Documentation
Official documentation
https://docs.microsoft.com/zh-cn/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine?view=sql-server-ver15
Recommended reading; it shows how to test whether encryption is actually in effect:
http://mysql.taobao.org/monthly/2019/04/02/
Packet capture tool (Microsoft Network Monitor 3.4):
https://download.microsoft.com/download/7/1/0/7105C7FF-768E-4472-AFD5-F29108D1E383/NM34_x64.exe
Additional notes
Connections are also encrypted in the following cases:
- "Force Encryption" is turned on.
- When a certificate is installed on the server and TLS encryption has been enabled through the registry, the packet capture tool cannot see the data. In other words, once encryption is enabled at the server level, communication between SQL Server and any client is encrypted.
Original text from the official documentation:
TLS can be used for server validation when a client connection requests encryption. If the instance of SQL Server is running on a computer that has been assigned a certificate from a public certification authority, identity of the computer and the instance of SQL Server is vouched for by the chain of certificates that lead to the trusted root authority. Such server validation requires that the computer on which the client application is running be configured to trust the root authority of the certificate that is used by the server.
However, when no CA-issued certificate is in use and the client only specifies Encrypt=True, the following error is reported:
https://docs.microsoft.com/en-us/troubleshoot/sql/connect/error-message-when-you-connect
A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - 證書鏈是由不受信任的頒發機構頒發的。) (.Net SqlClient Data Provider)
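As an added example (not from the original page), the following PowerShell check connects with Encrypt=True and reads the session's encrypt_option from sys.dm_exec_connections, so encryption can be confirmed without a packet capture. The server name is an assumption; -TrustServerCertificate is only for a lab where the self-signed certificate has not yet been imported into the client's trusted roots, since it disables the chain validation whose failure produces the error above.

```powershell
# Added example: verify whether a SQL Server session is actually encrypted.
# Assumes Windows PowerShell 5.1 (System.Data.SqlClient from .NET Framework)
# and Windows authentication to the target instance.
param(
    [string]$Server = 'sqlhost.example.local',   # assumed FQDN; must match the certificate
    [switch]$TrustServerCertificate               # lab use only: skips chain validation
)

function Test-SqlConnectionEncryption {
    param([string]$ServerName, [bool]$TrustCert)

    $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $builder.DataSource             = $ServerName
    $builder.IntegratedSecurity     = $true
    $builder.Encrypt                = $true       # request TLS, i.e. Encrypt=True
    $builder.TrustServerCertificate = $TrustCert  # $false keeps certificate chain validation on

    $conn = New-Object System.Data.SqlClient.SqlConnection $builder.ConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # Reading this DMV may require VIEW SERVER STATE on the instance.
        $cmd.CommandText = @"
SELECT encrypt_option, auth_scheme, net_transport
FROM sys.dm_exec_connections WHERE session_id = @@SPID
"@
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            [pscustomobject]@{
                Server        = $ServerName
                EncryptOption = $reader['encrypt_option']   # 'TRUE' when the session is encrypted
                AuthScheme    = $reader['auth_scheme']
                Transport     = $reader['net_transport']
            }
        }
        $reader.Close()
    }
    catch [System.Data.SqlClient.SqlException] {
        # An "SSL Provider, error: 0" message with an untrusted chain is the case described above.
        Write-Warning "Connection failed: $($_.Exception.Message)"
    }
    finally { $conn.Dispose() }
}

$result = Test-SqlConnectionEncryption -ServerName $Server -TrustCert $TrustServerCertificate.IsPresent
if ($result) {
    $result | Format-List
    if ($result.EncryptOption -ne 'TRUE') { Write-Warning 'Session is NOT encrypted.' }
}
```

Run it once without -TrustServerCertificate after importing the server certificate into the client's Trusted Root store; a clean connection with EncryptOption = TRUE confirms both encryption and server validation.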
Creating a self-signed certificate
A self-signed certificate can also be used:
<#
.DESCRIPTION
Create a self-signed certificate for the given FQDN and export it as a PFX file.
.EXAMPLE
.\New-selfSignedCertificate.ps1 -FQDN sqlhost.example.local
.NOTES
The certificate is created in the LocalMachine\My store (visible in certmgr / certlm).
#>
param(
    [string]$FQDN,
    [string]$CertPath = "C:\temp",   # Directory the .pfx file is exported to
    # Password protecting the exported PFX; prompted for when not supplied,
    # so it does not have to be hard-coded in the script.
    [SecureString]$PfxPassword = (Read-Host -AsSecureString -Prompt 'PFX export password')
)

Write-Host "Target server FQDN: $FQDN" -ForegroundColor Green -BackgroundColor Black
if ([string]::IsNullOrEmpty($FQDN)) {
    Write-Error 'You need to specify the FQDN parameter. Run this command to get the FQDN of the target server: [System.Net.Dns]::GetHostByName($env:computerName)' -ErrorAction Stop
}

$FriendlyName = "$FQDN Self Signed Cert By KiGiBoy"
$Subject      = "Self Signed Cert By KiGiBoy"

# Keep the certificate object returned by New-SelfSignedCertificate instead of
# searching the store by FriendlyName afterwards; this avoids picking up an
# older certificate with the same friendly name when the script is re-run.
$cert = New-SelfSignedCertificate -DnsName $FQDN -CertStoreLocation cert:\LocalMachine\My `
            -FriendlyName $FriendlyName -KeySpec KeyExchange -Subject $Subject `
            -NotAfter (Get-Date).AddYears(199)

$path = Join-Path -Path $CertPath -ChildPath "$FriendlyName.pfx"
if (-not (Test-Path -Path $CertPath)) {
    New-Item -ItemType Directory -Path $CertPath | Out-Null
}
# Export the certificate together with its private key, protected by the PFX password.
Export-PfxCertificate -Cert $cert -FilePath $path -Password $PfxPassword | Out-Null

Write-Host "Exported Certificate Location: $path" -ForegroundColor Green -BackgroundColor Black