SSL error connection into SQL Server 2016 Standard on Windows Server 2016 Standard?

techresearch7777777 1,961 Reputation points
2024-12-02T19:58:54.21+00:00

Hello, we have Microsoft SQL Server 2016 Standard Edition (64-bit) on Windows Server 2016 Standard.

Application team end user is getting following connection error when connecting from Redhat 9 and OpenJDK-17:

ERROR org.hibernate.engine.jdbc.spi.SqlExceptionHelper - Cannot create PoolableConnectionFactory (The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Certificates do not conform to algorithm constraints". ClientConnectionId:dd076007-a438-4bd4-9eb5-f5e7f62bbbf3)

Nov 22, 2024 4:28:38 PM org.apache.catalina.core.ApplicationDispatcher invoke
SEVERE: Servlet.service() for servlet [jsp] threw exception
java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA
    at java.base/sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:237)
    at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1564)
    at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1493)
    at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1437)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)

App team end user mentions SQL Server might be using a certificate signed with the SHA1withRSA algorithm and Red Hat 9 has restrictions on the SHA1 algorithm when using the DEFAULT cryptographic policy and that SHA1 is a weak algorithm.

And they are asking our DBA team if we can confirm that SQL Server is using certificates based on the SHA1 algorithm, and whether we can update the certificates to more secure algorithms.

From our DBA team's perspective, I am wondering where to start. Is it correct to say that the certificates mentioned here, which SQL Server uses by default, are at the Windows OS level, and that TLS v1.2 (including the lower versions v1.0 and v1.1) is enabled by default? Or is there something else, or another concept, to consider to solve their connection issue?

Thanks in advance.


2 answers

  1. Erland Sommarskog 119.9K Reputation points MVP
    2024-12-02T22:28:36.27+00:00

    SQL Server uses whatever certificate you tell it to use. If you don't give it a certificate, it will create a self-signed certificate. I don't know off the top of my head which algorithm it is created with.

    In any case, it is better to install a certificate, and then make sure that all clients trust this certificate. If you produce one locally (cheap), you will need to distribute it to the clients. If you buy one, the client only needs to have the issuer's root certificate.

    I suggest that you read https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/certificate-overview?view=sql-server-2016 and the topics that follow to get a better understanding.
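    The answer above says SQL Server uses the certificate you give it or otherwise generates its own, and the question asks whether the certificate and the TLS versions are an OS-level matter. The following PowerShell is an added example, not code from the thread or from Microsoft, that shows how a DBA can check both on the SQL Server host: which certificate thumbprint (if any) the instance is configured with, how that certificate is signed, what ERRORLOG says when no certificate is configured, and whether the Schannel protocol keys that govern TLS 1.0/1.1/1.2 have been set. It assumes a default instance of SQL Server 2016 (registry key `MSSQL13.MSSQLSERVER`) and an elevated Windows PowerShell 5.1 session; the registry paths are the documented locations for these settings.

```powershell
# Added example (not from the original thread): inspect which certificate the
# SQL Server 2016 Database Engine is configured to use and how it is signed.
# Assumptions: default instance (registry key MSSQL13.MSSQLSERVER); run as an
# administrator on the SQL Server host in Windows PowerShell 5.1.
$instanceKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQLServer'

# 1. Certificate and encryption settings live under SuperSocketNetLib.
$net = Get-ItemProperty -Path "$instanceKey\SuperSocketNetLib"
"ForceEncryption : $($net.ForceEncryption)"
"Certificate     : '$($net.Certificate)'"

if ([string]::IsNullOrWhiteSpace($net.Certificate)) {
    # No thumbprint configured: SQL Server generated its own self-signed
    # certificate at startup, and ERRORLOG records that. The ERRORLOG path is
    # the '-e' startup parameter stored under Parameters.
    $params = Get-ItemProperty -Path "$instanceKey\Parameters"
    $errorLog = ($params.PSObject.Properties |
        Where-Object { $_.Name -like 'SQLArg*' -and $_.Value -like '-e*' } |
        Select-Object -First 1).Value.Substring(2)
    Select-String -Path $errorLog -Pattern 'certificate' |
        Select-Object -Last 3 -ExpandProperty Line
} else {
    # Thumbprint set: the certificate must be in the local machine personal
    # store. SignatureAlgorithm is what the Java client's algorithm
    # constraints check (e.g. sha1RSA vs sha256RSA).
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$($net.Certificate.ToUpper())"
    $cert | Format-List Subject, DnsNameList, NotAfter, Thumbprint,
        @{ Name = 'SignatureAlgorithm'; Expression = { $_.SignatureAlgorithm.FriendlyName } },
        @{ Name = 'KeySize';            Expression = { $_.PublicKey.Key.KeySize } },
        @{ Name = 'EnhancedKeyUsage';   Expression = { $_.EnhancedKeyUsageList.FriendlyName -join ', ' } }
}

# 2. Which TLS versions Schannel offers is an OS setting, not a SQL Server one.
#    An absent key means the OS default applies; on Windows Server 2016 that
#    default has TLS 1.0, 1.1 and 1.2 all enabled.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $key = "$schannel\$proto\Server"
    if (Test-Path $key) {
        $v = Get-ItemProperty -Path $key
        "$proto server: Enabled=$($v.Enabled) DisabledByDefault=$($v.DisabledByDefault)"
    } else {
        "$proto server: not configured (OS default)"
    }
}
```

    Note that the TLS version and the certificate signature algorithm are independent problems: the client here negotiated TLS 1.2 (the trace is in the `T12CertificateConsumer`) and then rejected the certificate's SHA-1 signature, so hardening the Schannel protocol keys alone would not change the error.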


  2. LiHongMSFT-4306 31,311 Reputation points
    2024-12-03T02:31:25.58+00:00

    Hi @techresearch7777777

    SQL Server 2016 (13.x) and earlier versions use the SHA1 algorithm. However, the SHA1 algorithm and many older algorithms are deprecated beginning with SQL Server 2016 (13.x). For more information, see Deprecated Database Engine features in SQL Server 2016 (13.x).

    You may have the following options:

    • Create a new self-signed certificate or a third-party certificate that uses stronger encryption algorithms and configure SQL Server to use this new certificate.
    • Upgrade to SQL Server 2017 (14.x) or a later version that uses a stronger hash algorithm (SHA256) for self-signed certificates.

    Best regards,

    Cosmog


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
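    Both answers come down to the same procedure: give SQL Server a certificate signed with a stronger algorithm and make the client trust it. The PowerShell below is an added example, not code from the thread or from Microsoft, that carries that procedure through for a SQL Server 2016 default instance using a self-signed SHA-256 certificate: create the certificate with the attributes SQL Server requires (Server Authentication EKU, subject matching the host name, key-exchange private key), grant the service account read access to the private key, point the instance at the thumbprint, restart, and export the public certificate for the client. It assumes an elevated Windows PowerShell 5.1 session on the SQL host, the default virtual service account `NT Service\MSSQLSERVER`, and the placeholder host name `sqlhost.example.com`; replace these with your own values. A certificate from your internal CA is preferable in production, in which case steps 1 and 4 are replaced by the CA issuing the certificate and the client trusting the CA root instead.

```powershell
# Added example (not from the original thread): replace a SHA-1 certificate
# with a SHA-256 self-signed one for a SQL Server 2016 default instance.
# Assumptions: run as administrator on the SQL host in Windows PowerShell 5.1;
# the service runs as NT Service\MSSQLSERVER; $fqdn is the name that clients
# use in their connection string (assumed placeholder).
$fqdn        = 'sqlhost.example.com'
$serviceAcct = 'NT Service\MSSQLSERVER'
$regPath     = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQLServer\SuperSocketNetLib'

# 1. Create the certificate in the local machine personal store. SQL Server
#    needs a Server Authentication EKU (1.3.6.1.5.5.7.3.1), a subject/SAN that
#    matches the host name clients connect to, and a key-exchange key. The
#    legacy SChannel CSP is used because SQL Server expects a CAPI key, and
#    SHA256 replaces the SHA-1 signature the Java client rejected.
$cert = New-SelfSignedCertificate `
    -Subject "CN=$fqdn" -DnsName $fqdn `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeySpec KeyExchange -KeyExportPolicy Exportable `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -Provider 'Microsoft RSA SChannel Cryptographic Provider' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(2)

# 2. The SQL Server service account must be able to read the private key,
#    otherwise the instance logs an error at startup and falls back.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($serviceAcct, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 3. Point SQL Server at the certificate (lower-case thumbprint, as
#    Configuration Manager writes it). ForceEncryption=1 is optional: it makes
#    every connection use TLS, not only those that request it.
Set-ItemProperty -Path $regPath -Name Certificate -Value $cert.Thumbprint.ToLower()
Set-ItemProperty -Path $regPath -Name ForceEncryption -Value 1 -Type DWord
Restart-Service -Name MSSQLSERVER -Force

# 4. Export the public certificate so clients can trust it; a self-signed
#    certificate has no issuing CA to trust instead.
Export-Certificate -Cert $cert -FilePath "$env:TEMP\$fqdn.cer" -Type CERT | Out-Null
"Exported $env:TEMP\$fqdn.cer; signed with $($cert.SignatureAlgorithm.FriendlyName)"
```

    On the RHEL 9 client, import the exported file into the JDK's trust store (`keytool -importcert -cacerts -alias sqlserver -file sqlhost.example.com.cer`, or into the application's own trust store if it sets `trustStore` in the JDBC URL) and connect using the same host name that appears in the certificate, or set `hostNameInCertificate` in the connection string. Re-run the server-side check afterwards: the certificate's `SignatureAlgorithm` should read `sha256RSA`, and the `Algorithm constraints check failed on signature algorithm: SHA1withRSA` error should no longer appear.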

