出于安全原因,我们在 Windows 上禁用了 TLS 1.0 和更旧的协议,并在以下注册表路径下仅启用了 TLS 1.1 和 TLS 1.2:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols 之后,SQL 服务获胜’ 开始时出现以下错误:
2015-02-13 17:35:10.12 spid13s The server could not load the certificate it needs to initiate an SSL connection. It returned the following error: 0x80090331. Check certificates to make sure they are valid. 2015-02-13 17:35:10.12 spid13s Error: 26014, Severity: 16, State: 1. 2015-02-13 17:35:10.12 spid13s Unable to load user-specified certificate [Cert Hash(sha1) "9B49E2FB65EE880F7C8818A90187F572566C9213"]. The server will not accept a connection. You should verify that the certificate is correctly installed. See "Configuring Certificate for Use by SSL" in Books Online. 2015-02-13 17:35:10.12 spid13s Error: 17182, Severity: 16, State: 1. 2015-02-13 17:35:10.12 spid13s TDSSNIClient initialization failed with error 0x80092004, status code 0x80. Reason: Unable to initialize SSL support. Cannot find object or property. 2015-02-13 17:35:10.12 spid13s Error: 17182, Severity: 16, State: 1. 2015-02-13 17:35:10.12 spid13s TDSSNIClient initialization failed with error 0x80092004, status code 0x1. Reason: Initialization failed with an infrastructure error. Check for previous errors. Cannot find object or property. 2015-02-13 17:35:10.12 spid13s Error: 17826, Severity: 18, State: 3. 2015-02-13 17:35:10.12 spid13s Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log. 2015-02-13 17:35:10.12 spid13s Error: 17120, Severity: 16, State: 1. 2015-02-13 17:35:10.12 spid13s SQL Server could not spawn FRunCommunicationsManager thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.
在事件管理器中,我们可以看到以下流程(增加了 Schannel 日志记录):
Info – Schannel – Creating an SSL client credential. Info – Schannel – Creating an SSL server credential. Error - Schannel - A fatal error occurred while creating an SSL client credential. The internal error state is 10013.
Schannel 错误详细说明:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" /> <EventID>36871</EventID> <Version>0</Version> <Level>2</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2015-02-16T15:22:16.166776400Z" /> <EventRecordID>5943102</EventRecordID> <Correlation /> <Execution ProcessID="712" ThreadID="772" /> <Channel>System</Channel> <Computer>(deleted)</Computer> <Security UserID="S-1-5-18" /> </System> <EventData> <Data Name="Type">server</Data> <Data Name="ErrorState">10013</Data> </EventData> </Event>
使用 WireShark,我们看不到任何客户端或服务器问候消息。似乎错误发生在 TLS 协商之前 - 可能是在解析服务器证书期间。
使用 ProccessMonitor,我们看到 sqlserver.exe 服务从注册表中读取证书,然后读取 CRL(无)、CTL(无),然后遵循第一条错误日志消息。以下是第一个日志错误之前来自 ProcMon 的最后几条日志:
12:22:09.8165314 PM sqlservr.exe 23256 RegCloseKey HKLM\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates SUCCESS 12:22:09.8165667 PM sqlservr.exe 23256 RegQueryKey HKLM\SOFTWARE\Microsoft\SystemCertificates\MY\CRLs SUCCESS Query: Cached, SubKeys: 0, Values: 0 12:22:09.8166280 PM sqlservr.exe 23256 RegQueryKey HKLM\SOFTWARE\Microsoft\SystemCertificates\MY\CTLs SUCCESS Query: Cached, SubKeys: 0, Values: 0 12:31:01.0048783 PM sqlservr.exe 9928 RegCloseKey HKLM\SOFTWARE\Microsoft\SystemCertificates\MY SUCCESS 12:22:09.8177144 PM sqlservr.exe 23256 WriteFile C:\Program Files\Microsoft SQL Server\MSSQL11.SQLSERVER2014\MSSQL\Log\ERRORLOG SUCCESS Offset: 7,530, Length: 422
我们还尝试使用 Verisign 的证书设置 SQL 服务器(30 天试用期)。我们已按照此处所述设置所有设置
而且我们也按照此处所示的答案进行操作(通过此处的参考获得)。
不幸的是,没有运气。仍然是同样的错误。
我们还尝试在 SQL 配置管理器中禁用“强制加密”,并从中删除了证书,但 SQL 服务器仍然尝试创建自签名证书,但失败并显示相同的错误代码 0x80090331。
我知道这里发布了一个类似的问题,但它是在不禁用 TLS 1.0 的情况下自行接受的:
请注意,使用相同的设置和相同的证书,启用 TLS 1.0 时,一切正常。当 TLS 1.0 被禁用时,它就会失败。因此,似乎 TLS 1.1+ 不喜欢我们证书中的某些内容,或者 SQL Server 不喜欢 TLS 1.1+。
我们不允许启用 TLS 1.0。任何帮助将非常感激。
仅启用 TLS 1.2 后,您可能会遇到两个错误:
此外,您必须更新连接到 SQL Server 的所有客户端上的 SNAC/OBDC 驱动程序。
