Sqlserver安全篇之_启用TLS即配置SQL Server 数据库引擎以加密连接

lusklusklusk2025-03-03 21:27

官方文档

https://learn.microsoft.com/zh-cn/sql/database-engine/configure-windows/configure-sql-server-encryption?view=sql-server-ver16

https://learn.microsoft.com/zh-cn/sql/database-engine/configure-windows/manage-certificates?view=sql-server-ver15\&preserve-view=true

TLS加密连接与TDE(Transparent data encryption)透明数据加密完全不一样,虽然TDE也要证书,但是TDE是针对数据库层面的也就是针对数据和日志文件,比如影响整个数据库的备份恢复、快照、删除、脱机、分离、转换READ ONLY 状态等,主要是DBA这种管理人员使用的。

TDE加密数据库步骤
1、创建证书certSSRSTEST

sql 复制代码 
create certificate certSSRSTEST with subject ='SSRSTEST database certificate data encription';

2、使用证书certSSRSTEST加密数据库SSRSTEST

sql 复制代码 
use SSRSTEST;
go
create database encryption key with algorithm = AES_128 encryption by server certificate certSSRSTEST
go
alter database SSRSTEST set encryption on
go

Sqlserver启用TLS加密连接的步骤
1、SQL Server配置为使用证书

每个版本的Sqlserver启动的时候都会生成一份self-signed certificate自签名证书,也可以使用powershell脚本建立一个自签名证书,也可以导入一个证书。再配置Sqlserver使用这些证书

在SQL Server 2019及更高版本中,证书管理已集成到SQL Server配置管理器中。这句话的理解是,从SQL Server 2019开始因为Sql Server Configuration Manager有了Import选项(Sql Server Configuration Manager-->SQL Server Network Configuration-->Right-click Protocols for MSSQLSERVER-->Properties-->Certificate-->Import),可以一次性导入证书并配置Sqlserver使用这些证书,而之前的版本没有这个Import选项,所以从SQL Server 2019开始我们不再需要像之前的sqlserver版本一样先通过certlm.msc或MMC把证书导入到操作系统再通过Sql Server Configuration Manager配置Sqlserver使用这些证书

SQL Server 2019之前的版本,需要2步,第一步导入证书,第二步配置Sqlserver使用这些证书

bash 复制代码 
certlm.msc-->Certificates-Local Computer-->Personal-->Certificates-->All Tasks-->Import
Sql Server Configuration Manager-->SQL Server Network Configuration-->Right-click Protocols for MSSQLSERVER-->Properties-->Certificate-->Certificate:-->dropdown list-->choose Certificate-->Apply

SQL Server 2019版本开始,一次性导入证书并配置Sqlserver使用这些证书

bash 复制代码 
Sql Server Configuration Manager-->SQL Server Network Configuration-->Right-click Protocols for MSSQLSERVER-->Properties-->Certificate-->Import


2、SQL Server配置强制加密

bash 复制代码 
Sql Server Configuration Manager-->SQL Server Network Configuration-->Right-click Protocols for MSSQLSERVER-->Properties-->Flags-->Force Encryption-->Yes

Sqlserver配置了强制加密后,客户端或在实例本机上使用SSMS连接该实例如果不勾选Trust server certificat这个选项的话会有报错:A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)

视图sys.dm_exec_connections的encrypt_option字段的值可以看到会话是否已经加密了

sql 复制代码 
select session_id,encrypt_option,connect_time,client_net_address,local_net_address,net_transport,protocol_type,endpoint_id,auth_scheme from sys.dm_exec_connections

Sqlserver启用TLS加密后,证书信息并没有在sys.certificates表中找到

因为每个版本的Sqlserver启动的时候都会生成一份self-signed certificate自签名证书,Sqlserver服务器启动后在错误日志里面会记录一条信息A self-generated certificate was successfully loaded for encryption,这样的话就算该Sqlserver没有使用其他证书只要该Sqlserver配置了强制加密,客户端比如SSMS连接到该Sqlserver时如果选择了Encrypt connection和Trust server certificate,那么连接的会话就会被加密。

SQL Server uses a certificate from a trusted certification authority if available for encrypting login packets. If a trusted certificate isn't installed, SQL Server generates a self-signed certificate (fallback certificate) during startup and use that self-signed certificate to encrypt the credentials. This self-signed certificate helps increase security, but it doesn't protect against identity spoofing by the server. If the self-signed certificate is used, and the value of the ForceEncryption option is set to Yes, all data transmitted across a network between SQL Server and the client application is encrypted using the self-signed certificate.

SQL Server 使用来自受信任的证书颁发机构(如果可用)的证书来加密登录数据包。 如果未安装受信任的证书,SQL Server 将在启动期间生成自签名证书(回退证书),并使用该自签名证书来加密凭据。 此自签名证书有助于提高安全性,但它不会防范通过服务器进行的身份欺骗。 如果使用了自签名证书,并且"ForceEncryption"选项的值设置为"是",将使用自签名证书对通过网络在 SQL Server 和客户端应用程序之间传输的所有数据进行加密。

--备注:以上那句话"但它不会防范通过服务器进行的身份欺骗",不是说在实例的本机上使用SSMS可以直接连接该实例,因为如果实例启用强制加密连接后,就算在该实例的本机上使用SSMS连接该实例如果不勾选Trust server certificate这个选项的话一样会有报错:A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)

创建self-signed certificate自签名证书的powershell脚本,以下脚本执行后,在certlm.msc或MMC或Sql Server Configuration Manager里面都能直接查看到,说明证书创建好了的话就代表导入到了操作系统中

bash 复制代码 
# Define parameters
$certificateParams = @{
    Type = "SSLServerAuthentication"
    Subject = "CN=$env:COMPUTERNAME"
    DnsName = @("$($env:COMPUTERNAME)", $([System.Net.Dns]::GetHostEntry('').HostName), 'localhost')
    KeyAlgorithm = "RSA"
    KeyLength = 2048
    HashAlgorithm = "SHA256"
    TextExtension = "2.5.29.37={text}1.3.6.1.5.5.7.3.1"
    NotAfter = (Get-Date).AddMonths(36)
    KeySpec = "KeyExchange"
    Provider = "Microsoft RSA SChannel Cryptographic Provider"
    CertStoreLocation = "cert:\LocalMachine\My"
}

# Call the cmdlet
New-SelfSignedCertificate @certificateParams

查看证书

certlm.msc-->Certificates-Local Computer-->Personal-->Certificates

Sql Server Configuration Manager-->SQL Server Network Configuration-->Right-click Protocols for MSSQLSERVER-->Properties-->Certificate-->Certificate:-->dropdown list

导出证书

certlm.msc-->Certificates-Local Computer-->Personal-->Certificates-->Right-click Certificatename-->All Tasks-->Export

导入证书

Sql Server Configuration Manager--SQL Server Network Configuration--Right-click Protocols for MSSQLSERVER--Properties--Certificate-->Import

certlm.msc-->Certificates-Local Computer-->Personal-->Certificates-->All Tasks-->Import

certlm.msc等同于MMC-->File-->Add/Remove Snap-in-->Certificates-->Add-->Computer account-->Next-->Finish-->OK

Sqlserver导入self-signed certificate自签名证书报错

Sql Server Configuration Manager-->SQL Server Network Configuration-->Right-click Protocols for MSSQLSERVER-->Properties-->Certificate-->Import

bash 复制代码 
Errors or Warnings for certificate:C:\Users\lukes\Desktop\privatekey.pfx
The selected certificate is a self signed certificate. Proceeding with this certificate isn't advised
Error:
	The selected certificate name does not match FQDN of this hostname. This property is required by SQL Server 
	Certificate name: DBTEST1 
	Computer name: DBTEST1.lukes.com

Sqlserver导入一个外部的域名的证书

Sql Server Configuration Manager-->SQL Server Network Configuration-->Right-click Protocols for MSSQLSERVER-->Properties-->Certificate-->Import,导入一个证书G:\Share\TLS\star.pan.com.pem的时候出现问题,本机的域名是daidbrestore1.dai.com,导入的的证书的dns是*.pan.com

bash 复制代码 
Errors or Warnings for certificate:G:\Share\TLS\star.pan.com.pem
-----------------------
Error:
	The selected certificate name does not match FQDN of this hostname. This property is required by SQL Server 
	Certificate name: *.pan.com 
	Computer name: daidb1.dai.com 
Error:
	The selected certificate  does not have the KeySpec Exchange property. This property is required by SQL Server to import a certificate. 
Import error: 0x2, Windows Native Error: 0x80092004
相关推荐
王有品14 分钟前
Spring MVC 多个拦截器的执行顺序
数据库·spring·mvc
极小狐39 分钟前
如何使用极狐GitLab 的外部状态检查功能?
数据库·ci/cd·gitlab·devops·mcp
Leo.yuan1 小时前
数据仓库建设全解析!
大数据·数据库·数据仓库·数据分析·spark
神经毒素1 小时前
WEB安全--社会工程--SET钓鱼网站
安全·web安全
闪电麦坤951 小时前
SQL:子查询(subqueries)
数据库·sql
活跃的煤矿打工人1 小时前
【星海出品】分布式存储数据库etcd
数据库·分布式·etcd
文牧之1 小时前
PostgreSQL的扩展 pgcrypto
运维·数据库·postgresql
老友@3 小时前
小集合 VS 大集合:MySQL 去重计数性能优化
数据库·mysql·性能优化
声声codeGrandMaster3 小时前
django之优化分页功能(利用参数共存及封装来实现)
数据库·后端·python·django
熏鱼的小迷弟Liu4 小时前
【Redis】Redis Zset实现原理:跳表+哈希表的精妙设计
数据库·redis·散列表
热门推荐
01西电B测-计算机网络综合实验(含验收问题)02KGG转MP3工具|非KGM文件|解密音频03从零安装 LLaMA-Factory 微调 Qwen 大模型成功及所有的坑04Coze扣子平台完整体验和实践(附国内和国际版对比)05YOLOv8入门 | 重要性能衡量指标、训练结果评价及分析及影响mAP的因素【发论文关注的指标】06DeepSeek各版本说明与优缺点分析07yolov10来了!用yolov10训练自己的数据集(原理、训练、部署、应用)08yolov8,yolo11,yolo12 服务器训练到部署全流程 笔记09我决定放弃搞 Java 了10最新 Kubernetes 集群部署 + flannel 网络插件(保姆级教程,最新 K8S 版本)