How to deactivate SSL/TLS < 1.2 without getting problems

Availability for the Always-On Enterprise

How to deactivate SSL/TLS < 1.2 without getting problems

Veeam Logoby Daffodil » Fri Dec 02, 2016 10:15 am

I have to find a way to deactivate all SSL/TLS communication below TLS 1.2 on our Veeam Servers.
Server OS is 2008R2, MSSQL Express is 2008R2 / 2012.
I have already installed several patches and changed some configs to get this done. Backup jobs are running fine and restore operations work without problems.
But i hang at the following problem. As soon as i deactivate SSL 3.0, the communication between veeam and mssql seems to get problems, everytime the sqloledb provider is used.
For example the truncating of transaction logs for the mssql express instance on the backupserver fails.
Has anyone already done that or can me tell what i have to do to get things running?
Support is not sure if it is possible at all (CaseID: 01990706).
Daffodil
Novice
 
Posts: 8
Liked: never
Joined: Thu Apr 03, 2014 12:03 pm

Re: How to deactivate SSL/TLS < 1.2 without getting problems

Veeam Logoby JoshuaPostSAMC » Fri Dec 02, 2016 3:17 pm

Do you have SQL 2008 R2 SP3 and the TLS 1.2 patch?
https://support.microsoft.com/en-us/kb/3135244

For SQL 2012 you need SP3 CU1 or later for TLS 1.2
JoshuaPostSAMC
Expert
 
Posts: 116
Liked: 16 times
Joined: Thu Jul 30, 2015 7:32 pm

Re: How to deactivate SSL/TLS < 1.2 without getting problems

Veeam Logoby Daffodil » Fri Dec 02, 2016 4:16 pm

Thanks for your help.
I have already installed SP3 and after that the update 3135244.

If I enable debug logging for SCHANNEL, I can see that lower TLS Versions are used if they are allowed.
As soon as I disable eolder TLS Versions the Event Log shows SCHANNEL Errors and Veeam can not establish connection to SQL Server.

In the VeeamGuestHelper Log it is logged that the connection fails when the default sql provider sqloledb is used.
Does anyone know if the sqloledb can speak TLS 1.2?
Daffodil
Novice
 
Posts: 8
Liked: never
Joined: Thu Apr 03, 2014 12:03 pm

Re: How to deactivate SSL/TLS < 1.2 without getting problems

Veeam Logoby JoshuaPostSAMC » Fri Dec 02, 2016 4:34 pm

What version of the SQL Native Client do you have installed in the ODBC>Drivers tab? I had an issue where I had to upgrade that to a higher level to allow a client to connect to a newer SQL server.

Then again, I couldn't get VeeamOne to install without TLS 1.0 Client enabled, even with everything patched
JoshuaPostSAMC
Expert
 
Posts: 116
Liked: 16 times
Joined: Thu Jul 30, 2015 7:32 pm

Re: How to deactivate SSL/TLS < 1.2 without getting problems

Veeam Logoby Daffodil » Mon Dec 05, 2016 8:26 am

Hi again,
there are two SQL Server Native Client Versions installed.
SQL Server Native Client 10.0 - 2009.100.6542.00
SQL Server Native Client 11.0 - 2011.110.3000.00

The first one (10.0) was installed/updated with installation of SP3 and Patch KB3135244 for SQL Server 2008 R2 in October.
The second one (11.0) was installed with the Management Studio installation, which i had deployed tuesday last week.

I updated the 11.0 client to version 2011.110.6544.00 this morning but it still does not work.
I have not found any newer version for SQL Server 2008 R2.
Daffodil
Novice
 
Posts: 8
Liked: never
Joined: Thu Apr 03, 2014 12:03 pm

Re: How to deactivate SSL/TLS < 1.2 without getting problems

Veeam Logoby JoshuaPostSAMC » Mon Dec 05, 2016 3:13 pm

Well, you've done all of your homework. I would suggest opening a case with support, as everything is about as updated as you can. They may need to update their software to support TLS 1.2, which I'm going to run into as well.
JoshuaPostSAMC
Expert
 
Posts: 116
Liked: 16 times
Joined: Thu Jul 30, 2015 7:32 pm

Re: How to deactivate SSL/TLS < 1.2 without getting problems

Veeam Logoby Daffodil » Mon Dec 05, 2016 4:00 pm

Thanks for your help, a case is already open.

Support wrote it seems to be impossible at the moment and i should write here in the forum.

So we have to wait until the developer will implement it.
Daffodil
Novice
 
Posts: 8
Liked: never
Joined: Thu Apr 03, 2014 12:03 pm


Return to Veeam Backup & Replication



Who is online

Users browsing this forum: Google [Bot], Yahoo [Bot] and 37 guests