TLS (Transport Layer Security) is a widely
adopted security protocol designed to facilitate privacy and data security for
communications over the Internet. TLS is just an updated, more secure version
of SSL. We still refer to our security certificates as SSL because it is a more
commonly used term, but when you are buying SSL from Symantec you are
actually buying the most up-to-date TLS certificates with the option of ECC,
RSA or DSA encryption.
A primary use case of TLS is
encrypting the communication between web applications and servers, such as web
browsers loading a website.
TLS provides you with the ability to encrypt
connections between SQL Server and calling client applications. When a client requests an encrypted
connection to a SQL Server configured for TLS, an initial handshake takes place
to negotiate the cipher suite that will be used for further communication.
Once that is agreed, SQL Server sends its TLS certificate to the client, which
the client must then validate and trust against its copy of the Certification
Authority (CA) certificate. Finally, provided the TLS
certificate is trusted and it meets certain other requirements, a secure
connection is established.
TLS Background:
We have been able to secure
communication channels since SQL Server 2000, and as the cryptographic protocols
have become more and more secure over time, it's good to see that
Microsoft has continued to ensure that the product hasn't been left
behind. In January 2016, Microsoft announced support for TLS 1.2
encryption for SQL Server 2008, 2008 R2, 2012 and 2014. That
announcement has since been updated to include support for SQL Server 2016 and
2017. Previously, Microsoft only supported SSL encryption in SQL Server;
however, given the series of reported vulnerabilities against SSL, Microsoft now
recommends that you move to TLS 1.2 since it is more secure for establishing
the connection.
SQL Server can use Transport Layer Security
(TLS) to encrypt data that is transmitted across a network between an instance
of SQL Server and a client application. The TLS encryption is performed within
the protocol layer and is available to all supported SQL Server clients. The
level of encryption used by TLS, 40-bit or 128-bit, depends on the version of
the Microsoft Windows operating system that is running on the application and
database computers.
In the System Registry, the following changes need
to be applied to enable TLS 1.2, under the key
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\”

TLS 1.0
    Client
        DisabledByDefault - 1
        Enabled - 0
    Server
        DisabledByDefault - 1
        Enabled - 0

TLS 1.1
    Client
        DisabledByDefault - 1
        Enabled - 0
    Server
        DisabledByDefault - 1
        Enabled - 0

TLS 1.2
    Client
        DisabledByDefault - 0
        Enabled - 1
    Server
        DisabledByDefault - 0
        Enabled - 1