Re: SSL Encryption Test

From: Matt Neerincx [MSFT] (mattn_at_online.microsoft.com)
Date: 09/30/05

    Date: Thu, 29 Sep 2005 18:52:02 -0700

    There are currently 2 modes of SSL with SQL.

    Client side initiated SSL encryption and server-side SSL encryption.

    Server side SSL encryption is enabled via the "Force Protocol Encryption"
    setting on the server, you have discovered this already.
    With Server side SSL, the client does not validate the SSL certificate at
    all, it just uses it to encrypt the traffic.

    With client side initiated SSL encryption, the client will both verify that
    it trusts the root CA of the certificate as well as validate that the target
    server is properly embedded in the certificate (mutual authentication). So
    client side initiated SSL is more stringent.

    However, you cannot use SSL to deny users access to the server (or for
    client authentication like you can with IIS), SSL is only used to encrypt
    the data over the wire with SQL. But that is actually a good idea I'll
    bring to the next meeting we have about future of TDS protocol, I think
    this would be a nice feature to have.

    -- 
    Matt Neerincx [MSFT]
    This posting is provided "AS IS", with no warranties, and confers no rights.
    Please do not send email directly to this alias. This alias is for newsgroup 
    purposes only.
    <xxdanbrowne@gmail.com> wrote in message 
    news:1128005350.799985.234510@z14g2000cwz.googlegroups.com...
    > Correction: It looks like it is actually *working*.
    > I sniffed the packets with force encryption on and cannot see anything
    > intelligible.
    > I sniffed the packets with force encryption off and I can make out
    > everything passing back and forth between the sql server and the
    > client.
    >
    > What is weird as far as I'm concerned is how this is supposed to secure
    > the system if *anybody* can connect. Basically the only protection it
    > gives you is preventing packets from being sniffed and read, so someone
    > could *still* connect using SSL and run a dictionary attack trying to
    > guess sa if they knew what port you were on.
    > 
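As an added, defender-side illustration of the distinction Matt draws (this is example code, not part of the thread): later SQL Server client drivers expose the same two outcomes through the `Encrypt` and `TrustServerCertificate` connection-string keywords (an assumption about later driver versions; the post itself only names the server-side "Force Protocol Encryption" setting). `Encrypt=yes` with `TrustServerCertificate=yes` is the "encrypt but do not validate the certificate" case, while `TrustServerCertificate=no` makes the client check the CA chain and server name. The script below parses constructed connection strings (including brace-quoted values that may contain `;`) and reports which guarantee each one actually provides, so that an audit of application configuration can flag connections that are encrypted but would accept any certificate.

```python
"""Classify SQL Server connection strings by the TLS guarantee they provide.

Assumptions (not stated in the original post): the driver honours the
`Encrypt` and `TrustServerCertificate` keywords, and an absent `Encrypt`
defaults to "no" as in older drivers (newer drivers default to "yes").
"""

# Spellings SQL Server drivers accept as "true" for boolean keywords.
_TRUE = {"yes", "true", "1"}

# Classification labels returned by classify().
PLAINTEXT = "plaintext-unless-server-forces"   # server may still force TLS
ENCRYPTED_UNVALIDATED = "encrypted-unvalidated"  # TLS, any certificate accepted
ENCRYPTED_VALIDATED = "encrypted-validated"      # TLS, CA chain and name checked


def parse_connection_string(conn: str) -> dict:
    """Tokenize 'Key=Value;Key={Value with ; inside}' into a lower-cased dict.

    Brace-quoted values keep everything up to the first '}', which is the
    ODBC rule for embedding ';' in a value such as a password.
    """
    out = {}
    i, n = 0, len(conn)
    while i < n:
        eq = conn.find("=", i)
        if eq < 0:
            break
        key = conn[i:eq].strip().lower()
        i = eq + 1
        while i < n and conn[i] == " ":
            i += 1
        if i < n and conn[i] == "{":
            close = conn.find("}", i)
            if close < 0:
                close = n  # unterminated brace: take the rest of the string
            value = conn[i + 1:close]
            semi = conn.find(";", close + 1)
            i = n if semi < 0 else semi + 1
        else:
            semi = conn.find(";", i)
            if semi < 0:
                semi = n
            value = conn[i:semi].strip()
            i = semi + 1
        if key:
            out[key] = value
    return out


def classify(conn: str) -> str:
    """Map a connection string to the guarantee the client side asks for."""
    kv = parse_connection_string(conn)
    encrypt = kv.get("encrypt", "no").strip().lower() in _TRUE
    trust_any = kv.get("trustservercertificate", "no").strip().lower() in _TRUE
    if not encrypt:
        # Matches the post: the server's "Force Protocol Encryption" setting
        # can still turn this into encrypted-but-unvalidated traffic, and the
        # client string alone cannot tell us which.
        return PLAINTEXT
    if trust_any:
        return ENCRYPTED_UNVALIDATED
    return ENCRYPTED_VALIDATED


# Constructed sample configuration lines (name=connection string), not real.
SAMPLE_CONFIG = [
    "app.db=Server=db01;Database=app;UID=app;PWD={s;cret};Encrypt=yes;TrustServerCertificate=no",
    "report.db=Server=db02;Database=rpt;Encrypt=yes;TrustServerCertificate=yes",
    "legacy.db=Server=db03;Database=old",
]


def audit(lines):
    """Return (name, classification) for each 'name=connstring' line."""
    findings = []
    for line in lines:
        name, _, conn = line.partition("=")
        findings.append((name.strip(), classify(conn)))
    return findings


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CONFIG):
        print(f"{name:12s} {verdict}")
```

Only `encrypted-validated` gives the client-initiated, certificate-checked mode the post calls more stringent; the other two verdicts deserve a closer look, because neither lets the client tell a legitimate server from one presenting an arbitrary certificate.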
    
