How to deactivate SSL/TLS < 1.2 without getting problems

[Daffodil]

I have to find a way to deactivate all SSL/TLS communication below TLS 1.2 on our Veeam Servers.
Server OS is 2008R2, MSSQL Express is 2008R2 / 2012.
I have already installed several patches and changed some configs to get this done. Backup jobs are running fine and restore operations work without problems.
But i hang at the following problem. As soon as i deactivate SSL 3.0, the communication between veeam and mssql seems to get problems, everytime the sqloledb provider is used.
For example the truncating of transaction logs for the mssql express instance on the backupserver fails.
Has anyone already done that or can me tell what i have to do to get things running?
Support is not sure if it is possible at all (CaseID: 01990706).

[JoshuaPostSAMC]

Do you have SQL 2008 R2 SP3 and the TLS 1.2 patch?
https://support.microsoft.com/en-us/kb/3135244

For SQL 2012 you need SP3 CU1 or later for TLS 1.2

[Daffodil]

Thanks for your help.
I have already installed SP3 and after that the update 3135244.

If I enable debug logging for SCHANNEL, I can see that lower TLS Versions are used if they are allowed.
As soon as I disable eolder TLS Versions the Event Log shows SCHANNEL Errors and Veeam can not establish connection to SQL Server.

In the VeeamGuestHelper Log it is logged that the connection fails when the default sql provider sqloledb is used.
Does anyone know if the sqloledb can speak TLS 1.2?

[JoshuaPostSAMC]

What version of the SQL Native Client do you have installed in the ODBC>Drivers tab? I had an issue where I had to upgrade that to a higher level to allow a client to connect to a newer SQL server.

Then again, I couldn't get VeeamOne to install without TLS 1.0 Client enabled, even with everything patched

[Daffodil]

Hi again,
there are two SQL Server Native Client Versions installed.
SQL Server Native Client 10.0 - 2009.100.6542.00
SQL Server Native Client 11.0 - 2011.110.3000.00

The first one (10.0) was installed/updated with installation of SP3 and Patch KB3135244 for SQL Server 2008 R2 in October.
The second one (11.0) was installed with the Management Studio installation, which i had deployed tuesday last week.

I updated the 11.0 client to version 2011.110.6544.00 this morning but it still does not work.
I have not found any newer version for SQL Server 2008 R2.

[JoshuaPostSAMC]

Well, you've done all of your homework. I would suggest opening a case with support, as everything is about as updated as you can. They may need to update their software to support TLS 1.2, which I'm going to run into as well.

[Daffodil]

Thanks for your help, a case is already open.

Support wrote it seems to be impossible at the moment and i should write here in the forum.

So we have to wait until the developer will implement it.

[PierreNlend]

Hy

Does anyone know if veeam use tls 1.2 ? I also have to disable all SSL/TLS communication below TLS 1.2

[foggy]

Yes, TLS 1.2 is supported and used whenever all components support it.