in order to use TLS1.2?

Azure out of support for TLS 1.0 and 1.1 means that Azure services will no longer support these protocols. This does not mean that TLS 1.0 and 1.1 will be disabled on your VM. However, it is recommended to disable TLS 1.0 and 1.1 on your VM and use TLS 1.2 for secure communication.

I hope this information helps. Please do let us know if you have any further queries.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
TP 97,256 Reputation points

2024-10-22T17:40:40.0633333+00:00

Hi AA,

Your SQL Server instance should continue to work fine, however, one concern I have is the Windows Azure VM Guest Agent running in the VM(s). Once TLS 1.1 is blocked the agent will likely no longer be able to communicate with Azure infrastructure, so capabilities that depend on the agent will no longer function.

The above assumes client PCs are connecting directly to the VM's public/private IP address via TLS 1.1, and this is an instance of SQL Server running in your VM.

Is this Windows Server 2008 R2 SP1 or Windows Server 2008 (non-R2)? For R2 you should be able to get TLS 1.2 working if it isn't already.

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP
Please sign in to rate this answer.
AnantAditya-3219 0 Reputation points

2024-10-22T18:33:13.09+00:00

Hi TP ,

TDSSNIClient initialization failed with error 0x139f, status code 0x80. Reason: Unable to initialize SSL support. The group or resource is not in the correct state to perform the requested operation.

The server was unable to initialize encryption because of a problem with a security library. The security library may be missing. Verify that security.dll exists on the system

Getting error after updating . Do you have idea?

AnantAditya-3219 0 Reputation points

2024-10-22T21:20:45.15+00:00

Hi TP,

I have enabled TLS1.2 in Azure server and SQL Server 2008 r2 . But whenever I try to open my application OpenText , getting 400 error.

TP 97,256 Reputation points

2024-10-23T07:08:46.39+00:00

I have enabled TLS1.2 in Azure server and SQL Server 2008 r2 . But whenever I try to open my application OpenText , getting 400 error.

Are you testing with a copy of your production VMs? For example, what I usually do for cases like this is take snapshot and work with copies of the VMs, then once I've verified that everything works okay, apply updates/config changes to production (after taking another backup).What is the configuration of your VM(s)? For example, is it one VM with OpenText and SQL Server on it, or two separate VMs, or something else? What version of SQL Server?

Is OpenText using IIS or some other web/application server? Are you able to make a non-OpenText request to IIS and have it complete okay?

Are you able to successfully connect to SQL Server using SSMS?

AnantAditya-3219 0 Reputation points

2024-10-23T07:38:18.0266667+00:00

We are using develpement enviroment. We have snapshot also available for the OS. Please find my response below.

For example, is it one VM with OpenText and SQL Server on it, or two separate VMs, or something else? What version of SQL Server?-- One VM with Open Text & SQL Server 2008 R2 SP3 now. As per your suggestion we updated it. Earlier it was SQL Server 2008 R2 SP1

Is OpenText using IIS or some other web/application server? Are you able to make a non-OpenText request to IIS and have it complete okay? --****Opentext uses Tomcat as Application server.

Are you able to successfully connect to SQL Server using SSMS?--- Yes

Now we are getting below error

Intermittent JDBC Connectivity issue - The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: SQL Server returned an incomplete response. The connection has been closed

TP 97,256 Reputation points

2024-10-25T05:22:56.2533333+00:00

One VM with Open Text & SQL Server 2008 R2 SP3 now. As per your suggestion we updated it. Earlier it was SQL Server 2008 R2 SP1

Since both OpenText and SQL Server on same VM, I don't see any reason (related to this deadline) to update SQL Server. Above I was referring to updating/enabling TLS 1.2 at the OS level, so that Windows Azure VM Guest extension would be able to communicate using TLS 1.2.To reiterate, since the application and SQL Server are running on same server, there is no concern in regards to TLS encryption. Further, I don't see any need to have encrypted connection between your app and SQL Server in your case, but if you already have it that way now I would leave it as is.

I suggest reverting the test VM back to how it was, next enable TLS 1.2 at OS level. Once you have that in place, I would optionally focus on getting tomcat configuration to accept incoming TLS 1.2 (if possible/reasonable). You likely will not need to update SQL Server.

IMPORTANT: I'm suggesting you get Tomcat to accept incoming TLS 1.2 to increase security, NOT because it will stop working at end of this month. If I understand your configuration correctly you are accepting connections to your Tomcat server via Azure Public IP address.

If my understanding is correct, this will not be affected by the TLS deadline. What will likely be affected is the VM guest extension running inside the VM, which is why I wanted you to make sure TLS 1.2 is enabled in the OS.

TP 97,256 Reputation points

2024-10-25T05:29:16.2233333+00:00

@AnantAnditya-3219 I read above in one of your comments that the server is accepting http connections? In other words, your Tomcat isn't using https at all? Is that correct? Please confirm.

If yes then there is nothing you need to change in regards to your Tomcat or SQL Server configuration in the VM. You can leave things as they are.

You do still need to make sure TLS 1.2 is enabled at OS level in the VM so that the VM extension will still function after the deadline.

Of course using http isn't secure, however, if you are only accessing it via private connection such as VPN or similar then the risk may be acceptable.

Thanks.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

If I have OpenText Application and SQL running in azure VM 2008 Windows OS, these two are old versions and can't be updated with TLS1.2 . Will it continue to work after 31st October with TLS1.0 / TLS 1.1. ? Is there any workaround you can SUGGEST

3 answers

Your answer