SQL Server is not using the latest version of TLS encryption
ID | sql_server_minimum_tls_version
Severity | high
Vendor | Azure
Resource | MSSQL Server
Tags | reachable
Description
SQL Server should use at least TLS 1.2.
Transport Layer Security is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.
TLS 1.0 is a security protocol first defined in 1999 for establishing encrypted channels over computer networks. Evolving regulatory requirements, together with the security weaknesses found in TLS 1.0 and 1.1 since then, give organizations good reason to disable both versions entirely.
Microsoft recommends disabling TLS 1.0 and 1.1 and requiring TLS 1.2 or later. On an Azure SQL server this is enforced with the minimalTlsVersion property: connections that cannot negotiate at least that version are rejected, so clients that only support older protocols must be upgraded before the setting is raised.
See Deprecating weak cryptographic standards (TLS 1.0 and 1.1) in Azure DevOps Services and, more specifically, TLS for MSSQL to learn more about this flaw.
Examples
ARM
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Sql/servers",
      "apiVersion": "2019-06-01-preview",
      "location": "[variables('databaseServerLocation')]",
      "name": "bad",
      "properties": {
        "minimalTlsVersion": "1.0" (1)
      }
    }
  ]
}
1 | Below the minimal TLS version deemed safe: the server still accepts TLS 1.0 and 1.1 connections. |
Mitigation / Fix
Buildtime
ARM
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Sql/servers",
      "apiVersion": "2019-06-01-preview",
      "location": "[variables('databaseServerLocation')]",
      "name": "good",
      "properties": {
        "minimalTlsVersion": "1.2" (1)
      }
    }
  ]
}
1 | The server enforces TLS 1.2 as the minimum protocol version. The minimalTlsVersion property is supported from apiVersion 2019-06-01-preview onward; older apiVersions of Microsoft.Sql/servers do not accept it. |
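The following is an added example, not part of the original page or of any scanner's own code: a small build-time check that walks an ARM template, finds every Microsoft.Sql/servers resource (including nested child resources) and reports whether minimalTlsVersion is at least 1.2. It treats a missing property as a failure because the template then does not enforce any minimum, treats the literal value "None" (which Azure accepts as "no enforcement") as a failure, and reports "unknown" when the value is an ARM expression such as "[parameters('tlsVersion')]", since that cannot be resolved without the parameter file. The SAMPLE_TEMPLATE is constructed for this example; the server names and the "unset"/"parameterised" cases are assumptions, not resources from the page.

```python
"""Build-time check for the sql_server_minimum_tls_version rule on an ARM template."""
import json

MIN_SAFE_VERSION = (1, 2)          # TLS 1.2 is the lowest version the rule accepts
SQL_SERVER_TYPE = "microsoft.sql/servers"


def parse_tls_version(value):
    """Return (major, minor) for a literal version string such as "1.2".

    Returns None for anything that is not a literal version: an ARM expression
    ("[parameters(...)]"), the Azure value "None" (no enforcement), or junk.
    """
    if not isinstance(value, str):
        return None
    text = value.strip()
    if text.startswith("[") or text.lower() == "none":
        return None
    try:
        major, minor = text.split(".")
        return (int(major), int(minor))
    except ValueError:
        return None


def iter_resources(resources, parent_type=""):
    """Yield (full_type, resource) for every resource, recursing into nested children.

    A nested child may carry a short type ("databases"); it is qualified with the
    parent type so that comparisons against a full type work.
    """
    for res in resources or []:
        rtype = res.get("type", "")
        full_type = f"{parent_type}/{rtype}" if parent_type and "/" not in rtype else rtype
        yield full_type, res
        yield from iter_resources(res.get("resources"), full_type)


def check_template(template):
    """Return a list of (resource name, status, detail) for each SQL server.

    status is "pass", "fail" or "unknown".
    """
    findings = []
    for full_type, res in iter_resources(template.get("resources")):
        if full_type.lower() != SQL_SERVER_TYPE:
            continue
        name = res.get("name", "<unnamed>")
        raw = (res.get("properties") or {}).get("minimalTlsVersion")
        if raw is None:
            findings.append((name, "fail", "minimalTlsVersion not set; the template enforces no minimum"))
            continue
        version = parse_tls_version(raw)
        if version is None:
            findings.append((name, "unknown", f"minimalTlsVersion is not a literal version: {raw!r}"))
        elif version < MIN_SAFE_VERSION:
            findings.append((name, "fail", f"minimalTlsVersion {raw} is below 1.2"))
        else:
            findings.append((name, "pass", f"minimalTlsVersion {raw}"))
    return findings


def _server(name, properties):
    """Helper to build a Microsoft.Sql/servers resource for the constructed sample."""
    return {
        "type": "Microsoft.Sql/servers",
        "apiVersion": "2019-06-01-preview",
        "location": "eastus",
        "name": name,
        "properties": properties,
    }


# Constructed sample input (assumption): the page's "bad" and "good" servers plus two
# extra cases that a real template review has to deal with.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        _server("bad", {"minimalTlsVersion": "1.0"}),
        _server("good", {"minimalTlsVersion": "1.2"}),
        _server("unset", {}),
        _server("parameterised", {"minimalTlsVersion": "[parameters('tlsVersion')]"}),
    ],
}


def check_file(path):
    """Load an ARM template from disk and run the check on it."""
    with open(path, encoding="utf-8") as fh:
        return check_template(json.load(fh))


if __name__ == "__main__":
    for name, status, detail in check_template(SAMPLE_TEMPLATE):
        print(f"{status:7} {name:15} {detail}")
```

Point check_file at a real template to use it in a pipeline; any "fail" or "unknown" line is worth a look before deployment, and "unknown" is cleared by checking the parameter file that supplies the value. For a server that is already deployed, the same property can be raised at runtime with `az sql server update --resource-group <rg> --name <server> --minimal-tls-version 1.2`.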