Enable TLS 1.2 for SQL Server 2016 database mail
https://dba.stackexchange.com/questions/213608
-
07-01-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianDomanda
I have been puzzled by this issue for almost 1 week. Hopefully someone in our community has experienced the same issue and already found a solution.
So here is my problem:
As per our company policy, we want database mail to be able to send emails over port 25 with TLS 1.2 enabled and with TLS 1.0 & TLS 1.1 disabled.
Our mail server is Exchange Server 2010, our SQL Server 2016 (Developer and Enterprise editions) boxes have OS of Windows Server 2016 Standard editions.
Our SQL Server version is:
select @@version
----------------------------------------
Microsoft SQL Server 2016 (SP1-CU7-GDR) (KB4057119) - 13.0.4466.4 (X64)
Dec 22 2017 11:25:00
Copyright (c) Microsoft Corporation
Developer Edition (64-bit) on Windows Server 2016 Datacenter 10.0 <X64> (Build 14393: ) (Hypervisor)
We have the DB mail configuration as shown here.
The issue is whenever we turn on SSL
use msdb
exec dbo.sysmail_update_account_sp @account_id=2, @enable_ssl = 1;
We CANNOT send db mail (no matter whether our SMTP authentication is Windows Authentication, Basic authentication or Anonymous Authentication). The error message in db mail log is as follows:
Message
The mail could not be sent to the recipients because of the mail server failure. (Sending Mail using Account 2 (2018-07-30T10:52:41). Exception Message: Cannot send mails to mail server. (Failure sending mail.). )
But if we turn off this SSL, there is no problem for db mail sent out.
So how can we enable SSL and uses TLS 1.2 for db mail?
I have enabled TLS 1.2 by adding registry as shown below
The details is from this link (see the FAQ section)
Soluzione 2
Since it seems nobody can answer this question, I opened a support case with Microsoft, and still it took almost 1 week for MS support to come back with an answer as he went through various internal resources to get the definite answer.
The summary is:
SQL Server Database mail uses System.Net.Mail to do the work, the System.Net.Mail is able to send mail using TLS 1.2 but only when the build runtime version is 4.6 or above. SQL Server 2016 db mail is built for .Net 3.5, hence SQL Server 2016 db mail does not support TLS 1.2 as of now.
Altri suggerimenti
TLS1.2 is the only version of TLS considered secure now (March 2019). It took considerable time and effort to discover that there are 2 essential, additional settings which are required to get this working which are not well known nor well documented, by Microsoft or on the web generally. The following could save you a great deal of time and effort.
These are the 2 new Registry settings that fixed the problem for us:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
This is a reference to the thread where we eventually found this information, buried halfway down the thread: TLS 1.2 in .NET Framework 4.0
Below is the content for a simple executable registry file that I put together that will make the 2 new settings and the settings already shown on the thread above (i.e. this makes all of the necessary Registry settings*):
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
Note 1: SQL needs to be restarted for these settings to take affect but it is better to restart Windows since the new settings will affect .NET 4.x generally.
Note 2: In SQL, the SSL-checkbox must be ticked in the mail profile to use TLS1.2.
*Note 3: FYI We ran the free tool, Crypto V2, with the "Best Practices" option enabled before starting on getting this working. We verified our changes afterwards using the new Crypto version 3.
Hopefully this will save considerable time, effort and frustration for others ;)
It's odd because the linked article clearly states:
Support for TLS v1.2 included in the .NET Framework version 3.5 SP1 on Windows 8.1 and Windows Server 2012 R2
which contradicts the response you get from MS support. Edit: I found in this StackOverflow question that although .NET 3.5 didn't include support for TLS 1.2 at first it was added later by MS:
Reading the FAQ section I think that the problem is that you missed one registry key when enabling TLS 1.2. The FAQ section says:
The correct registry settings are as follows:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "DisabledByDefault"=dword:00000000 "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "DisabledByDefault"=dword:00000000 "Enabled"=dword:00000001These settings are required for both server and client computers.
But in the screen shot that you provided I only see "Enabled"=dword:00000001, the "DisabledByDefault"=dword:00000000 key is missing.
Also it says:
Is TLS 1.1 supported on SQL Server 2016?
Yes. SQL Server 2016 and SQL Server 2017 on Windows versions ship with TLS 1.0 to TLS 1.2 support. You have to disable TLS 1.0 and 1.1 if you want to use only TLS 1.2 for client-server communication.
which can be interpreted as that you need to disable TLS 1.0 and 1.1 in order to use 1.2, but I'm not sure about this one.
