SQL Server is TLS 1.2 only - ODBC connection timeout

[Antarctica]

Hello Advanced Installer team,

TLS 1.0 is deprecated since June 30, 2018, and use of TLS 1.2 is strongly encouraged. Eventually, some customers have started to switch to TLS 1.2 only.

I am using ODBC Connection Test in an installer built with AI 15.1.
When the SQL server's SCHANNEL.DLL is configured to only support TLS 1.2, the connection test fails with "Connection timeout". I can, however, connect through SSMS using encrypted TCP/IP, so TLS 1.2 seems to be working server-side.
Our .NET app had the same problem, which I have already fixed using the lines:

Code: Select all

            ServicePointManager.SecurityProtocol =
                SecurityProtocolType.Tls11 |
                SecurityProtocolType.Tls12;

For your reference, the registry file used by our customer to enforce TLS 1.2 is as follows:

Code: Select all

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

(Server reboot required for changes to take effect)

Kind regards,

Alexander

[Daniel]

Hello Alexander,

First of all I apologize for my delayed reply.

Analyzing your scenario this could happen if you are using the old "SQL Server" as the ODBC Driver to be used by our TestODBC custom action. Please note that this driver became deprecated and does not have TLS 1.2 support.

To avoid this issue I recommend you to use the newer "ODBC Driver 13 for SQL Server" ODBC driver which supports TLS 1.2.

Let us know if this helped.

All the best,
Daniel

[jdixon]

So are you saying we need to make sure we deploy "ODBC Driver 13 for SQL Server" with Advanced Installer and make sure that is being used in Advanced Installer as the driver?

[Daniel]

Hello,

Yes, in case the driver is not already installed you can simply download its setup package and add it as a pre-install prerequisite to your setup package.

All the best,
Daniel

[abarry]

For elaboration, refer to the following post: viewtopic.php?t=32277

[Catalin]

Hello,

Thank you for contributing to our forums.

I am sure the link will be useful for further users facing a similar scenario and finding this topic.

Best regards,
Catalin

[neki]

Hello

We have also a problem with the installer to connect to a sql server, that has disabled TLS 1.0.
We are working on AI version 16.4.1, have installed ODBC driver 13 on destination computer, using the default testconnection dialog from AI for browse database, have changed the "ODBC Driver:" string to the following 5 strings but it doesn't work with any of that strings.
1. [\{]ODBC Driver 13 for SQL Server[\}]
2. {ODBC Driver 13 for SQL Server}
3. ODBC Driver 13 for SQL Server
4. "ODBC Driver 13 for SQL Server"
5. "{ODBC Driver 13 for SQL Server}"

Is there a special format we have to insert the ODBC driver string or what we are doing wrong?

[Catalin]

Hello and welcome to Advanced Installer forums,

First of all, please accept my apologies for the delayed reply.

From what I can see, the first option is the correct one. The SQLConnectionString could look like this:

Driver=[\{]ODBC Driver 13 for SQL Server[\}];Server=[SERVER_PROP];Uid=[USERNAME_PROP];Pwd=[PASSWORD_PROP];

However, the server browse may still try to use the "SQL Server" driver. Could you please go to "SQL Databases" page --> under "Database server" section click on your predefined connection and make sure that the ODBC Driver is also set to "ODBC Driver 13 for SQL Server"?

ODBCDriver.png (133.68 KiB) Viewed 52804 times

Hope this helps.

Best regards,
Catalin

[narsingani]

Hi there,
I am facing the similar issue with the vesion 11.4.1. I have changed the SQL Database connection to "ODBC Driver 13 for SQL Server". However, do I also need to change the "sqlConnectionString" to "Driver=[\{]ODBC Driver 13 for SQL Server[\}];Server=[SERVER_PROP];Port=[PORT_PROP];Uid=[USERNAME_PROP];Pwd=[PASSWORD_PROP];Database=[DATABASE_PROP];" in my case?

Thanks in Advance for your assistance
Upendra Narsingani

[Catalin]

Hello Upendra,

However, do I also need to change the "sqlConnectionString" to "Driver=[\{]ODBC Driver 13 for SQL Server[\}];Server=[SERVER_PROP];Port=[PORT_PROP];Uid=[USERNAME_PROP];Pwd=[PASSWORD_PROP];Database=[DATABASE_PROP];" in my case?

Yes, this being the case, you should also change the event to set the driver accordingly.

Best regards,
Catalin