openssl s_client does not indicate that SQL Server is using TLS, however the connection is secure. How is that possible?

Question:

I am connecting to SQL Server 2017 using ODBC and MSSMS. The connection is not using TLS; I checked it using openssl s_client. However, the DBA assures me that the connection is secure.

What other common or typical methods/protocols could be used in making such a connection secure if not TLS? The connection is not being made through an SSH tunnel or VPN.

Answer:

Have the DBA run the following query to see if native SQL Server client-server connection encryption is being used.

SELECT @@SERVERNAME AS 'sql_server', a.host_name AS client_host, 
    a.login_name, client_interface_name, b.encrypt_option
FROM sys.dm_exec_sessions a 
JOIN sys.dm_exec_connections b ON a.session_id=b.session_id
WHERE login_name = '<login_name>'

If the encrypt_option column is false, then it’s not using the native encryption. At this point, any encryption that is wrapped around the connection would have to be at the networking layers, either Windows IPSec (or something similar), or encryption implemented by the network devices. So you’ll have to ask the DBA exactly how the connection is encrypted in that case.
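The DMV query above answers the question from the server side. The reason openssl s_client sees nothing is that SQL Server's native encryption is negotiated inside the TDS protocol: the client first sends a PRELOGIN packet, the server replies with its ENCRYPTION option, and only then does the TLS handshake run, wrapped inside TDS packets rather than as a bare TLS ClientHello on the socket. The following Python is an added example (not part of the original answer) that performs that first PRELOGIN exchange and reports what the server advertises (ENCRYPT_OFF, ENCRYPT_ON, ENCRYPT_NOT_SUP or ENCRYPT_REQ). It assumes the default port 1433, the PRELOGIN layout from the MS-TDS specification, and a constructed sample response so it can be checked offline; the `probe` function against a live host is not exercised by the offline sample.

```python
"""Read SQL Server's native (TDS-level) encryption setting from PRELOGIN.

Added example, not part of the original Q&A. Assumes the MS-TDS PRELOGIN
layout: an 8-byte packet header, then an option table of 5-byte entries
(token, big-endian offset, big-endian length) ended by 0xFF, with offsets
relative to the start of the payload.
"""
import socket
import struct

# TDS packet header: type, status, length (BE), SPID (BE), packet id, window
TDS_HEADER = struct.Struct(">BBHHBB")
PRELOGIN_TYPE = 0x12   # client PRELOGIN request
RESPONSE_TYPE = 0x04   # server reply (tabular result) packet type
EOM = 0x01             # status bit: end of message

# PRELOGIN option tokens
OPT_VERSION, OPT_ENCRYPTION, OPT_INSTANCE, OPT_THREADID, OPT_MARS = 0, 1, 2, 3, 4
OPT_TERMINATOR = 0xFF

ENCRYPTION_NAMES = {
    0x00: "ENCRYPT_OFF",      # only the login packet is encrypted
    0x01: "ENCRYPT_ON",       # whole session encrypted if the client agrees
    0x02: "ENCRYPT_NOT_SUP",  # server cannot encrypt
    0x03: "ENCRYPT_REQ",      # server forces encryption for every session
}


def build_prelogin(encryption=0x00):
    """Build a PRELOGIN packet whose ENCRYPTION option carries `encryption`."""
    options = [
        (OPT_VERSION, struct.pack(">IH", 0x0F000000, 0)),  # constructed version
        (OPT_ENCRYPTION, bytes([encryption])),
        (OPT_INSTANCE, b"\x00"),                           # default instance
        (OPT_THREADID, struct.pack(">I", 0)),
        (OPT_MARS, b"\x00"),
    ]
    table_len = 5 * len(options) + 1          # entries plus terminator byte
    table, data = bytearray(), bytearray()
    for token, payload in options:
        offset = table_len + len(data)        # relative to payload start
        table += struct.pack(">BHH", token, offset, len(payload))
        data += payload
    table.append(OPT_TERMINATOR)
    body = bytes(table + data)
    header = TDS_HEADER.pack(PRELOGIN_TYPE, EOM, TDS_HEADER.size + len(body), 0, 1, 0)
    return header + body


def parse_prelogin_options(packet):
    """Return {token: payload bytes} from a PRELOGIN request or response."""
    _ptype, _status, length, _spid, _pid, _win = TDS_HEADER.unpack_from(packet)
    if length != len(packet):
        raise ValueError("TDS length %d != packet size %d" % (length, len(packet)))
    body = packet[TDS_HEADER.size:]
    options, pos = {}, 0
    while body[pos] != OPT_TERMINATOR:
        token = body[pos]
        offset, size = struct.unpack_from(">HH", body, pos + 1)
        if offset + size > len(body):
            raise ValueError("option 0x%02x points outside the packet" % token)
        options[token] = body[offset:offset + size]
        pos += 5
    return options


def encryption_setting(response):
    """Name the ENCRYPTION value the server sent in its PRELOGIN response."""
    value = parse_prelogin_options(response)[OPT_ENCRYPTION][0]
    return ENCRYPTION_NAMES.get(value, "UNKNOWN(0x%02x)" % value)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-PRELOGIN")
        buf += chunk
    return buf


def probe(host, port=1433, timeout=5):
    """Send PRELOGIN to a live server and report its encryption setting."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_prelogin())
        header = _recv_exact(sock, TDS_HEADER.size)
        length = struct.unpack_from(">H", header, 2)[0]
        return encryption_setting(header + _recv_exact(sock, length - TDS_HEADER.size))


# Constructed server response advertising ENCRYPT_REQ, built with the same
# encoder so the logic can be checked without a live SQL Server.
SAMPLE_RESPONSE = bytes([RESPONSE_TYPE]) + build_prelogin(0x03)[1:]

if __name__ == "__main__":
    import sys
    print("sample:", encryption_setting(SAMPLE_RESPONSE))
    if len(sys.argv) > 1:
        print(sys.argv[1] + ":", probe(sys.argv[1]))
```

A server that reports ENCRYPT_REQ (the "Force Encryption" setting) refuses unencrypted sessions, so the DMV's encrypt_option would be true for every connection; ENCRYPT_ON or ENCRYPT_OFF leaves the choice to the client's Encrypt setting, and ENCRYPT_NOT_SUP means any protection has to come from the network layer, as the answer describes.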
