Microsoft has decided to pull back support for Transport Layer Security versions 1.0 and 1.1 in upcoming Windows rollouts.

Microsoft has decided to disallow Transport Layer Security (TLS) versions 1.0 and 1.1 in the Windows operating system in a bid to increase the security posture of its customers and encourage modern protocol adoption.

The company has warned that the move could impact the SQL Servers of enterprises still using older versions of TLS. These TLS versions have long been identified as having security weaknesses and were replaced by two successive upgrades, versions 1.2 and 1.3.

"Over the past several years, internet standards and regulatory bodies have deprecated TLS versions 1.0 and 1.1, due to a variety of security issues," Microsoft said in a blog post. "We have been tracking TLS protocol usage for several years and believe TLS 1.0 and TLS 1.1 usage data are low enough to act."

The company will disable the versions by default in its Windows operating systems, starting with Windows 11 Insider Preview builds in September 2023.

Legacy TLS had security flaws

Since its launch in 1999, TLS 1.0 has been found to have several security weaknesses, including vulnerability to the POODLE attack, weaker cipher suites, lack of forward secrecy, inadequate hash functions, and limited authentication.

A subsequent version (1.1), released in 2006, made some security improvements but failed to gain broader adoption. Ultimately, both were replaced by the TLS 1.2 (2008) and 1.3 (2018) rollouts.

However, pulling out the legacy versions wasn't easy for all adopters, as it presented a few challenges, including the requirement to maintain backward compatibility.

In January 2021, the National Security Agency (NSA) released guidance on eliminating obsolete TLS configurations, and many technology giants including Apple, Google, Mozilla and (now) Microsoft have announced plans to move away from the outdated protocols.
Several Microsoft applications are set to break

Microsoft has warned enterprise users about a list of applications that can be expected to break as older TLS versions are disabled.

Topping the list of endangered applications is SQL Server. The 2012, 2014, and 2016 editions of SQL Server are expected to break. While both 2014 and 2016 remain in support, 2012 is out of support but will receive extended security updates.

Other popular applications listed in the red zone by the company include MS Office 2008 Professional, Safari 5.1.7, EVault Data Protection-7.01.6125, and Xbox One SmartGlass – 2.2.1702.2004.

Microsoft has advised upgrading applications that show signs of failure after the change.

"Most newer versions of applications support TLS 1.2 or higher protocol versions," Microsoft said. "Therefore, if an application starts failing after this change, the first step is to look for a newer version of the application that has TLS 1.2 or TLS 1.3 support."

If a failing application has no other alternative and must use TLS 1.0 or TLS 1.1, the disabled protocol versions can be re-enabled with a system registry setting.
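One way to find the services that would be affected before the change lands, as an added example that is not from Microsoft or the original article: the Python below reads the negotiated version out of a TLS ServerHello record (for instance from a packet capture) and flags TLS 1.0 and 1.1, along with the older SSL 3.0. The records and host labels in `SAMPLES` are constructed, and `make_hello` is a hypothetical helper that builds them.

```python
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
LEGACY = {0x0300, 0x0301, 0x0302}  # everything below TLS 1.2


def negotiated_version(record: bytes) -> int:
    """Return the protocol version selected by a ServerHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    version = int.from_bytes(hello[0:2], "big")
    # Skip version, random, session_id, cipher suite and compression method.
    pos = 34 + 1 + hello[34] + 3
    if pos + 2 > len(hello):
        return version                 # no extensions: this field is final
    end = min(pos + 2 + int.from_bytes(hello[pos:pos + 2], "big"), len(hello))
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack(">HH", hello[pos:pos + 4])
        if ext_type == 0x002B and ext_len == 2:   # supported_versions
            return int.from_bytes(hello[pos + 4:pos + 6], "big")
        pos += 4 + ext_len
    return version


def classify(record: bytes):
    v = negotiated_version(record)
    return VERSIONS.get(v, f"unknown 0x{v:04x}"), v in LEGACY


def make_hello(version: int, extensions: bytes = b"") -> bytes:
    """Build a constructed (not captured) ServerHello record for the demo."""
    hello = version.to_bytes(2, "big") + bytes(32) + b"\x00" + b"\x00\x2f\x00"
    if extensions:
        hello += len(extensions).to_bytes(2, "big") + extensions
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + version.to_bytes(2, "big") + len(hs).to_bytes(2, "big") + hs


SAMPLES = {"sql-legacy": make_hello(0x0301), "app-1.1": make_hello(0x0302),
           "web-1.2": make_hello(0x0303),
           "web-1.3": make_hello(0x0303, b"\x00\x2b\x00\x02\x03\x04")}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, *classify(rec))
```

A TLS 1.3 server puts 0x0303 in the version field and signals 1.3 in the `supported_versions` extension, which is why the parser walks the extensions instead of trusting the first two bytes.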