Drop Table
I did not get any useful response the last time I posted this, so now I'm posting a more detailed version of the question.

We are having difficulty getting client-requested SSL encryption to work with SQL Server 2000 Enterprise SP4.

Using "Force All Clients to Use SSL" is not an option for us. We need to be able to have certain clients (extranet) use encryption without forcing other clients (intranet) to also use encryption. Hence, we need to know how to make "Force Protocol Encryption" work from the Client Network Utility with SQL Query Analyzer.

Ultimately, our goal is to enable encryption in certain connection requests from custom client applications we are writing. However, we will be happy for now if we can at least get it working from a standard MS tool as described in the SQL Server documentation and KB articles.

Has anyone else managed to make client-requested encryption work without using a commercial CA? For that matter, has anyone succeeded in making it work *with* a commercial CA?

When I connect using SQL Query Analyzer without Force Protocol Encryption in the Client Network Utility, everything works fine. When I select Force Protocol Encryption, then I get the following error:

====
unable to connect to server
server: msg 18, level 16, state 1
[microsoft][ODBC SQL Server Driver][DBNETLIB]SSL Security error
====

The server is running Windows Server 2003 Enterprise SP1. As mentioned earlier, MSSQLSERVER version is SQL Server 2000 Enterprise SP4.

The Server Authentication certificate is installed correctly on the SQL Server 2000 machine. It was generated by Microsoft Certificate Services configured as a stand-alone root CA. The certificate chain is OK according to MMC snap-in and works fine with no warnings for HTTPS connections to IIS, so I don't see how the certificate could be malformed. There definitely is only one certificate installed on the server (at least according to the MMC snap-in for Certificates). The Root CA chain is installed on the client and is OK according to MMC. This seems to be validated by the fact that IE doesn't give any warnings when making an HTTPS connection to the server (i.e., it recognizes the certificate chain as a trusted source).

I've read every KB article I can find on the subject, followed all the instructions with meticulous care, and reinstalled everything from scratch twice already (including the CA, thus generating a new root certificate and new server authentication certificate). The client still fails to connect whenever I force client encryption (it's not feasible for us to set force encryption on the server).

I've even tried creating various aliases for the server in the Client Network Utility, as suggested in one KB article, but that doesn't seem to help either.

Perhaps I'm overlooking something really obvious, but I'm seriously beginning to doubt whether SQL Server really supports client-initiated SSL connections at all. Has anyone else gotten this to work? If so, what was the trick to making it work?

Any suggestions would be greatly appreciated.
Hello Aubrey,

I don't think you need a commercial certificate to do this. If you want to enable Force Protocol Encryption on the client, you must have a certificate on the server and the client must have the Trusted Root Authority updated to trust the server certificate. You can install your own CA and get a certificate from it on the server, and install the root CA certificate on the client.

You may have reviewed the following articles but the steps to enable SSL from client are verified to work properly.

316898 How to enable SSL encryption for SQL Server 2000 with Microsoft
http://support.microsoft.com/?id=316898

316779 PRB: Clients with Force Protocol Encryption Set On May Fail to Connect
http://support.microsoft.com/?id=316779

276553 How to enable SSL encryption for SQL Server 2000 with Certificate Server
http://support.microsoft.com/?id=276553

Also, to make sure the certificate installed on the SQL server is correct, we suggest that you enable "Force Protocol Encryption" temporarily and disable "Force Protocol Encryption" on client to test the situation. If it works under this situation, the server certificate itself has no issues.

Note: EVEN IF YOU ARE ENABLING FORCE PROTOCOL ENCRYPTION ON THE CLIENT SIDE ONLY, YOU STILL NEED TO RESTART SQL SERVER FOR THE CERTIFICATE TO BECOME EFFECTIVE AND USED BY SQL SERVER.

If "Force Protocol Encryption" on server does not work, please check the certificate property to make sure it is for FQDN for the SQL server.

839617 BUG: You cannot connect to an instance of SQL Server on a server
http://support.microsoft.com/?id=839617

You may want to check if the issue occurs on different client computers to isolate the issue.

Best Regards,

Peter Yang
MCSE2000/2003, MCSA, MCDBA
Microsoft Online Partner Support

When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: "Aubrey McAuley" <winaix@nospam.nospam>
| Subject: client-requested SSL encryption errors
| Date: Wed, 27 Jul 2005 16:10:49 -0500
| Newsgroups: microsoft.public.sqlserver.server
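
Added example, not part of either post and not Microsoft's own tooling: a server-side check of the certificate properties the reply points at (issued to the server's FQDN, usable for Server Authentication), plus private key and validity dates. It assumes PowerShell is available on the SQL Server host and that the certificate sits in the local computer's Personal store; both are assumptions, as is the function name `Test-SqlServerCertificate`.

```powershell
# Added example: run on the SQL Server host. The store path and the helper
# name are assumptions; the checks follow the points raised in the reply.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$now  = Get-Date

function Test-SqlServerCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$ExpectedName
    )
    # Subject common name, which is what has to equal the server's FQDN.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $Cert.GetNameInfo($nameType, $false)

    # Collect EKU OIDs. A certificate with no EKU extension is not
    # restricted to specific purposes, so it passes this check.
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekus = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages } |
              ForEach-Object { $_.Value })

    New-Object PSObject -Property @{
        Thumbprint      = $Cert.Thumbprint
        SubjectCN       = $cn
        NameMatchesFqdn = ($cn -ieq $ExpectedName)
        ServerAuthEku   = (-not $ekuExt) -or ($ekus -contains $ServerAuthOid)
        HasPrivateKey   = $Cert.HasPrivateKey
        InValidity      = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -ge $now)
    }
}

# Report on every certificate in the machine's Personal store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-SqlServerCertificate -Cert $_ -ExpectedName $fqdn } |
    Format-Table SubjectCN, NameMatchesFqdn, ServerAuthEku, HasPrivateKey, InValidity -AutoSize
```

Any `False` column identifies a server-side property to fix before restarting SQL Server as the reply instructs. The client-side requirement (root CA certificate in the client's trusted root store) has to be checked separately on the client machine.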