Comprehensive data protection for all workloads
Post Reply
Daffodil
Novice
Posts: 8
Liked: never
Joined: Apr 03, 2014 12:03 pm
Contact:

How to deactivate SSL/TLS < 1.2 without getting problems

Post by Daffodil »

I have to find a way to deactivate all SSL/TLS communication below TLS 1.2 on our Veeam Servers.
Server OS is 2008R2, MSSQL Express is 2008R2 / 2012.
I have already installed several patches and changed some configs to get this done. Backup jobs are running fine and restore operations work without problems.
But i hang at the following problem. As soon as i deactivate SSL 3.0, the communication between veeam and mssql seems to get problems, everytime the sqloledb provider is used.
For example the truncating of transaction logs for the mssql express instance on the backupserver fails.
Has anyone already done that or can me tell what i have to do to get things running?
Support is not sure if it is possible at all (CaseID: 01990706).
JoshuaPostSAMC
Expert
Posts: 125
Liked: 22 times
Joined: Jul 30, 2015 7:32 pm
Contact:

Re: How to deactivate SSL/TLS < 1.2 without getting problems

Post by JoshuaPostSAMC »

Do you have SQL 2008 R2 SP3 and the TLS 1.2 patch?
https://support.microsoft.com/en-us/kb/3135244

For SQL 2012 you need SP3 CU1 or later for TLS 1.2
Daffodil
Novice
Posts: 8
Liked: never
Joined: Apr 03, 2014 12:03 pm
Contact:

Re: How to deactivate SSL/TLS < 1.2 without getting problems

Post by Daffodil »

Thanks for your help.
I have already installed SP3 and after that the update 3135244.

If I enable debug logging for SCHANNEL, I can see that lower TLS Versions are used if they are allowed.
As soon as I disable eolder TLS Versions the Event Log shows SCHANNEL Errors and Veeam can not establish connection to SQL Server.

In the VeeamGuestHelper Log it is logged that the connection fails when the default sql provider sqloledb is used.
Does anyone know if the sqloledb can speak TLS 1.2?
JoshuaPostSAMC
Expert
Posts: 125
Liked: 22 times
Joined: Jul 30, 2015 7:32 pm
Contact:

Re: How to deactivate SSL/TLS < 1.2 without getting problems

Post by JoshuaPostSAMC »

What version of the SQL Native Client do you have installed in the ODBC>Drivers tab? I had an issue where I had to upgrade that to a higher level to allow a client to connect to a newer SQL server.

Then again, I couldn't get VeeamOne to install without TLS 1.0 Client enabled, even with everything patched
Daffodil
Novice
Posts: 8
Liked: never
Joined: Apr 03, 2014 12:03 pm
Contact:

Re: How to deactivate SSL/TLS < 1.2 without getting problems

Post by Daffodil »

Hi again,
there are two SQL Server Native Client Versions installed.
SQL Server Native Client 10.0 - 2009.100.6542.00
SQL Server Native Client 11.0 - 2011.110.3000.00

The first one (10.0) was installed/updated with installation of SP3 and Patch KB3135244 for SQL Server 2008 R2 in October.
The second one (11.0) was installed with the Management Studio installation, which i had deployed tuesday last week.

I updated the 11.0 client to version 2011.110.6544.00 this morning but it still does not work.
I have not found any newer version for SQL Server 2008 R2.
JoshuaPostSAMC
Expert
Posts: 125
Liked: 22 times
Joined: Jul 30, 2015 7:32 pm
Contact:

Re: How to deactivate SSL/TLS < 1.2 without getting problems

Post by JoshuaPostSAMC »

Well, you've done all of your homework. I would suggest opening a case with support, as everything is about as updated as you can. They may need to update their software to support TLS 1.2, which I'm going to run into as well.
Daffodil
Novice
Posts: 8
Liked: never
Joined: Apr 03, 2014 12:03 pm
Contact:

Re: How to deactivate SSL/TLS < 1.2 without getting problems

Post by Daffodil »

Thanks for your help, a case is already open.

Support wrote it seems to be impossible at the moment and i should write here in the forum.

So we have to wait until the developer will implement it.
PierreNlend
Lurker
Posts: 1
Liked: never
Joined: Nov 29, 2017 1:59 pm
Contact:

Re: How to deactivate SSL/TLS < 1.2 without getting problems

Post by PierreNlend »

Hy

Does anyone know if veeam use tls 1.2 ? I also have to disable all SSL/TLS communication below TLS 1.2
foggy
Veeam Software
Posts: 21181
Liked: 2163 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: How to deactivate SSL/TLS < 1.2 without getting problems

Post by foggy »

Yes, TLS 1.2 is supported and used whenever all components support it.
Post Reply

Who is online

Users browsing this forum: Google [Bot], Semrush [Bot], stephen.mintrom and 34 guests