Server is detected with Weak SSL/TLS Key Exchange on Port 1433 which is used by application SQLSRVR.EXE

Ankush Sanjay Harne 1 Reputation point
2022-07-13T09:47:48.43+00:00

The server is detected with Weak SSL/TLS Key Exchange on Port 1433 which is used by application SQLSRVR.EXE

This is with reference to the compliance request – 198121 regarding the Vulnerability 38863 - Weak SSL/TLS Key Exchange. Qualys is detecting this vulnerability as servers support key exchanges that are cryptographically weaker than recommended. Key exchanges should provide at least 224 bits of security, which translates to a minimum key size of 2048 bits for Diffie Hellman and RSA key exchanges.

Please check the application running on the ports on which this vulnerability is detected and change the SSL/TLS server configuration to only allow strong key exchanges with a strong key size of 2048 bits.
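Before changing anything it helps to see what the scanner is actually looking at on port 1433. The script below is an added example, not part of the question or of any answer in this thread. It assumes a default instance named MSSQLSERVER (change $InstanceName for a named instance), an elevated Windows PowerShell 5.1 session on the SQL Server host, and Windows Server 2016 or later for Get-TlsCipherSuite. It reads the certificate SQL Server is configured to present (or notes that none is configured, in which case SQL Server uses a self-signed certificate it generates at start-up), reports the RSA key size, and lists any SCHANNEL key-exchange limits and RSA-key-exchange cipher suites already in place. For reference, NIST SP 800-57 rates 2048-bit RSA and finite-field Diffie-Hellman at roughly 112 bits of security.

```powershell
# Added example (not from the thread): map the Qualys finding on 1433 to a concrete cause.
# Assumption: default instance MSSQLSERVER; run elevated in Windows PowerShell 5.1 on the host.
$InstanceName = 'MSSQLSERVER'

# 1. Resolve the instance's registry root (e.g. MSSQL12.MSSQLSERVER for SQL Server 2014).
$instanceId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL').$InstanceName
if (-not $instanceId) { throw "Instance '$InstanceName' not found under Instance Names\SQL" }
$netLib      = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib"
$netLibProps = Get-ItemProperty $netLib

# 2. Which certificate does SQL Server present? Its thumbprint is stored in 'Certificate'.
#    If the value is empty, SQL Server falls back to a self-signed certificate generated at
#    start-up, and that certificate's key is what an RSA key exchange on 1433 uses.
$thumb = [string]$netLibProps.Certificate
"ForceEncryption : $($netLibProps.ForceEncryption)"
if ([string]::IsNullOrWhiteSpace($thumb)) {
    "Certificate     : none configured (self-signed fallback certificate in use)"
} else {
    # Thumbprint comparison: -eq on strings is case-insensitive, SQL stores it in lower case.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        "Certificate     : thumbprint $thumb is configured but not found in LocalMachine\My"
    } else {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $keyBits = if ($rsa) { $rsa.KeySize } else { '(non-RSA key)' }
        "Certificate     : $($cert.Subject)"
        "Key algorithm   : $($cert.PublicKey.Oid.FriendlyName), $keyBits bits"
        "Expires         : $($cert.NotAfter)"
        if ($rsa -and $rsa.KeySize -lt 2048) {
            "WARNING         : RSA key is below the 2048-bit minimum the finding asks for"
        }
    }
}

# 3. SCHANNEL key-exchange limits already set (the keys are absent unless someone created them).
$kexRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms'
foreach ($alg in 'Diffie-Hellman', 'PKCS') {
    $p = Join-Path $kexRoot $alg
    if (Test-Path $p) {
        $v = Get-ItemProperty $p
        '{0,-15} ClientMin={1} ClientMax={2} ServerMin={3}' -f $alg,
            $v.ClientMinKeyBitLength, $v.ClientMaxKeyBitLength, $v.ServerMinKeyBitLength
    } else {
        '{0,-15} key not present (Windows defaults apply)' -f $alg
    }
}

# 4. Enabled cipher suites that use RSA key exchange (TLS_RSA_* names). For these the
#    certificate key size alone decides the key-exchange strength.
"RSA key-exchange suites still enabled:"
Get-TlsCipherSuite | Where-Object { $_.Name -like 'TLS_RSA_*' } | Select-Object -ExpandProperty Name
```

If step 2 reports a key shorter than 2048 bits, the fix is a new server certificate (or configuring one where the fallback certificate is in use), not a client-side registry value; the SCHANNEL entries in step 3 only constrain what Windows itself will accept or offer.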

5 answers

  1. GORVAM SADDAR 10 Reputation points Microsoft Employee
    2023-02-09T14:35:05.8466667+00:00

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS

    To add this registry value, follow these steps:

    1. Click Start, click Run, type regedit in the Open box, and then click OK.
    2. Locate and then click the following subkey: *HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms*
    3. On the Edit menu, point to New, and then click Key.
    4. Type PKCS for the name of the Key, and then press Enter. Select the PKCS key.
    5. On the Edit menu, point to New, and then click DWORD Value.
    6. Type ClientMinKeyBitLength for the name of the DWORD, and then press Enter.
    7. Right-click ClientMinKeyBitLength, and then click Modify.
    8. In the Value data box, type the new minimum key length (in bits), and then click OK. Note: You do not have to restart the computer after you add or change this registry entry for the change to take effect. However, you do have to restart the computer if you delete the entry.

    Important

    • All future security and non-security updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update 2919355 to be installed. We recommend that you install update 2919355 on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates.
    • If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.

    Known issues in this security update

    How to obtain and install the update

    Method 1: Windows Update

    This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see Get security updates automatically.

    Note: For Windows RT 8.1, this update is available through Windows Update only.

    Method 2: Microsoft Update Catalog

    To get the stand-alone package for this update, go to the Microsoft Update Catalog website.

    More Information

    How to obtain help and support for this security update

    Help for installing updates:
    Support for Microsoft Update

    Security solutions for IT professionals:
    TechNet Security Troubleshooting and Support

    Help for protecting your Windows-based computer from viruses and malware:
    Virus Solution and Security Center

    1 person found this answer helpful.

  2. Tom Phillips 17,716 Reputation points
    2022-07-13T14:47:38.193+00:00

    You didn't tell us what version of SQL Server you are using.

    However, you need to update to using TLS 1.2 and disable TLS 1.1

    See:
    https://support.microsoft.com/en-us/topic/kb3135244-tls-1-2-support-for-microsoft-sql-server-e4472ef8-90a9-13c1-e4d8-44aad198cdbe

    0 comments No comments
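The protocol-version change this answer recommends is a SCHANNEL registry change on the SQL host. The script below is an added example, not code from the answer or from Microsoft's KB; it assumes an elevated Windows PowerShell session and that TLS 1.2 support has been confirmed first. KB3135244 lists the SQL Server builds and client drivers that support TLS 1.2 (SQL Server 2014 SP3 is among them); if the SQL Server build or the connecting drivers are not on that list, disabling TLS 1.0/1.1 will break connections, and on an unsupported build the SQL Server service itself can fail to start. A reboot is required for SCHANNEL protocol changes to take effect.

```powershell
# Added example (not from the thread): enable TLS 1.2 and disable TLS 1.0/1.1 in SCHANNEL
# for both the Server and Client roles, then print the resulting state.
# Assumption: run elevated; reboot afterwards; SQL Server and its clients support TLS 1.2.
$protocolsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)] [string] $Protocol,   # e.g. 'TLS 1.2'
        [Parameter(Mandatory)] [bool]   $Enabled
    )
    foreach ($role in 'Server', 'Client') {
        $path = Join-Path (Join-Path $protocolsRoot $Protocol) $role
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # Enabled=0 turns the protocol off; DisabledByDefault=1 keeps it out of the default set.
        New-ItemProperty -Path $path -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $path -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $false

# Show what is now configured (takes effect after a reboot).
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Server', 'Client') {
        $v = Get-ItemProperty (Join-Path (Join-Path $protocolsRoot $proto) $role)
        '{0,-8} {1,-6} Enabled={2} DisabledByDefault={3}' -f $proto, $role, $v.Enabled, $v.DisabledByDefault
    }
}
```

The Client role matters as well as the Server role: SQL Server itself acts as a TLS client for linked servers, Database Mail and similar outbound connections, so both sides of the host's SCHANNEL configuration should be set consistently. Note that protocol version and key-exchange strength are separate controls; the weak key exchange finding is not resolved by this change alone.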

  3. Ankush Sanjay Harne 1 Reputation point
    2022-07-13T17:27:48.617+00:00

    Hey @Tom Phillips

    Thanks firstly,

    Please find version details:

    Microsoft SQL Server 2014 (SP3-GDR) (KB5014165) - 12.0.6169.19 (X64) Apr 21 2022 18:01:27 Copyright (c) Microsoft Corporation Enterprise Edition: Core-based Licensing (64-bit) on Windows NT 6.3 <X64> (Build 17763: )

    It would be great if you can share any reference blog or documents to fix this.


  4. Seeya Xi-MSFT 16,451 Reputation points
    2022-07-14T12:49:25.023+00:00

    Hi @Ankush Sanjay Harne ,

    Welcome to Microsoft Q&A!
    In January 2016, Microsoft announced support for TLS 1.2 encryption for SQL Server 2008, 2008 R2, 2012 and 2014. That announcement has since been updated to include support for SQL Server 2016 and 2017. Previously, Microsoft only supported SSL encryption in SQL Server, however given the spate of reported vulnerabilities against SSL, Microsoft now recommends that you move to TLS 1.2.

    Best regards,
    Seeya


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  5. MukeshAgarwal-MSFTE 0 Reputation points
    2023-09-26T08:22:46.1166667+00:00

    Steps to change the key exchange algorithm:

    The entries listed below may not exist in the registry by default; if they do not, you need to create them manually. Use of key exchange algorithms should be controlled by configuring the cipher suite order.

    Diffie-Hellman:

    Added in Windows 10, version 1507 and Windows Server 2016.

    Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman

    To specify a minimum supported range of Diffie-Hellman key bit length for the TLS client, create a ClientMinKeyBitLength entry. After you've created the entry, change the DWORD value to the desired bit length. If not configured, 1024 bits will be the minimum.

    To specify a maximum supported range of Diffie-Hellman key bit length for the TLS client, create a ClientMaxKeyBitLength entry. After you've created the entry, change the DWORD value to the desired bit length.

    To specify the Diffie-Hellman key bit length for the TLS server default, create a ServerMinKeyBitLength entry. After you've created the entry, change the DWORD value to the desired bit length. If not configured, 2048 bits is the default.

    RSA:

    Added in Windows 10, version 1507 and Windows Server 2016.

    Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS

    To specify a minimum supported range of RSA key bit length for the TLS client, create a ClientMinKeyBitLength entry. After you've created the entry, change the DWORD value to the desired bit length. If not configured, 1024 bits is the minimum.

    To specify a maximum supported range of RSA key bit length for the TLS client, create a ClientMaxKeyBitLength entry. After you've created the entry, change the DWORD value to the desired bit length. On the server-side, the strength of the RSA key exchange is controlled by the specified server certificate.

    For more information on this, please refer to the article below:

    Transport Layer Security (TLS) registry settings | Microsoft Learn

    0 comments No comments
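The registry steps in GORVAM SADDAR's answer (PKCS\ClientMinKeyBitLength) and the full list of entries in this answer amount to the same procedure, so one script covers both. It is an added example, not code from either answer or from Microsoft's documentation; it assumes an elevated Windows PowerShell session on Windows Server 2016 or later (the Diffie-Hellman and PKCS keys exist from that version; the build the original poster quoted, 17763, is Windows Server 2019) and uses 2048 bits as the minimum for both algorithms. It also acts on the sentence above about controlling key exchange through the cipher suite order: it disables the TLS_RSA_* suites, whose key exchange is decided solely by the certificate's RSA key, leaving the (EC)DHE suites, which are subject to the Diffie-Hellman minimum.

```powershell
# Added example (not from the thread): set the key-exchange minimums described above and
# remove cipher suites that use RSA key exchange. Assumption: 2048-bit minimum, run elevated
# on Windows Server 2016 or later.
$kexRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms'
$MinBits = 2048

# Diffie-Hellman: ServerMinKeyBitLength governs the ephemeral DH group the server uses,
# ClientMinKeyBitLength what this host accepts as a client.
# PKCS (RSA): only a client-side minimum exists; server-side strength is the certificate key.
$settings = @{
    'Diffie-Hellman' = @{ ServerMinKeyBitLength = $MinBits; ClientMinKeyBitLength = $MinBits }
    'PKCS'           = @{ ClientMinKeyBitLength = $MinBits }
}

foreach ($alg in $settings.Keys) {
    $path = Join-Path $kexRoot $alg
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }   # step 3/4 of the answer
    foreach ($name in $settings[$alg].Keys) {
        # steps 5-8: DWORD value holding the minimum bit length; -Force overwrites an existing value
        New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $settings[$alg][$name] -Force | Out-Null
    }
    $v = Get-ItemProperty $path
    '{0,-15} ClientMin={1} ServerMin={2}' -f $alg, $v.ClientMinKeyBitLength, $v.ServerMinKeyBitLength
}

# Cipher suite order: drop the RSA-key-exchange suites so every remaining handshake uses
# (EC)DHE and therefore falls under the Diffie-Hellman minimum set above.
$rsaKex = Get-TlsCipherSuite | Where-Object { $_.Name -like 'TLS_RSA_*' }
foreach ($suite in $rsaKex) {
    Disable-TlsCipherSuite -Name $suite.Name
    "disabled $($suite.Name)"
}

# What is left should be TLS_ECDHE_* and TLS_DHE_* suites only.
"Remaining suites:"
Get-TlsCipherSuite | Select-Object -ExpandProperty Name
```

Two caveats a practitioner should keep in mind. First, both the KeyExchangeAlgorithms entries and Disable-TlsCipherSuite are host-wide SCHANNEL settings, so they apply to every TLS service on the machine (RDP, IIS, WinRM), not just SQL Server on 1433. Second, removing the TLS_RSA_* suites means older SQL client drivers that only negotiate RSA key exchange will no longer connect; test with a representative client before rolling the change out, and if the certificate check shows an RSA key under 2048 bits, replace the certificate as well, since no registry value raises the server-side RSA strength.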