
SQL Server JDBC Error: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption

Background:

  • Application Server:

Java Based Application is running on Windows Server 2008 R2 Enterprise. Java Version on this Server is Version 6 Update 32. JDBC Driver Version: 4.0

  • Database Server:

The database server has been recently upgraded (side-by-side upgrade with the same servername as the one that the application used to connect to) from Windows 2016 to Windows 2019 and SQL Server 2012 to SQL Server 2016, and there is no Java on this server. Is this a problem?

  • History:

When we did the database server upgrade last time from SQL Server 2008 to SQL Server 2012, we followed the same method and the application worked fine.

But this time it is throwing the following error into the Application logs:
org.jboss.resource.JBossResourceException: Could not create connection; – nested throwable: (com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: “SQL Server did not return a response. The connection has been closed.”.)

We did not touch the application server at all, expecting that when the database server is up, since it is the same servername, it would start back up fine, but the application is failing with the above error. There is no logon failure because we tested the application login and password and it worked fine.

I looked at the following:
"SQL Server JDBC Error on Java 8: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption", but we can't seem to understand what is causing this issue since nothing on the Application Server has changed. I looked at the compatibility between the JDBC Version and the SQL Server matrix here
https://learn.microsoft.com/en-us/sql/connect/jdbc/microsoft-jdbc-driver-for-sql-server-support-matrix?view=sql-server-2017 and it looks like JDBC 4.0 works with SQL Server 2016.

Any ideas as to what could be going on?


Answer

Ok, so we worked with Microsoft Support on this issue and this is the understanding that we came to.

Microsoft added/enabled TLS 1.0 and TLS 1.1 on the Database Server for testing purposes only, since Microsoft does not support TLS 1.0 anymore. This lowered the security protocol to a lower state, but we were able to establish SQL Connectivity between the Application server and the Database Server; still, the Application initially couldn’t connect. Microsoft thinks that it is because of the current connection provider/driver that is being used by the application, and they wouldn’t support that part of it since that is Java/Oracle’s JDBC driver.

In our case, the application did connect some time after enabling TLS 1.0 and TLS 1.1. This may or may not work in your case.

So the recommended solution, if you have the resources to modify the application, is to update the drivers for the application, test and redeploy.

If you don’t have the resources to the application then the options are these:

1. Rollback to older Servers for SQL Server. This could work but there is no guarantee. Also another thing to note is that SQL Server 2008 and 2008R2 are out of support, so the oldest we could go (and still stay supported) would be SQL Server 2012 which may not resolve the issue.

2. Open the security wide open. This will very likely solve the issue, but is most definitely not recommended. It is likely that the issue has to do with extremely outdated security providers, that are no longer supported. So, opening your security wide open will likely resolve the issue, but this is not recommended.

3. Rewrite the application which is not the easiest option, but is the only one that is fully recommended by Microsoft.

See this https://serverfault.com/questions/649052/do-i-have-to-enable-tls-1-0-in-windows-2008-r2 and this https://www.youtube.com/watch?v=vUuR_M3biDU if you’d like to enable TLS by yourself. The server will require reboot after you make this change.

User contributions licensed under: CC BY-SA
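
A client-side check for the protocol mismatch discussed in the answer, as an added example that is not part of the original post or of Microsoft's guidance. It lists the TLS versions the application server's JVM can speak and compares them with the versions the database server accepts; the class name and the default server list (`TLSv1.2`) are assumptions, and the server's real list can be passed as arguments.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example. Written to compile on Java 6: no lambdas, no try-with-resources.
public class TlsProtocolCheck {

    // Assumed server-side protocol list, used when no arguments are given.
    // This is an assumption for illustration, not a value taken from the page.
    private static final String[] ASSUMED_SERVER_PROTOCOLS = { "TLSv1.2" };

    // Returns the protocol names present in both arrays, in client order.
    static List<String> overlap(String[] client, String[] server) {
        List<String> serverList = Arrays.asList(server);
        List<String> common = new ArrayList<String>();
        for (int i = 0; i < client.length; i++) {
            if (serverList.contains(client[i])) {
                common.add(client[i]);
            }
        }
        return common;
    }

    public static void main(String[] args) throws Exception {
        String[] server = args.length > 0 ? args : ASSUMED_SERVER_PROTOCOLS;

        // The JDBC driver may build its own SSLContext, so "supported" is the
        // upper bound of what this JVM can negotiate, whatever the driver does.
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters enabled = ctx.getDefaultSSLParameters();

        System.out.println("Java version:       " + System.getProperty("java.version"));
        System.out.println("JVM supports:       " + Arrays.toString(supported.getProtocols()));
        System.out.println("Enabled by default: " + Arrays.toString(enabled.getProtocols()));
        System.out.println("Server accepts:     " + Arrays.toString(server));

        List<String> usable = overlap(enabled.getProtocols(), server);
        List<String> possible = overlap(supported.getProtocols(), server);
        if (!usable.isEmpty()) {
            System.out.println("Common protocol with default settings: " + usable);
        } else if (!possible.isEmpty()) {
            System.out.println("No common protocol by default, but the JVM supports "
                    + possible + "; enable it on the client rather than weakening the server.");
        } else {
            System.out.println("No common protocol: this JVM cannot negotiate TLS with the server as configured.");
        }
    }
}
```

Run it with the same JRE the application uses, for example `java TlsProtocolCheck TLSv1.2`, so the output reflects that runtime rather than another Java installation on the machine.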