Configuring TLS Updates on Server/Client to Implement TLS 1.2 – Azure SQL

Ensure secure connection by switching to the latest protocols

As we work to improve system security, it is essential that you update your server configurations to support only the latest, strongest protocols. Starting October 31, the minimum supported version for Transport Layer Security (TLS) will be TLS 1.2. Here is our comprehensive plan to ensure a smooth transition:

Support for TLS 1.0 and TLS 1.1 in Azure ends on October 31, 2024 – Microsoft Lifecycle | Microsoft…

outline

Beginning November 1, any Azure SQL Servers that remain set to “Choose an option” or “None” (where “None” means that no minimum TLS version is enforced) will only allow connections using TLS 1.2 and TLS 1.3. Connections using TLS 1.0 or TLS 1.1 will be rejected. It is important for all customers to properly configure their servers and ensure that their client applications can operate with TLS 1.2 or higher.

Essential Actions for Customers

Develop a plan to migrate these servers to support TLS 1.2 or TLS 1.3.

Effect on application

Applications that currently use TLS 1.0 or TLS 1.1 will experience connectivity issues if servers (such as Azure SQL and Managed Instance) are configured to use “None” after October 31. Therefore, we recommend that both servers and client applications use the same communication protocol to avoid disruption.

How to identify encryption settings?

• You can use the sample resource graph below to verify:

“`SQL` …

resources

| where type == ‘microsoft.sql/servers’

| Project Subscription ID, Resource Group, Name, Properties.minimalTlsVersion

resources

| where type == “microsoft.sql/managedinstances”

| Project Subscription ID, Resource Group, Name, Properties.minimalTlsVersion

“`

• Another way to check server level settings:

Log in to Azure Portal -> Connect to SQL Single Database -> Under Security, Networking -> Encryption in Transit -> Make sure Minimum TLS version is set.

Impact of TLS settings

If the server is set to “None” for TLS settings, the client and server can use any mutually supported protocol. The system defaults to the strongest available protocol.

Recommendations

Our goal is to enable customers to use TLS 1.2 or TLS 1.3 for their workloads. Here’s how customers can identify client drivers that use protocols lower than TLS 1.2:

Perform a thorough inventory

Review all client applications and libraries to ensure they use the current TLS version.

Leverage resource graph queries for server-side configuration.

You can verify client-side settings using Azure portal metrics by applying a filter on TLS version or using extended events to determine successful connections. Establishing a connection to Azure SQL Database and Azure Synapse Analytics – Azure SQL Database and Azure…

Updates and Testing:

Upgrade to a supported version and undergo rigorous testing to ensure compatibility and secure communication.

Upgrading client applications:

Ensure that your client application is upgraded to use TLS version 1.2.

Test changes in non-production:

To avoid issues, we recommend testing these configurations in a non-production environment before moving to production.

conclusion

Implementing TLS 1.2 as the minimum supported version is critical to strengthening security. By following these guidelines and proactively managing the transition, customers can ensure continued connectivity and strong security for their systems. If you need assistance, please contact MSFT Support. Thank you for your cooperation in maintaining a secure environment.