Sqlserver安全篇之_启用TLS即配置SQL Server 数据库引擎以加密连接

lusklusklusk2025-03-03 21:27

官方文档

https://learn.microsoft.com/zh-cn/sql/database-engine/configure-windows/configure-sql-server-encryption?view=sql-server-ver16

https://learn.microsoft.com/zh-cn/sql/database-engine/configure-windows/manage-certificates?view=sql-server-ver15\&preserve-view=true

TLS加密连接与TDE(Transparent data encryption)透明数据加密完全不一样,虽然TDE也要证书,但是TDE是针对数据库层面的也就是针对数据和日志文件,比如影响整个数据库的备份恢复、快照、删除、脱机、分离、转换READ ONLY 状态等,主要是DBA这种管理人员使用的。

TDE加密数据库步骤
1、创建证书certSSRSTEST

sql 复制代码 
create certificate certSSRSTEST with subject ='SSRSTEST database certificate data encription';

2、使用证书certSSRSTEST加密数据库SSRSTEST

sql 复制代码 
use SSRSTEST;
go
create database encryption key with algorithm = AES_128 encryption by server certificate certSSRSTEST
go
alter database SSRSTEST set encryption on
go

Sqlserver启用TLS加密连接的步骤
1、SQL Server配置为使用证书

每个版本的Sqlserver启动的时候都会生成一份self-signed certificate自签名证书,也可以使用powershell脚本建立一个自签名证书,也可以导入一个证书。再配置Sqlserver使用这些证书

在SQL Server 2019及更高版本中,证书管理已集成到SQL Server配置管理器中。这句话的理解是,从SQL Server 2019开始因为Sql Server Configuration Manager有了Import选项(Sql Server Configuration Manager-->SQL Server Network Configuration-->Right-click Protocols for MSSQLSERVER-->Properties-->Certificate-->Import),可以一次性导入证书并配置Sqlserver使用这些证书,而之前的版本没有这个Import选项,所以从SQL Server 2019开始我们不再需要像之前的sqlserver版本一样先通过certlm.msc或MMC把证书导入到操作系统再通过Sql Server Configuration Manager配置Sqlserver使用这些证书

SQL Server 2019之前的版本,需要2步,第一步导入证书,第二步配置Sqlserver使用这些证书

bash 复制代码 
certlm.msc-->Certificates-Local Computer-->Personal-->Certificates-->All Tasks-->Import
Sql Server Configuration Manager-->SQL Server Network Configuration-->Right-click Protocols for MSSQLSERVER-->Properties-->Certificate-->Certificate:-->dropdown list-->choose Certificate-->Apply

SQL Server 2019版本开始,一次性导入证书并配置Sqlserver使用这些证书

bash 复制代码 
Sql Server Configuration Manager-->SQL Server Network Configuration-->Right-click Protocols for MSSQLSERVER-->Properties-->Certificate-->Import


2、SQL Server配置强制加密

bash 复制代码 
Sql Server Configuration Manager-->SQL Server Network Configuration-->Right-click Protocols for MSSQLSERVER-->Properties-->Flags-->Force Encryption-->Yes

Sqlserver配置了强制加密后,客户端或在实例本机上使用SSMS连接该实例如果不勾选Trust server certificat这个选项的话会有报错:A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)

视图sys.dm_exec_connections的encrypt_option字段的值可以看到会话是否已经加密了

sql 复制代码 
select session_id,encrypt_option,connect_time,client_net_address,local_net_address,net_transport,protocol_type,endpoint_id,auth_scheme from sys.dm_exec_connections

Sqlserver启用TLS加密后,证书信息并没有在sys.certificates表中找到

因为每个版本的Sqlserver启动的时候都会生成一份self-signed certificate自签名证书,Sqlserver服务器启动后在错误日志里面会记录一条信息A self-generated certificate was successfully loaded for encryption,这样的话就算该Sqlserver没有使用其他证书只要该Sqlserver配置了强制加密,客户端比如SSMS连接到该Sqlserver时如果选择了Encrypt connection和Trust server certificate,那么连接的会话就会被加密。

SQL Server uses a certificate from a trusted certification authority if available for encrypting login packets. If a trusted certificate isn't installed, SQL Server generates a self-signed certificate (fallback certificate) during startup and use that self-signed certificate to encrypt the credentials. This self-signed certificate helps increase security, but it doesn't protect against identity spoofing by the server. If the self-signed certificate is used, and the value of the ForceEncryption option is set to Yes, all data transmitted across a network between SQL Server and the client application is encrypted using the self-signed certificate.

SQL Server 使用来自受信任的证书颁发机构(如果可用)的证书来加密登录数据包。 如果未安装受信任的证书,SQL Server 将在启动期间生成自签名证书(回退证书),并使用该自签名证书来加密凭据。 此自签名证书有助于提高安全性,但它不会防范通过服务器进行的身份欺骗。 如果使用了自签名证书,并且"ForceEncryption"选项的值设置为"是",将使用自签名证书对通过网络在 SQL Server 和客户端应用程序之间传输的所有数据进行加密。

--备注:以上那句话"但它不会防范通过服务器进行的身份欺骗",不是说在实例的本机上使用SSMS可以直接连接该实例,因为如果实例启用强制加密连接后,就算在该实例的本机上使用SSMS连接该实例如果不勾选Trust server certificate这个选项的话一样会有报错:A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)

创建self-signed certificate自签名证书的powershell脚本,以下脚本执行后,在certlm.msc或MMC或Sql Server Configuration Manager里面都能直接查看到,说明证书创建好了的话就代表导入到了操作系统中

bash 复制代码 
# Define parameters
$certificateParams = @{
    Type = "SSLServerAuthentication"
    Subject = "CN=$env:COMPUTERNAME"
    DnsName = @("$($env:COMPUTERNAME)", $([System.Net.Dns]::GetHostEntry('').HostName), 'localhost')
    KeyAlgorithm = "RSA"
    KeyLength = 2048
    HashAlgorithm = "SHA256"
    TextExtension = "2.5.29.37={text}1.3.6.1.5.5.7.3.1"
    NotAfter = (Get-Date).AddMonths(36)
    KeySpec = "KeyExchange"
    Provider = "Microsoft RSA SChannel Cryptographic Provider"
    CertStoreLocation = "cert:\LocalMachine\My"
}

# Call the cmdlet
New-SelfSignedCertificate @certificateParams

查看证书

certlm.msc-->Certificates-Local Computer-->Personal-->Certificates

Sql Server Configuration Manager-->SQL Server Network Configuration-->Right-click Protocols for MSSQLSERVER-->Properties-->Certificate-->Certificate:-->dropdown list

导出证书

certlm.msc-->Certificates-Local Computer-->Personal-->Certificates-->Right-click Certificatename-->All Tasks-->Export

导入证书

Sql Server Configuration Manager--SQL Server Network Configuration--Right-click Protocols for MSSQLSERVER--Properties--Certificate-->Import

certlm.msc-->Certificates-Local Computer-->Personal-->Certificates-->All Tasks-->Import

certlm.msc等同于MMC-->File-->Add/Remove Snap-in-->Certificates-->Add-->Computer account-->Next-->Finish-->OK

Sqlserver导入self-signed certificate自签名证书报错

Sql Server Configuration Manager-->SQL Server Network Configuration-->Right-click Protocols for MSSQLSERVER-->Properties-->Certificate-->Import

bash 复制代码 
Errors or Warnings for certificate:C:\Users\lukes\Desktop\privatekey.pfx
The selected certificate is a self signed certificate. Proceeding with this certificate isn't advised
Error:
	The selected certificate name does not match FQDN of this hostname. This property is required by SQL Server 
	Certificate name: DBTEST1 
	Computer name: DBTEST1.lukes.com

Sqlserver导入一个外部的域名的证书

Sql Server Configuration Manager-->SQL Server Network Configuration-->Right-click Protocols for MSSQLSERVER-->Properties-->Certificate-->Import,导入一个证书G:\Share\TLS\star.pan.com.pem的时候出现问题,本机的域名是daidbrestore1.dai.com,导入的的证书的dns是*.pan.com

bash 复制代码 
Errors or Warnings for certificate:G:\Share\TLS\star.pan.com.pem
-----------------------
Error:
	The selected certificate name does not match FQDN of this hostname. This property is required by SQL Server 
	Certificate name: *.pan.com 
	Computer name: daidb1.dai.com 
Error:
	The selected certificate  does not have the KeySpec Exchange property. This property is required by SQL Server to import a certificate. 
Import error: 0x2, Windows Native Error: 0x80092004
相关推荐
小张-森林人1 小时前
Oracle 字符串分割革命:正则表达式与 Lateral Join 的优雅解法
数据库·oracle·正则表达式
予安灵3 小时前
《白帽子讲 Web 安全:点击劫持》
前端·网络·安全·web安全·网络攻击模型·安全威胁分析·点击劫持
m0_748250933 小时前
SQL Server Management Studio的使用
数据库·oracle·性能优化
车载诊断技术3 小时前
人工智能AI在汽车设计领域的应用探索
数据库·人工智能·网络协议·架构·汽车·是诊断功能配置的核心
没有十八岁3 小时前
云创智城YunCharge 新能源二轮、四轮充电解决方案(云快充、万马爱充、中电联、OCPP1.6J等多个私有单车、汽车充电协议)之新能源充电行业系统说明书
java·数据库·spring·汽车
cdprinter4 小时前
信刻光盘安全隔离与信息交换系统让“数据摆渡”安全高效
网络·安全·自动化
爱搞技术的猫猫4 小时前
微店商品详情API接口实战指南:从零实现商品数据自动化获取
大数据·linux·运维·数据库·自动化
若云止水5 小时前
Ubuntu 下 nginx-1.24.0 源码分析 - ngx_init_cycle 函数 - 详解(1)
数据库·nginx·ubuntu
WannaRunning7 小时前
MySQL中的共享锁和排他锁
数据库·mysql
热门推荐
01DeepSeek各版本说明与优缺点分析02DeepSeek R1本地化部署 Ollama + Chatbox 打造最强 AI 工具03如何在WPS和Word/Excel中直接使用DeepSeek功能04从零安装 LLaMA-Factory 微调 Qwen 大模型成功及所有的坑05本地部署DeepSeek教程(Mac版本)06DeepSeek本地部署详细指南07【docker】Windows10安装Docker Desktop - WSL update failed08保姆级教程:利用Ollama与Open-WebUI本地部署 DeedSeek-R1大模型09DeepSeek r1本地安装全指南10Anaconda +Jupyter Notebook安装(2025最新版)