mssql-jdbc-14.4.2.jre8 TLSv1.3 #2313

Closed
ovidiugugila opened this issue Jan 31, 2024 · 4 comments
Labels
Question Used when a question is asked, as opposed to an issue being raised

Comments

@ovidiugugila

Hi, everyone,

I have the following scenario.

I recently had a scenario in my app where it is required to use TLSv1.3 in my client-server communication.
I use SQL Management Studio 2022 in order to use TLSv1.3, and as the client I use a Java client. My problem is the following:

When I build the connection URL in order to communicate with the database, even if I set the protocol to TLSv1.3, in my ClientHello I can see that both versions of TLS are supported, TLSv1.2 and also TLSv1.3.

I already set sslProtocol=TLSv1.3;encrypt=strict;trustServerCertificate=false; in my connection URL.

Is there any way to force the client side to use TLSv1.3 only?
[Attached screenshots: connUrlFlags, gitSupportedVersion]

@AlBundy33

You can try to start your application with -Djdk.tls.client.protocols="TLSv1.3"

@ovidiugugila
Author

Your fix is valid, I tried it... but I want to know if there is a similar fix at the mssql-jdbc driver level.

@Jeffery-Wasty
Contributor

Jeffery-Wasty commented Feb 1, 2024

Hi @ovidiugugila,

This depends on the JDK you're using. If you are using SAP JVM, for example, then setting to TLSv1.3 will include TLSv1.2 and below (we can't change this). This behavior can be seen on our wiki page here.

If the correct behavior is not happening with sslProtocol=TLSv1.3 and encrypt=strict, there is nothing else we can do from the driver side. The only workaround is similar to what @AlBundy33 suggested above, which involves modifying the JDK. An alternative would be adding the unwanted TLS versions to the list of disabled algorithms in the JVM config, like so:

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \
    MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    ECDH

@Jeffery-Wasty Jeffery-Wasty added the Question Used when a question is asked, as opposed to an issue being raised label Feb 1, 2024
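
The JVM-level workaround discussed above can be checked without a packet capture. The following is an added example, not code from the thread or from the mssql-jdbc project: it appends the unwanted versions to jdk.tls.disabledAlgorithms at startup and then asks the JDK which versions a client would offer. The class name, the UNWANTED list and the "baseline" argument are assumptions, as is a JDK that provides a "TLSv1.3" SSLContext.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

public class Tls13OnlyCheck {
    // Assumption: every version below TLSv1.3 is unwanted for this client.
    private static final List<String> UNWANTED =
            Arrays.asList("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");

    /** Appends missing protocol names to jdk.tls.disabledAlgorithms.
     *  Must run before the first TLS class is used: SunJSSE caches the value. */
    static String disableOldProtocols() {
        String current = Security.getProperty("jdk.tls.disabledAlgorithms");
        List<String> entries = new ArrayList<>();
        if (current != null) {
            for (String e : current.split(",")) {
                if (!e.trim().isEmpty()) entries.add(e.trim());
            }
        }
        for (String proto : UNWANTED) {
            if (!entries.contains(proto)) entries.add(proto);
        }
        String updated = String.join(", ", entries);
        Security.setProperty("jdk.tls.disabledAlgorithms", updated);
        return updated;
    }

    /** Protocol versions a client socket from this context enables by default,
     *  i.e. the versions it would list in its ClientHello. */
    static String[] offeredProtocols(String contextName) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null); // default key/trust managers; no connection is made
        return ctx.getDefaultSSLParameters().getProtocols();
    }

    public static void main(String[] args) throws Exception {
        // Run with the argument "baseline" to see the JVM's unmodified behaviour.
        boolean harden = args.length == 0 || !"baseline".equals(args[0]);
        if (harden) {
            System.out.println("jdk.tls.disabledAlgorithms = " + disableOldProtocols());
        }
        String[] offered = offeredProtocols("TLSv1.3");
        System.out.println("client would offer: " + Arrays.toString(offered));
        if (harden && !Arrays.equals(offered, new String[] {"TLSv1.3"})) {
            throw new IllegalStateException("a version below TLSv1.3 is still enabled");
        }
    }
}
```

The security property applies to every TLS connection made by that JVM, not only the JDBC connection, so other outbound clients in the same process lose TLSv1.2 as well.
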
@Jeffery-Wasty
Contributor

Hi @ovidiugugila,

Does this resolve your issue? Let us know if you require further information or assistance. Without further communication, we'll assume the issue is resolved and mark it as closed.
