Bug in ODBC SQL Server and OLEDB driver on Windows server 2016 when connecting to SQL Server 2019 running on Windows Server 2022 Error 772 or 18 SSL Security Error

We recently had a client who upgraded some SQL Server machines to SQL Server 2018 running on Windows Server 2022. He has a number of other Windows Server machines running our application which connects to that server.

We started getting the following error:

Connection failed
SQLState: '01000'
[Microsoft][ODBC SQL Server Driver][DBNETLIB]ConnectionOpen
(SECDoClientHandshake()).
Connection failed:
SQLState: '08001'
SQL Server Error: 18 (or in some cases Error 772)
[Microsoft][ODBC SQL Server Driver][DBNETLIB]SSL Security error

We found this blog post, "Bug in ODBC SQL Server and OLEDB driver on Windows server 2016 when connecting to SQL Server 2019 running on Windows Server 2022? - Microsoft Q&A", which explains that it’s because the new server has TLS 1.0 and TLS 1.1 OFF by default.

We used a Server Management tool to activate TLS 1.1 rather than the described Registry edits. (Apparently the tool is a GUI for the same registry edits. Unfortunately I don’t know the tool name, but it’s something on the server.) TLS 1.1 did not help, but turning on TLS 1.0 did.

The connection is now working, and a project is underway to upgrade the other servers as well.


Interesting to call TLS 1.0 an “upgrade.” :grinning:

Thanks for the heads-up.

I should clarify: They need to upgrade the Windows Server 2016 boxes (to Windows 2022) so they can then use TLS 1.2. Then we can remove the TLS 1.0 and 1.1 from the Windows 2022 boxes. I have not found a way yet for the 2016 boxes to use TLS 1.2 to talk to the 2022 box.

(Because these are servers talking to servers I also spent half the meeting getting confused about which side we were talking about…)

Ah. Obviously I misread your post, Bruce. I thought you were saying it was an inherent limitation in the Clarion SQL drivers.

We encountered something similar a year ago on Server 2016 running SQL Server Reporting Services. We had a COVID cases report on top of a map that the SSRS engine fetched from Bing (their choice, not mine) that suddenly stopped working when Bing started enforcing TLS 1.2.

We did the registry settings to force the server (actually, its .Net stack) to use 1.2 as detailed on this page: Microsoft Entra Connect: TLS 1.2 enforcement for Microsoft Entra Connect - Microsoft Entra ID | Microsoft Learn

That fixed our problem and our 2016 server is still online, now using 1.2.

Hi Bruce,

Windows Server 2016 does ship with TLS 1.2 support. However, the default version of the SQL Server client driver shipped with it doesn’t seem to support TLS 1.2.

I recently ran into this same problem in a server environment with SQL Server 2019 on Windows Server 2022 and some clients on Windows Server 2016. Solution was to install the latest SQL Native Driver on the client servers - although our app wasn’t using the actual native driver in the connection string, the update still fixed the connectivity for OLEDB as well. See https://www.microsoft.com/en-us/download/details.aspx?id=50402 .

Of course the TLS 1.2 needs to be enabled on the Windows Server 2016 as well for this to work, so if it has been manually disabled, you would need to re-enable it. Nartac Software’s IIS Crypto tool is a good GUI for this - just enable the client protocols you need with it and apply+reboot.

Cheers,
Timo
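
A read-only PowerShell check for the settings discussed in this thread, as an added example that is not part of any post above: it reports the SCHANNEL switches for TLS 1.0/1.1/1.2 in both the client and server roles, the .NET Framework TLS values, and the installed SQL ODBC drivers. The registry paths and value names are the standard SCHANNEL and .NET Framework ones; the helper name `Get-SchannelState` is made up for this example.

```powershell
# Added example (read-only): audit the TLS settings discussed in this thread.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Get-SchannelState is a helper name made up for this example.
function Get-SchannelState {
    param([string]$Protocol, [string]$Role)
    $p = Get-ItemProperty -Path (Join-Path $base "$Protocol\$Role") -ErrorAction SilentlyContinue
    # A missing key or value means the OS default applies for that protocol.
    $state = 'OS default (not set)'
    if ($null -ne $p -and $null -ne $p.Enabled) {
        $state = if ($p.Enabled -ne 0) { 'Enabled' } else { 'Disabled' }
    }
    [pscustomobject]@{
        Protocol          = $Protocol
        Role              = $Role
        State             = $state
        DisabledByDefault = if ($null -ne $p) { $p.DisabledByDefault } else { $null }
    }
}

$report = foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Client', 'Server') { Get-SchannelState $proto $role }
}
$report | Format-Table -AutoSize

# Legacy protocols switched on explicitly (the temporary workaround) should be tracked
# so they can be turned off again once every client negotiates TLS 1.2.
$report | Where-Object { $_.Protocol -ne 'TLS 1.2' -and $_.State -eq 'Enabled' } |
    ForEach-Object { Write-Warning "$($_.Protocol) $($_.Role) is explicitly enabled" }

# TLS 1.2 switched off explicitly would block the driver-update fix.
$report | Where-Object { $_.Protocol -eq 'TLS 1.2' -and $_.State -eq 'Disabled' } |
    ForEach-Object { Write-Warning "TLS 1.2 $($_.Role) is explicitly disabled" }

# .NET Framework values that make managed code use strong crypto / the OS TLS defaults.
$dotnet = foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
    $n = Get-ItemProperty -Path $net -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Key                      = $net
        SchUseStrongCrypto       = $n.SchUseStrongCrypto
        SystemDefaultTlsVersions = $n.SystemDefaultTlsVersions
    }
}
$dotnet | Format-List

# Installed SQL Server ODBC drivers, to confirm the updated driver is present.
Get-OdbcDriver | Where-Object Name -like '*SQL*' | Select-Object Name, Platform | Format-Table -AutoSize
```

Run it on both the Windows Server 2016 clients and the Windows Server 2022 SQL host, since the client role matters on the former and the server role on the latter.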