Question

I noticed that SQL Server Profiler includes an event when I use a deprecated feature:

Occurs when you use a feature that will be removed from future version of SQL Server, but will not be removed from the next major release of SQL Server. For greatest longevity of your applications, you should avoid using features that cause the Deprecation Announcement event class or the Deprecation Final Support event class.

I turned it on and just before any Login event is recorded, I get:

Deprecated encryption algorithm rc4 will be removed in a future version of SQL Server. Avoid using this feature in new development work, and plan to modify applications that currently use it. Use stronger algorithms instead.

But I'm not using RC4! I'm not even using AES. I'm using nothing. I'm just connecting to SQL Server.

Or am I?

Bonus Chatter

SQL Server, Deprecated Features Object

Deprecated encryption algorithm

Deprecated encryption algorithm rc4 will be removed in the next version of SQL Server. Avoid using this feature in new development work, and plan to modify applications that currently use it. The RC4 algorithm is weak and is only supported for backward compatibility. New material can only be encrypted using RC4 or RC4_128 when the database is in compatibility level 90 or 100. (Not recommended.) Use a newer algorithm such as one of the AES algorithms instead. In SQL Server 2012 material encrypted using RC4 or RC4_128 can be unencrypted in any compatibility level.

Am I even doing anything wrong?

I'm simply opening a connection to SQL Server:

String connectionString =
      "Provider=SQLOLEDB;Network Library=DBMSSOCN;Data Source=helium;" +
      "User ID=Contoso;Password=correctbatteryhorsestaple";

// Open the connection with SQL Server authentication (User ID / Password)
var conn = new ADOConnection();
conn.ConnectionString = connectionString;
conn.Open();

Even though the description of the event says:

occurs when you use a feature that...

Is it possible it is generated when I'm not using a feature? Is it possible this warning:

occurs when anyone logs in regardless of whether they are using RC4

and is actually just an announcement? Another application, an ASP.net MVC ADO-EF (a completely different connection technology) gets the same error.

The documentation of other deprecation warnings gives when you would see them:

  • Occurs once per compilation.
  • Occurs once per query.
  • Occurs once per use in a DDL statement.
  • Event occurs once per database start and once per collation use.
  • Occurs once per use.

Whereas the documentation for this warning doesn't mention when you would see it.

Avoid using this feature in new development work, and plan to modify applications that currently use it.

How do I avoid RC4 in future work, when I can't figure out where I'm using it now?

Profile your 2008 R2 server. Do you get it?

  • ☒ Yes
  • ☐ No

Are SQL Server authentication passwords stored using RC4?

No. SQL Server passwords are not stored using reversible encryption. The passwords are salted and hashed using SHA-1:

hashBytes = 0x0100 + fourByteSalt + SHA1(utf16EncodedPassword+fourByteSalt)

In SQL Server 2012, they switched to SHA2 over SHA-1.
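
The stored-hash layout in the formula above, worked through as an added example (not code from the original post or from SQL Server): it builds, parses and verifies a `0x0100` hash with a salted SHA-1 and no reversible cipher involved. The function names are hypothetical, the salt is a constructed sample, and UTF-16LE without a BOM is assumed for `utf16EncodedPassword`.

```python
import hashlib
import hmac

VERSION = b"\x01\x00"                     # the 0x0100 header from the formula
SALT_LEN = 4                              # fourByteSalt
DIGEST_LEN = hashlib.sha1().digest_size   # SHA-1 output, 20 bytes


def make_hash(password, salt):
    """Build 0x0100 + salt + SHA1(utf16(password) + salt)."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 4 bytes")
    # Assumption: "utf16" means UTF-16LE without a BOM (SQL Server nvarchar).
    digest = hashlib.sha1(password.encode("utf-16-le") + salt).digest()
    return VERSION + salt + digest


def parse_hash(blob):
    """Split a stored hash into (salt, digest), rejecting other layouts."""
    if blob[:2] != VERSION:
        raise ValueError("unsupported hash version: " + blob[:2].hex())
    if len(blob) != len(VERSION) + SALT_LEN + DIGEST_LEN:
        raise ValueError("unexpected hash length")
    return blob[2:2 + SALT_LEN], blob[2 + SALT_LEN:]


def verify(password, blob):
    """Recompute the hash with the stored salt; compare in constant time."""
    salt, _ = parse_hash(blob)
    return hmac.compare_digest(make_hash(password, salt), blob)


if __name__ == "__main__":
    # Constructed sample: a fixed salt so the output is reproducible.
    stored = make_hash("correctbatteryhorsestaple", bytes.fromhex("a1b2c3d4"))
    print("0x" + stored.hex().upper())
    print(verify("correctbatteryhorsestaple", stored))   # matching password
    print(verify("Correctbatteryhorsestaple", stored))   # case differs
```
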

Solution

This happens on all my 2008 R2 servers as well. It seems to happen any time that a connection is made using a SQL login. I can't seem to find any documentation on why this would be the case; I can only presume that internally SQL Server is using RC4 somewhere in the login process, so it's nothing that you are doing in your code.

There aren't any options that I know of to change this behaviour and it doesn't seem to cause any issues so I wouldn't worry about it.

Other suggestions

I haven't seen this behavior; however, when I call a procedure named verifyPassword 'secret' (for example), the string secret gets commented out by the profiler, because the string 'Password' triggers some 'pssstttt don't reveal this one' algorithm.

My fair guess is that this is also the case when warning for deprecated functions.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow