Workplace Encounter: Effects of TLS 1.2

  • Br. Kenneth Igiri

    SSCarpal Tunnel

    Points: 4521

    Comments posted to this topic are about the item Workplace Encounter: Effects of TLS 1.2

    Br. Kenneth Igiri
    www.scribblingsage.com
    All nations come to my light, all kings to the brightness of my rising

  • Rob-1134588

    SSC Journeyman

    Points: 89

    Hi thanks for the article.

    What Windows & SQL Server version were you using?

  • gavin.harris 53577

    Valued Member

    Points: 65

    We are currently going through that pain at the moment. So I'd like to add to your list of issues for consideration

    Ensuring that the encryption certificate works for SQL, is in date and has a valid path - Requires Certificates plug-in for MMC
    Ensuring that the Server service account has read permissions on the encryption certificate - ditto
    Ensuring your users haven't over-written the compatible version of SQL Tools with an older, incompatible version or are just referencing one. - Check path variables and shortcut links
    Getting your users to track down all those connection strings in various spreadsheets/apps and updating them to use the right drivers
    Getting your BI Team to re-compile SSIS packages to be TLS 1.2 compatible
    Updating SSRS to use HTTPS port, configurating all your firewalls to allow that, and all your links to use it

    I have to add that creating an Extended Events session that tracks the trace event looking for function_name = SSL::Handshake helps a lot in later versions of SQL. Also having a test environment that models the infrastructure, not just individual VMs, systems or applications. Otherwise you'll find yourself testing in Production.

  • ken.trock

    SSCertifiable

    Points: 5147

    I had trouble with IISCrypto. Instead, we used Set-Ciphers and DetectCipherConfig Powershell scripts developed by someone at Microsoft. We had a lot of machines to do and these really helped. It's tough to know all the downstream connections so even though we put out a communique on this, we had folks coming out of the woodwork with spreadsheet, ODBC, SSIS and SSRS connection issues. These got solved by updates on their end.

    Ken

  • Br. Kenneth Igiri

    SSCarpal Tunnel

    Points: 4521

    Br. Kenneth Igiri - Wednesday, January 2, 2019 11:46 PM

    Comments posted to this topic are about the item Workplace Encounter: Effects of TLS 1.2

    Rob-1134588 - Thursday, January 3, 2019 2:39 AM

    Hi thanks for the article.

    What Windows & SQL Server version were you using?

    Windows 2012 R2, SQL Server 2016

    Br. Kenneth Igiri
    www.scribblingsage.com
    All nations come to my light, all kings to the brightness of my rising

  • Br. Kenneth Igiri

    SSCarpal Tunnel

    Points: 4521

    gavin.harris 53577 - Thursday, January 3, 2019 3:39 AM

    We are currently going through that pain at the moment. So I'd like to add to your list of issues for consideration

    Ensuring that the encryption certificate works for SQL, is in date and has a valid path - Requires Certificates plug-in for MMC
    Ensuring that the Server service account has read permissions on the encryption certificate - ditto
    Ensuring your users haven't over-written the compatible version of SQL Tools with an older, incompatible version or are just referencing one. - Check path variables and shortcut links
    Getting your users to track down all those connection strings in various spreadsheets/apps and updating them to use the right drivers
    Getting your BI Team to re-compile SSIS packages to be TLS 1.2 compatible
    Updating SSRS to use HTTPS port, configurating all your firewalls to allow that, and all your links to use it

    I have to add that creating an Extended Events session that tracks the trace event looking for function_name = SSL::Handshake helps a lot in later versions of SQL. Also having a test environment that models the infrastructure, not just individual VMs, systems or applications. Otherwise you'll find yourself testing in Production.

    Very useful thanks a lot. Will definitely try out the Extended events event. And I do confirm at some point we experienced something like "Ensuring your users haven't over-written the compatible version of SQL Tools with an older, incompatible version or are just referencing one"

    Br. Kenneth Igiri
    www.scribblingsage.com
    All nations come to my light, all kings to the brightness of my rising

  • Br. Kenneth Igiri

    SSCarpal Tunnel

    Points: 4521

    ken.trock - Thursday, January 3, 2019 10:57 AM

    I had trouble with IISCrypto. Instead, we used Set-Ciphers and DetectCipherConfig Powershell scripts developed by someone at Microsoft. We had a lot of machines to do and these really helped. It's tough to know all the downstream connections so even though we put out a communique on this, we had folks coming out of the woodwork with spreadsheet, ODBC, SSIS and SSRS connection issues. These got solved by updates on their end.

    Ken

    Thanks a lot Ken. Will keep in mind.

    Br. Kenneth Igiri
    www.scribblingsage.com
    All nations come to my light, all kings to the brightness of my rising

Viewing 7 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic. Login to reply