
Does Microsoft OLE DB Provider for SQL Server support TLS 1.2

Our client recently upgraded from TLS 1.0 to TLS 1.2, and after this our software cannot connect to SQL Server. It uses the OLE DB provider for connecting to SQL Server. Below is the error which is returned from SQL Server:

[DBNETLIB][ConnectionOpen SECDoClientHandshake()]SSL Security error SQL State: 08001 SQL Error Number: 18

I could not find any useful information on whether Microsoft OLE DB Provider for SQL Server supports TLS 1.2 or not.

One of the links I found seems to suggest that it is not supported. https://forums.iis.net/t/1233674.aspx?connecing+SQL+server+DB+issue+after+installingTLS1+2+in+SQL+srver+with+classic+asp+application+

Hence, I wanted to check on Stack Overflow in case anyone has any information on this.

Amit Rastogi asked Sep 02 '17 07:09




3 Answers

The SQLOLEDB provider and the SQL Server ODBC driver that ship with Windows are legacy components provided only for backwards compatibility. These have been deprecated since SQL 2005.

According to this blog post by the MSSQL Tiger Team:

SQLOLEDB will not receive support for TLS 1.2. You will need to switch your driver to one of the supported drivers listed in https://support.microsoft.com/en-us/kb/3135244

You should be able to install SQL Server Native Client 2012 and use that OLE DB provider with only a connection string change (change Provider=SQLOLEDB to Provider=SQLNCLI11). Of course, one should test to avoid surprises. For example, I recall someone experiencing behavior differences with the SQL Server Native Client provider and ADO classic when server API cursors were used, although the commonly used firehose cursors were fine.

EDIT

The new OLE DB driver, MSOLEDBSQL, has been released. This new driver includes the support for the latest TLS 1.2 standards and is backwards compatible with SQL Server Native Client 11 (SQLNCLI11). See the Microsoft SQLNCLi team blog announcement. Change the connection string to Provider=MSOLEDBSQL after installation.

EDIT #2

Time continues to march on. The SQL Server Native Client OLE DB driver is now deprecated in favor of MSOLEDBSQL. End of support for the final 2012 SNAC version is July 12, 2012.

Furthermore, as David called out in his answer, Microsoft recently added support for TLS 1.2 in MDAC components in Windows 10 Build 17763.1554:

Adds support for the Transport Layer Security (TLS) 1.1 and 1.2 protocols when connecting to SQL Server using the data providers in Microsoft Data Access Components (MDAC)

No enhancements (e.g. support for post-SQL 2000 data types) were added, though.

In summary, newer SQL Server client drivers provide more control over the specific driver and version without a direct OS patch level dependency. Modern drivers like MSOLEDBSQL and ODBC Driver n for SQL Server are continuously improved to support the latest SQL Server features and security standards.

EDIT#3

SQLOLEDB and the SQL Server ODBC driver (part of MDAC, shipped and serviced with Windows) have support for TLS 1.2 with the October 20, 2020 build, version 17763.1554. This applies to Windows 10 and Windows Server 2019 or later.

Dan Guzman answered Oct 08 '22 16:10


This may not be a solution for you, since it's a future fix your client may not be able to wait for, but apparently Microsoft is undeprecating the OLEDB Driver, with a new release supporting TLS 1.2 out Q1 2018: https://blogs.msdn.microsoft.com/sqlnativeclient/2017/10/06/announcing-the-new-release-of-ole-db-driver-for-sql-server/

The new Microsoft OLE DB Driver for SQL Server, or msoledbsql, will also introduce multi-subnet failover capabilities in this first upcoming release, and keeps up with latest TLS 1.2 standards.

Also, this first upcoming release will be a stand-alone install package that is out-of-band with SQL Server lifecycle. This also means the driver will not be packaged in the SNAC library, nor coupled with any other driver.

SeanG answered Oct 08 '22 18:10


TLS 1.2 Support has been added to sqloledb in Windows. See KB4580390.

This includes support for both ODBC and OleDB providers in MDAC:

Adds support for the Transport Layer Security (TLS) 1.1 and 1.2 protocols when connecting to SQL Server using the data providers in Microsoft Data Access Components (MDAC)

You can verify that MDAC has been updated by checking the Windows build number; anything 17763.1554 or later has this fix. MDAC has not been distributed outside of OS patches for many years.

The build is visible in winver or in PowerShell with [environment]::OSVersion.Version.Build

David Browne - Microsoft answered Oct 08 '22 17:10
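
The checks from the answers above (the provider change in the first answer and the build check in the last one) combined into one script, as an added example that is not part of any answer. It reads the full OS build including the update revision, which OSVersion.Version.Build alone does not return, lists the installed SQL Server OLE DB providers, and rewrites the Provider= keyword accordingly. It assumes Windows PowerShell 5.1; the function names and the sample connection string are illustrative.

```powershell
# Added example (not from the answers). Build threshold and provider names come from the page.
$MdacTls12Build = [version]'10.0.17763.1554'   # build the answers name for MDAC TLS 1.2 support

function Get-WindowsFullBuild {
    # OSVersion.Version.Build is only the build (17763); the update revision
    # (1554) is the UBR registry value, so combine the two for a full comparison.
    $os  = [Environment]::OSVersion.Version
    $ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
    New-Object System.Version -ArgumentList $os.Major, $os.Minor, $os.Build, ([int]$ubr)
}

function Get-InstalledSqlOleDbProvider {
    # Lists SQL Server OLE DB providers registered for this process's bitness.
    Add-Type -AssemblyName System.Data
    $names = (New-Object System.Data.OleDb.OleDbEnumerator).GetElements() |
        ForEach-Object { $_.SOURCES_NAME }
    'MSOLEDBSQL', 'SQLNCLI11', 'SQLOLEDB' | Where-Object { $names -contains $_ }
}

function Select-Tls12Provider {
    param([string[]]$Installed, [version]$OsBuild)
    # Prefer the current driver; SQLNCLI11 is deprecated and only a fallback.
    foreach ($p in 'MSOLEDBSQL', 'SQLNCLI11') {
        if ($Installed -contains $p) { return $p }
    }
    # Legacy SQLOLEDB qualifies only on a patched OS.
    if (($Installed -contains 'SQLOLEDB') -and ($OsBuild -ge $MdacTls12Build)) { return 'SQLOLEDB' }
    return $null
}

function Set-ConnectionStringProvider {
    param([string]$ConnectionString, [string]$Provider)
    # -replace is case-insensitive, so provider=sqloledb is matched as well.
    $ConnectionString -replace '\bProvider\s*=\s*[^;]*', "Provider=$Provider"
}

# Constructed sample connection string; server and database names are placeholders.
$legacy   = 'Provider=SQLOLEDB;Data Source=sqlhost.example;Initial Catalog=AppDb;Integrated Security=SSPI'
$build    = Get-WindowsFullBuild
$provider = Select-Tls12Provider -Installed (Get-InstalledSqlOleDbProvider) -OsBuild $build

if ($provider) {
    "OS build $build -> use: " + (Set-ConnectionStringProvider $legacy $provider)
} else {
    Write-Warning "OS build ${build}: no installed OLE DB provider can negotiate TLS 1.2; install MSOLEDBSQL."
}
```

Run it in a PowerShell process of the same bitness as the application, since 32-bit and 64-bit OLE DB providers are registered separately.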