SSL encryption


Imke Cronje
Hi Guys,

I am not too familiar with SSL encryption in SQL Server. Can anyone please give me the pros and cons about enabling this feature?

I have already done a bit of reading on the topic but would like to hear a couple of opinions about it. Can this feature be enabled for one database on an instance only?

Please advise.

Regards
IC
Nadrek
If by "SSL Encryption", you mean encryption of the TCP connection to the SQL Server instance, then you'll need to generate a certificate using the Fully Qualified Domain Name (FQDN) (I use OpenSSL to generate these, and sign them with a CA that's loaded on the domain controller), load them on the SQL Server's host OS "Computer" store, and then use SQL Server Configuration Manager to select them (and, optionally, Force Encryption to on).

Personally, I like forcing encryption to be on; I feel much better when traffic's encrypted.

Pros:
You may have a fighting chance at some security recommendations or requirements for your industry.
You can give one more "good" answer on audits.
It's more difficult for attackers on your network to obtain possibly sensitive information.

Cons:
To use packet sniffers to see SQL, you'll also need to load the certificate into the packet sniffer.
In some cases, users should use the FQDN to avoid certificate warnings, "server.domain.top" instead of "server".

For first pass validation:

SELECT encrypt_option, auth_scheme, count(*)
FROM sys.dm_exec_connections
GROUP BY encrypt_option, auth_scheme
ORDER BY encrypt_option, auth_scheme



Better validation involves packet sniffers; at this time I'm not sure how to extract precisely which cipher suite is being used.
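
An added example, not part of the post above: the first-pass query extended to show which clients are still connecting unencrypted, which is worth reviewing before setting Force Encryption to on. It assumes the caller has VIEW SERVER STATE permission; the column aliases are illustrative.

```sql
-- Per-client breakdown of connections that are NOT encrypted.
-- Joins the connection DMV to the session DMV so each unencrypted
-- connection can be traced back to a host, application and login.
SELECT
    c.net_transport,                      -- separates TCP from local shared memory / named pipes
    c.auth_scheme,
    c.client_net_address,
    s.host_name,
    s.program_name,
    s.login_name,
    COUNT(*)            AS connection_count,
    MIN(c.connect_time) AS first_connect,
    MAX(c.connect_time) AS last_connect
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
    ON s.session_id = c.session_id
WHERE c.encrypt_option = 'FALSE'          -- encrypt_option is reported as the text 'TRUE' or 'FALSE'
  AND s.is_user_process = 1               -- ignore system sessions
GROUP BY
    c.net_transport,
    c.auth_scheme,
    c.client_net_address,
    s.host_name,
    s.program_name,
    s.login_name
ORDER BY connection_count DESC;
```

An empty result for TCP clients over a representative period is the signal that every application already negotiates encryption.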