SQL Server TLS and certificates created with ECC algorithm

Question

SQL Server TLS and certificates created with ECC algorithm

Scott Duncan 31

We've got encrypted connections enabled for several SQL Servers. The certificates are due for renewal & our security guy is asking if SQL Server supports the ECC algorithm for the certificate (sha384ECDSA).

So the question is - does SQL Server support use of certificates created using the sha384ECDSA signature algorithm for enabling connection encryption? Or does it not matter, because that's all handled at the Windows level (or subsystem therein)?

The closest I can find to an answer is "The TLS encryption is performed within the protocol layer and is available to all supported SQL Server clients." from https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine?view=sql-server-ver15#transport-layer-security-tls. Presumably this means it doesn't matter what algorithm is used for the certificate, as long as Windows supports it.

Scott Duncan 31 Reputation points

2021-06-25T00:51:24.28+00:00

I'm hoping to do a test in the next few days (just waiting on a certificate to be issued).

Interestingly, on an unrelated SQL 2012 on Windows 2012 R2 system, I'm trying to get https connections configured for SSRS using a certificate with ECC 384-bit cipher - with no luck. Neither SSRS nor SSCM can see the certificate. Windows should be able to handle it as it has the required patch installed. Will be trying with a cert using RSA cipher from the same CA later on.
Scott Duncan 31 Reputation points

2021-06-29T19:25:00.82+00:00

To get things working for SQL 2012 SSRS on Windows 2012, the certificate had to be generated in a particular way to allow for the aged systems (exact details unknown). Still using ECC cipher though. It worked for SSRS but couldn't see the certificate when trying to configure TLS for the database engine (which was not originally being done anyway, but apparently you can use the same certificate for both SSRS https & database engine TLS).

In the modern world, the ECC certificate generated for use by SQL 2019 on Windows 2019 for database engine connections worked just fine.
Cris Zhan-MSFT 6,661 Reputation points

2021-06-30T01:25:46.453+00:00

Hi,
Have a nice day! Thank you for coming back and sharing these detailed and useful information.

Best Regards,

Accepted answer

0 additional answers

Your answer

Scott Duncan 31 Reputation points

2021-06-25T00:51:24.28+00:00

I'm hoping to do a test in the next few days (just waiting on a certificate to be issued).

Interestingly, on an unrelated SQL 2012 on Windows 2012 R2 system, I'm trying to get https connections configured for SSRS using a certificate with ECC 384-bit cipher - with no luck. Neither SSRS nor SSCM can see the certificate. Windows should be able to handle it as it has the required patch installed. Will be trying with a cert using RSA cipher from the same CA later on.
Scott Duncan 31 Reputation points

2021-06-29T19:25:00.82+00:00

To get things working for SQL 2012 SSRS on Windows 2012, the certificate had to be generated in a particular way to allow for the aged systems (exact details unknown). Still using ECC cipher though. It worked for SSRS but couldn't see the certificate when trying to configure TLS for the database engine (which was not originally being done anyway, but apparently you can use the same certificate for both SSRS https & database engine TLS).

In the modern world, the ECC certificate generated for use by SQL 2019 on Windows 2019 for database engine connections worked just fine.
Cris Zhan-MSFT 6,661 Reputation points

2021-06-30T01:25:46.453+00:00

Hi,
Have a nice day! Thank you for coming back and sharing these detailed and useful information.

Best Regards,

Answer 1

Hi,

> Or does it not matter, because that's all handled at the Windows level (or subsystem therein)?

SQL Server relies on the SChannel library of Windows to determine what cipher suite to use for SSL/TLS encryption. A series of cryptographic algorithms are defined in the SChannel library for TLS/SSL key exchange, encryption and message verification. The operating systems of SQL Server server and client server negotiate with each other through Schannel to decide which cipher suite to use. The basic principles of consultation are as follows:

First, determine the highest level protocol(TLS/SSL) supported by both the client and SQL Server.
After deciding on the protocol, the client will provide a list to SQL Server, telling SQL Server all the cipher suites it supports.
SQL Server finds the strongest cipher suite it supports in this list.

I think SQL Server supports the use of certificates created using the sha384ECDSA signature algorithm, you may need to ensure that the SQL Server you are using supports TLS 1.2.

Share via

SQL Server TLS and certificates created with ECC algorithm

0 additional answers

Your answer