Sqlserver安全篇之_启用TLS即配置SQL Server 数据库引擎以加密连接

lusklusklusk2025-03-03 21:27

官方文档

https://learn.microsoft.com/zh-cn/sql/database-engine/configure-windows/configure-sql-server-encryption?view=sql-server-ver16

https://learn.microsoft.com/zh-cn/sql/database-engine/configure-windows/manage-certificates?view=sql-server-ver15\&preserve-view=true

TLS加密连接与TDE(Transparent data encryption)透明数据加密完全不一样,虽然TDE也要证书,但是TDE是针对数据库层面的也就是针对数据和日志文件,比如影响整个数据库的备份恢复、快照、删除、脱机、分离、转换READ ONLY 状态等,主要是DBA这种管理人员使用的。

TDE加密数据库步骤
1、创建证书certSSRSTEST

sql 复制代码 
create certificate certSSRSTEST with subject ='SSRSTEST database certificate data encription';

2、使用证书certSSRSTEST加密数据库SSRSTEST

sql 复制代码 
use SSRSTEST;
go
create database encryption key with algorithm = AES_128 encryption by server certificate certSSRSTEST
go
alter database SSRSTEST set encryption on
go

Sqlserver启用TLS加密连接的步骤
1、SQL Server配置为使用证书

每个版本的Sqlserver启动的时候都会生成一份self-signed certificate自签名证书,也可以使用powershell脚本建立一个自签名证书,也可以导入一个证书。再配置Sqlserver使用这些证书

在SQL Server 2019及更高版本中,证书管理已集成到SQL Server配置管理器中。这句话的理解是,从SQL Server 2019开始因为Sql Server Configuration Manager有了Import选项(Sql Server Configuration Manager-->SQL Server Network Configuration-->Right-click Protocols for MSSQLSERVER-->Properties-->Certificate-->Import),可以一次性导入证书并配置Sqlserver使用这些证书,而之前的版本没有这个Import选项,所以从SQL Server 2019开始我们不再需要像之前的sqlserver版本一样先通过certlm.msc或MMC把证书导入到操作系统再通过Sql Server Configuration Manager配置Sqlserver使用这些证书

SQL Server 2019之前的版本,需要2步,第一步导入证书,第二步配置Sqlserver使用这些证书

bash 复制代码 
certlm.msc-->Certificates-Local Computer-->Personal-->Certificates-->All Tasks-->Import
Sql Server Configuration Manager-->SQL Server Network Configuration-->Right-click Protocols for MSSQLSERVER-->Properties-->Certificate-->Certificate:-->dropdown list-->choose Certificate-->Apply

SQL Server 2019版本开始,一次性导入证书并配置Sqlserver使用这些证书

bash 复制代码 
Sql Server Configuration Manager-->SQL Server Network Configuration-->Right-click Protocols for MSSQLSERVER-->Properties-->Certificate-->Import


2、SQL Server配置强制加密

bash 复制代码 
Sql Server Configuration Manager-->SQL Server Network Configuration-->Right-click Protocols for MSSQLSERVER-->Properties-->Flags-->Force Encryption-->Yes

Sqlserver配置了强制加密后,客户端或在实例本机上使用SSMS连接该实例如果不勾选Trust server certificat这个选项的话会有报错:A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)

视图sys.dm_exec_connections的encrypt_option字段的值可以看到会话是否已经加密了

sql 复制代码 
select session_id,encrypt_option,connect_time,client_net_address,local_net_address,net_transport,protocol_type,endpoint_id,auth_scheme from sys.dm_exec_connections

Sqlserver启用TLS加密后,证书信息并没有在sys.certificates表中找到

因为每个版本的Sqlserver启动的时候都会生成一份self-signed certificate自签名证书,Sqlserver服务器启动后在错误日志里面会记录一条信息A self-generated certificate was successfully loaded for encryption,这样的话就算该Sqlserver没有使用其他证书只要该Sqlserver配置了强制加密,客户端比如SSMS连接到该Sqlserver时如果选择了Encrypt connection和Trust server certificate,那么连接的会话就会被加密。

SQL Server uses a certificate from a trusted certification authority if available for encrypting login packets. If a trusted certificate isn't installed, SQL Server generates a self-signed certificate (fallback certificate) during startup and use that self-signed certificate to encrypt the credentials. This self-signed certificate helps increase security, but it doesn't protect against identity spoofing by the server. If the self-signed certificate is used, and the value of the ForceEncryption option is set to Yes, all data transmitted across a network between SQL Server and the client application is encrypted using the self-signed certificate.

SQL Server 使用来自受信任的证书颁发机构(如果可用)的证书来加密登录数据包。 如果未安装受信任的证书,SQL Server 将在启动期间生成自签名证书(回退证书),并使用该自签名证书来加密凭据。 此自签名证书有助于提高安全性,但它不会防范通过服务器进行的身份欺骗。 如果使用了自签名证书,并且"ForceEncryption"选项的值设置为"是",将使用自签名证书对通过网络在 SQL Server 和客户端应用程序之间传输的所有数据进行加密。

--备注:以上那句话"但它不会防范通过服务器进行的身份欺骗",不是说在实例的本机上使用SSMS可以直接连接该实例,因为如果实例启用强制加密连接后,就算在该实例的本机上使用SSMS连接该实例如果不勾选Trust server certificate这个选项的话一样会有报错:A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)

创建self-signed certificate自签名证书的powershell脚本,以下脚本执行后,在certlm.msc或MMC或Sql Server Configuration Manager里面都能直接查看到,说明证书创建好了的话就代表导入到了操作系统中

bash 复制代码 
# Define parameters
$certificateParams = @{
    Type = "SSLServerAuthentication"
    Subject = "CN=$env:COMPUTERNAME"
    DnsName = @("$($env:COMPUTERNAME)", $([System.Net.Dns]::GetHostEntry('').HostName), 'localhost')
    KeyAlgorithm = "RSA"
    KeyLength = 2048
    HashAlgorithm = "SHA256"
    TextExtension = "2.5.29.37={text}1.3.6.1.5.5.7.3.1"
    NotAfter = (Get-Date).AddMonths(36)
    KeySpec = "KeyExchange"
    Provider = "Microsoft RSA SChannel Cryptographic Provider"
    CertStoreLocation = "cert:\LocalMachine\My"
}

# Call the cmdlet
New-SelfSignedCertificate @certificateParams

查看证书

certlm.msc-->Certificates-Local Computer-->Personal-->Certificates

Sql Server Configuration Manager-->SQL Server Network Configuration-->Right-click Protocols for MSSQLSERVER-->Properties-->Certificate-->Certificate:-->dropdown list

导出证书

certlm.msc-->Certificates-Local Computer-->Personal-->Certificates-->Right-click Certificatename-->All Tasks-->Export

导入证书

Sql Server Configuration Manager--SQL Server Network Configuration--Right-click Protocols for MSSQLSERVER--Properties--Certificate-->Import

certlm.msc-->Certificates-Local Computer-->Personal-->Certificates-->All Tasks-->Import

certlm.msc等同于MMC-->File-->Add/Remove Snap-in-->Certificates-->Add-->Computer account-->Next-->Finish-->OK

Sqlserver导入self-signed certificate自签名证书报错

Sql Server Configuration Manager-->SQL Server Network Configuration-->Right-click Protocols for MSSQLSERVER-->Properties-->Certificate-->Import

bash 复制代码 
Errors or Warnings for certificate:C:\Users\lukes\Desktop\privatekey.pfx
The selected certificate is a self signed certificate. Proceeding with this certificate isn't advised
Error:
	The selected certificate name does not match FQDN of this hostname. This property is required by SQL Server 
	Certificate name: DBTEST1 
	Computer name: DBTEST1.lukes.com

Sqlserver导入一个外部的域名的证书

Sql Server Configuration Manager-->SQL Server Network Configuration-->Right-click Protocols for MSSQLSERVER-->Properties-->Certificate-->Import,导入一个证书G:\Share\TLS\star.pan.com.pem的时候出现问题,本机的域名是daidbrestore1.dai.com,导入的的证书的dns是*.pan.com

bash 复制代码 
Errors or Warnings for certificate:G:\Share\TLS\star.pan.com.pem
-----------------------
Error:
	The selected certificate name does not match FQDN of this hostname. This property is required by SQL Server 
	Certificate name: *.pan.com 
	Computer name: daidb1.dai.com 
Error:
	The selected certificate  does not have the KeySpec Exchange property. This property is required by SQL Server to import a certificate. 
Import error: 0x2, Windows Native Error: 0x80092004
相关推荐
zhu128930355621 分钟前
网络安全防护与挑战
网络·安全·web安全
搬码红绿灯1 小时前
数据库——MySQL数字函数和子查询
数据库·mysql
侧耳倾听1111 小时前
使用内存数据库来为mapper层的接口编写单元测试
数据库·单元测试
ifanatic1 小时前
[每周一更]-(第138期):MySQL 子查询详解:原理、应用及优化方案
数据库·mysql
TDengine (老段)2 小时前
TDengine 中的日志系统
java·大数据·数据库·物联网·时序数据库·tdengine·iotdb
神经毒素2 小时前
WEB安全--文件上传漏洞--36C3 CTF includer bypass
linux·安全·web安全
DPLSLAB62 小时前
数字孪生重构安全边界:无人机 “虚拟孪生体“ 的预演革命 —— 北京智慧云测构建全要素仿真体系
安全·重构·无人机
kfepiza2 小时前
Debian编译安装mysql8.0.41源码包 笔记250401
数据库·笔记·mysql·debian·database
tjfsuxyy2 小时前
SqlServer整库迁移至Oracle
数据库·oracle·sqlserver
热门推荐
01我决定放弃搞 Java 了02DeepSeek各版本说明与优缺点分析03如何在WPS和Word/Excel中直接使用DeepSeek功能04汽车上的各种质量:整备质量、总质量、装载质量、簧上质量、簧下质量05RAG 实践- Ollama+RagFlow 部署本地知识库06从零安装 LLaMA-Factory 微调 Qwen 大模型成功及所有的坑07唐刘:关于产品质量的思考 - 如何评估质量08本地化部署AI知识库:基于Ollama+DeepSeek+AnythingLLM保姆级教程09DeepSeek RAGFlow构建本地知识库系统10SpringAI整合Ollama集成DeepSeek