-
- Novice
- Posts: 8
- Liked: never
- Joined: Apr 03, 2014 12:03 pm
- Contact:
How to deactivate SSL/TLS < 1.2 without getting problems
I have to find a way to deactivate all SSL/TLS communication below TLS 1.2 on our Veeam Servers.
Server OS is 2008R2, MSSQL Express is 2008R2 / 2012.
I have already installed several patches and changed some configs to get this done. Backup jobs are running fine and restore operations work without problems.
But i hang at the following problem. As soon as i deactivate SSL 3.0, the communication between veeam and mssql seems to get problems, everytime the sqloledb provider is used.
For example the truncating of transaction logs for the mssql express instance on the backupserver fails.
Has anyone already done that or can me tell what i have to do to get things running?
Support is not sure if it is possible at all (CaseID: 01990706).
Server OS is 2008R2, MSSQL Express is 2008R2 / 2012.
I have already installed several patches and changed some configs to get this done. Backup jobs are running fine and restore operations work without problems.
But i hang at the following problem. As soon as i deactivate SSL 3.0, the communication between veeam and mssql seems to get problems, everytime the sqloledb provider is used.
For example the truncating of transaction logs for the mssql express instance on the backupserver fails.
Has anyone already done that or can me tell what i have to do to get things running?
Support is not sure if it is possible at all (CaseID: 01990706).
-
- Expert
- Posts: 124
- Liked: 22 times
- Joined: Jul 30, 2015 7:32 pm
- Contact:
Re: How to deactivate SSL/TLS < 1.2 without getting problems
Do you have SQL 2008 R2 SP3 and the TLS 1.2 patch?
https://support.microsoft.com/en-us/kb/3135244
For SQL 2012 you need SP3 CU1 or later for TLS 1.2
https://support.microsoft.com/en-us/kb/3135244
For SQL 2012 you need SP3 CU1 or later for TLS 1.2
-
- Novice
- Posts: 8
- Liked: never
- Joined: Apr 03, 2014 12:03 pm
- Contact:
Re: How to deactivate SSL/TLS < 1.2 without getting problems
Thanks for your help.
I have already installed SP3 and after that the update 3135244.
If I enable debug logging for SCHANNEL, I can see that lower TLS Versions are used if they are allowed.
As soon as I disable eolder TLS Versions the Event Log shows SCHANNEL Errors and Veeam can not establish connection to SQL Server.
In the VeeamGuestHelper Log it is logged that the connection fails when the default sql provider sqloledb is used.
Does anyone know if the sqloledb can speak TLS 1.2?
I have already installed SP3 and after that the update 3135244.
If I enable debug logging for SCHANNEL, I can see that lower TLS Versions are used if they are allowed.
As soon as I disable eolder TLS Versions the Event Log shows SCHANNEL Errors and Veeam can not establish connection to SQL Server.
In the VeeamGuestHelper Log it is logged that the connection fails when the default sql provider sqloledb is used.
Does anyone know if the sqloledb can speak TLS 1.2?
-
- Expert
- Posts: 124
- Liked: 22 times
- Joined: Jul 30, 2015 7:32 pm
- Contact:
Re: How to deactivate SSL/TLS < 1.2 without getting problems
What version of the SQL Native Client do you have installed in the ODBC>Drivers tab? I had an issue where I had to upgrade that to a higher level to allow a client to connect to a newer SQL server.
Then again, I couldn't get VeeamOne to install without TLS 1.0 Client enabled, even with everything patched
Then again, I couldn't get VeeamOne to install without TLS 1.0 Client enabled, even with everything patched
-
- Novice
- Posts: 8
- Liked: never
- Joined: Apr 03, 2014 12:03 pm
- Contact:
Re: How to deactivate SSL/TLS < 1.2 without getting problems
Hi again,
there are two SQL Server Native Client Versions installed.
SQL Server Native Client 10.0 - 2009.100.6542.00
SQL Server Native Client 11.0 - 2011.110.3000.00
The first one (10.0) was installed/updated with installation of SP3 and Patch KB3135244 for SQL Server 2008 R2 in October.
The second one (11.0) was installed with the Management Studio installation, which i had deployed tuesday last week.
I updated the 11.0 client to version 2011.110.6544.00 this morning but it still does not work.
I have not found any newer version for SQL Server 2008 R2.
there are two SQL Server Native Client Versions installed.
SQL Server Native Client 10.0 - 2009.100.6542.00
SQL Server Native Client 11.0 - 2011.110.3000.00
The first one (10.0) was installed/updated with installation of SP3 and Patch KB3135244 for SQL Server 2008 R2 in October.
The second one (11.0) was installed with the Management Studio installation, which i had deployed tuesday last week.
I updated the 11.0 client to version 2011.110.6544.00 this morning but it still does not work.
I have not found any newer version for SQL Server 2008 R2.
-
- Expert
- Posts: 124
- Liked: 22 times
- Joined: Jul 30, 2015 7:32 pm
- Contact:
Re: How to deactivate SSL/TLS < 1.2 without getting problems
Well, you've done all of your homework. I would suggest opening a case with support, as everything is about as updated as you can. They may need to update their software to support TLS 1.2, which I'm going to run into as well.
-
- Novice
- Posts: 8
- Liked: never
- Joined: Apr 03, 2014 12:03 pm
- Contact:
Re: How to deactivate SSL/TLS < 1.2 without getting problems
Thanks for your help, a case is already open.
Support wrote it seems to be impossible at the moment and i should write here in the forum.
So we have to wait until the developer will implement it.
Support wrote it seems to be impossible at the moment and i should write here in the forum.
So we have to wait until the developer will implement it.
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Nov 29, 2017 1:59 pm
- Contact:
Re: How to deactivate SSL/TLS < 1.2 without getting problems
Hy
Does anyone know if veeam use tls 1.2 ? I also have to disable all SSL/TLS communication below TLS 1.2
Does anyone know if veeam use tls 1.2 ? I also have to disable all SSL/TLS communication below TLS 1.2
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: How to deactivate SSL/TLS < 1.2 without getting problems
Yes, TLS 1.2 is supported and used whenever all components support it.
Who is online
Users browsing this forum: Bing [Bot], Google [Bot], Semrush [Bot] and 71 guests