How can I change the RSA key length from 1024 to 2048?


Question :

SQL Server Environment:
OS version: Windows 2012 R2
Microsoft SQL Server 2014 (SP3-CU4-GDR) (KB4583462) – 12.0.6433.1 (X64)
Instance type: Named instance

When I am attempting to connect from a Docker container (running Debian 10 and ODBC 17 for SQL Server) to SQL Server, we get the error [Client unable to establish connection]. If we downgrade the Cipherstring in the /etc/ssl/openssl.cnf file in our Docker container from DEFAULT@SECLEVEL=2 to DEFAULT@SECLEVEL=1 the connection works.

Why does it work with the same version when the setting is DEFAULT@SECLEVEL=2?

I have another SQL Server with the same version which works.

I exported the cipher suites and TLS settings using the commands below from the working server and compared them with the ones from the non-working server, and they were identical.

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /s > c:/tmp/%computername%_ClientSchannelConfigs.txt

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002" /s > c:/tmp/%computername%_ClientCipherSuitesConfigs.txt

I was able to extract the certificate using nmap. The non-working server is presenting an RSA key of length 1024 (insecure) and the working server is using a certificate of appropriate length: 2048. How can we make the non-working server's RSA key length 2048?

❯ docker run -it instrumentisto/nmap -sV --script ssl-cert -p 1433 XXXXXXXXXXXXXXXX
Starting Nmap 7.92 ( https://nmap.org ) at 2021-10-14 20:08 UTC
Nmap scan report for XXXXXXXXXXXXXXXXXXXX
Host is up (0.0021s latency).
Other addresses for XXXXXXXXXXXXXXXXXXXXXXXXX

1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.6433
| ssl-cert: Subject: commonName=XXXXXXXXXXXXXXXXXXXXX
| Subject Alternative Name: DNS:XXXXXXXXXXXXXXXXXXXX
| Issuer: commonName=XXX Intermediate CA -1
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-08-19T09:01:24
| Not valid after: 2023-08-19T09:01:24
| MD5: 7116 61d2 eca6 01b1 19f5 f4e9 0e46 42d5
|_SHA-1: f81b 8ed7 455c e981 a712 83ab 5fd5 3802 4d67 da4f
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Not working server:

| Public Key type: rsa
| Public Key bits: 1024

Answer :

How can we make the non-working server's RSA key length 2048?

Use a company certificate that has the key length you’d like.

If you’re relying on the self-generated certificates created by SQL Server as a nicety, then you’ll instead want to use your own, as there is no way to change that: it’s hard-coded.

For completeness, other items associated with this issue.
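As an added example (not from the question or the answer above), this is the offline check a practitioner would run on a server certificate's public key to see why OpenSSL at SECLEVEL=2 refuses it: a minimal DER walker reads the RSA modulus size out of a SubjectPublicKeyInfo (the output of `openssl x509 -in cert.pem -pubkey -noout`) and compares it with OpenSSL's per-SECLEVEL minimums. The DER encoder and the moduli at the bottom are constructed test data, not real keys.

```python
import base64

# Minimum RSA modulus size (bits) OpenSSL accepts at each SECLEVEL (levels 1-5 =
# 80/112/128/192/256-bit security). Debian 10 ships DEFAULT@SECLEVEL=2 -> 2048.
SECLEVEL_MIN_RSA_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}

def accepted_at(rsa_bits: int, seclevel: int) -> bool:
    """True if a certificate with this RSA key size passes the given SECLEVEL."""
    return rsa_bits >= SECLEVEL_MIN_RSA_BITS[seclevel]

def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(spki_der: bytes) -> int:
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey -> INTEGER n."""
    tag, start, _ = _read_tlv(spki_der, 0)             # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, alg_end = _read_tlv(spki_der, start)         # skip AlgorithmIdentifier
    tag, bs_start, _ = _read_tlv(spki_der, alg_end)    # BIT STRING subjectPublicKey
    if tag != 0x03 or spki_der[bs_start] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    _, rsa_start, _ = _read_tlv(spki_der, bs_start + 1)  # RSAPublicKey SEQUENCE
    tag, n_start, n_end = _read_tlv(spki_der, rsa_start)  # INTEGER modulus
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER (not an RSA key?)")
    return int.from_bytes(spki_der[n_start:n_end], "big").bit_length()

def spki_from_pem(pem: str) -> bytes:
    """Decode the PEM block that `openssl x509 -pubkey -noout` prints."""
    body = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))

# --- DER encoder used only to build constructed test inputs (not real keys) ---
def _der(tag: int, body: bytes) -> bytes:
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_uint(v: int) -> bytes:                        # positive INTEGER, sign-padded
    return _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def build_rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    """Constructed SubjectPublicKeyInfo for an rsaEncryption key (test data only)."""
    rsa_oid = _der(0x06, bytes.fromhex("2a864886f70d010101"))  # 1.2.840.113549.1.1.1
    alg = _der(0x30, rsa_oid + _der(0x05, b""))
    pub = _der(0x30, _der_uint(modulus) + _der_uint(exponent))
    return _der(0x30, alg + _der(0x03, b"\x00" + pub))

if __name__ == "__main__":
    for bits in (1024, 2048):                          # the two servers in the question
        n = rsa_modulus_bits(build_rsa_spki((1 << (bits - 1)) | 1))  # constructed modulus
        print(f"{n}-bit RSA: SECLEVEL=1 ok={accepted_at(n, 1)}, SECLEVEL=2 ok={accepted_at(n, 2)}")
```

Run against the real key the same way: paste the PEM from `openssl x509 -in cert.pem -pubkey -noout` into `spki_from_pem` and pass the result to `rsa_modulus_bits`.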
