I have disabled SSL3 on my web server to combat the Poodle Vulnerability and now I am unable to connect to my SQL server using SQL Authentication. I just get "Connection forcibly closed by remote host" messages. Can anyone offer any advice? Are there config changes needed on SQL?
- What webserver are you running? Are you referring to mysql, mssql, postgresql? What did you change to disable SSLv3? What does your connection string look like? Are the two server roles hosted on the same server/OS? Did you not attend grade school or do you simply just hate sensible punctuation? – Mathias R. Jessen Nov 14 '14 at 12:06
- Sorry, running IIS on a Windows 2008 Server and SQL 2008. I simply disabled the SSL 3.0 protocol using a tool called IIS Crypto. – rs82uk Nov 14 '14 at 14:06
- Some further information: I tried to do this again last night, and the weirdest thing is that I can access the server remotely but not locally. – rs82uk Nov 19 '14 at 09:21
- I think I have at least found the cause. Turning off SSL v3 seems to have stopped SQL Agent from starting. – rs82uk Nov 19 '14 at 12:07
2 Answers
EDIT 2015-06-19: My initial answer was wrong. See comments for context.
Old (wrong) version of this answer (preserved for context):
Check if your SQL server actually accepts any encryption above SSL3:
- Run the connection client.
- Find out what server port it is connecting to.
- Check with OpenSSL's `s_client` if TLS is supported:

```sh
openssl s_client -connect Mysqlserver:myserverport -ssl3
openssl s_client -connect Mysqlserver:myserverport -tls1
openssl s_client -connect Mysqlserver:myserverport -tls1_1
openssl s_client -connect Mysqlserver:myserverport -tls1_2
```
StackzOfZtuff
- That's good for MySQL, but the question was edited 7 months ago to specify Microsoft SQL Server, which doesn't start with an SSL/TLS handshake but instead wraps it within a different protocol (TDS) that `s_client` can't handle, even with `-starttls`, which can do, for example, SMTP+STARTTLS. – dave_thompson_085 Jun 18 '15 at 13:50
- Huh. Thanks. I stand corrected. In that case a [TDS NetMon trace](http://cornasdf.blogspot.com/2010/04/sql-server-data-in-transit-cipher.html) (archived [here](https://archive.is/xvh7i)) can reveal what SSL/TLS versions are tried, and if the versions match. And then check if any of the client-offered cipher suites are shared by the server. – StackzOfZtuff Jun 19 '15 at 09:08
- But I just saw that the question owner seems to have found the explanation himself. (See comment by rs82uk dated Nov 19 '14 at 12:07.) – StackzOfZtuff Jun 19 '15 at 09:09
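The comment by dave_thompson_085 above points out why `s_client` cannot probe SQL Server: the TLS handshake is carried inside TDS, after a PRELOGIN exchange, in packets of the same type (0x12). As an added illustration that is not code from any poster, the following Python builds and parses that PRELOGIN packet and reads its ENCRYPTION option, which is the first thing a NetMon/Wireshark trace of the connection shows before the wrapped TLS ClientHello. The layout follows the public MS-TDS specification; the sample version number and option values are constructed.

```python
import struct

TDS_PRELOGIN = 0x12  # packet type for PRELOGIN; the wrapped TLS handshake records reuse it
OPT_VERSION, OPT_ENCRYPTION, OPT_TERMINATOR = 0x00, 0x01, 0xFF
ENCRYPTION_NAMES = {0x00: "ENCRYPT_OFF", 0x01: "ENCRYPT_ON",
                    0x02: "ENCRYPT_NOT_SUP", 0x03: "ENCRYPT_REQ"}

def build_prelogin(options):
    """Wrap (token, data) pairs in a PRELOGIN payload and an 8-byte TDS header.
    Option table entries are token (1 byte), offset and length (2 bytes each,
    big-endian, offset relative to payload start), ended by 0xFF, then the data."""
    table_len = 5 * len(options) + 1
    table, data = bytearray(), bytearray()
    for token, value in options:
        table += struct.pack(">BHH", token, table_len + len(data), len(value))
        data += value
    payload = bytes(table) + bytes([OPT_TERMINATOR]) + bytes(data)
    # Header: type, status (0x01 = end of message), total length, SPID, packet id, window
    header = struct.pack(">BBHHBB", TDS_PRELOGIN, 0x01, 8 + len(payload), 0, 1, 0)
    return header + payload

def parse_prelogin(packet):
    """Return {token: data} from a TDS PRELOGIN packet after validating the header."""
    if len(packet) < 8:
        raise ValueError("truncated TDS header")
    ptype, _status, length = struct.unpack(">BBH", packet[:4])
    if ptype != TDS_PRELOGIN or length != len(packet):
        raise ValueError("not a well-formed TDS PRELOGIN packet")
    payload, options, pos = packet[8:], {}, 0
    while payload[pos] != OPT_TERMINATOR:
        token, offset, size = struct.unpack(">BHH", payload[pos:pos + 5])
        options[token] = payload[offset:offset + size]
        pos += 5
    return options

def encryption_setting(packet):
    """Name of the ENCRYPTION option carried in a PRELOGIN packet."""
    value = parse_prelogin(packet)[OPT_ENCRYPTION][0]
    return ENCRYPTION_NAMES.get(value, "unknown(0x%02x)" % value)

# Constructed sample packets (not captured from a real server):
# a client that offers encryption without demanding it for the whole session ...
CLIENT_PRELOGIN = build_prelogin([(OPT_VERSION, bytes(6)), (OPT_ENCRYPTION, b"\x00")])
# ... and a server reply with a made-up 10.0.x version that requires encryption.
SERVER_PRELOGIN = build_prelogin([(OPT_VERSION, bytes([10, 0, 6, 0, 0, 0])),
                                  (OPT_ENCRYPTION, b"\x03")])
```

Feeding the bytes of a real PRELOGIN reply from a trace into `parse_prelogin` shows whether the server insists on encryption before the wrapped handshake begins; the TLS version actually negotiated must then be read from the 0x12 packets that follow.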
If you disabled SSL_3 by removing ciphers, you have likely also disabled TLS1 and TLS1_1. This leaves TLS1_2, which is not yet supported by all applications.
As I documented in my post on Disabling SSLv3 to block Poodle, you can block SSL3 in Apache with the configuration line:

```apache
SSLProtocol all -SSLv3
```

As suggested by StackzOfZtuff, test connectivity with SSL3 and TLS after disabling SSL3.
BillThor
- Your link is broken. And I don't think that's the right syntax for IIS anyway. – Michael Hampton Nov 14 '14 at 15:39
- @MichaelHampton I fixed the link. The syntax I provided was for Apache as specified. Check the enabled/disabled protocols as per http://support.microsoft.com/kb/245030. – BillThor Nov 15 '14 at 00:02
- "Sorry running IIS on a Windows 2008 Server and SQL 2008 I Simply disabled the SSL 3.0 Protocol using a tool called IIS Crypto" I didn't see anything about Apache anywhere. – Michael Hampton Nov 15 '14 at 00:03