The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption.

The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption.

  • Comments 10

What is SSL and why is my JDBC driver using it?

The v1.2 JDBC driver uses SSL (Secure Sockets Layer) to encrypt connections to SQL Server for improved security.  Where it can, the v1.2 driver ALWAYS uses SSL to encrypt the login to SQL Server.  For integrated auth connections, SSL provides an added layer of security.  For SQL auth, where the user name and password would otherwise be sent in the clear, SSL provides an essential layer of security.

 

I trust that my network is secure without SSL...  How do I turn off SSL encryption?

You can control whether a connection encrypts all data to and from the server after login using the ‘encrypt’ connection property.  However, where it can, the v1.2 driver ALWAYS uses SSL to encrypt the login to SQL Server.  You cannot disable SSL encryption of the SQL Server login.

 

Ok, but I upgraded to v1.2 and now I can’t connect!  Why am I getting the error “The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: …”?

Odds are good that your Java SSL setup is messed up somehow.

 

SSL in Java is provided through the Java Secure Socket Extension (JSSE).  Its reference guide (for J2SE 5) is here: http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html .  A key aspect of JSSE is its pluggable provider model. Typically, JRE vendors supply JSSE provider implementations.  There are at least two main JSSE providers available out there and they do not necessary work well together.

 

For SSL to work at all, it is absolutely necessary to have the JSSE providers configured correctly for the JRE you are using.  There are two steps to this:

1)      Look at the java.security file in your JRE installation (typically found in the jre\lib\security directory).  The installed security providers are listed in that file as security.provider.x=… where ‘x’ is the priority used.  For Sun JRE installations, the first priority provider should be Sun’s.  E.g.: you should have the line “security.provider.1=sun.security.provider.Sun” in that file.  For other JRE's, please refer to the JRE's documentation regarding their default provider name.  We recommend when using the IBM JRE to specify the "com.ibm.jsse.IBMJSSEProvider" as the first security provider to use.

2)      Next, make sure that the classpath points to the correct JAR files (in the jre\lib directory) for use with those providers.  For Sun, the classpath should include jsse.jar.  For IBM,  should include ibmjsse.jar.

 

If either the classpath or the java.security file is not correct, SSL will not work.  Not just with SQL Server, but with anything else either.

 

SSL works for other apps, just not with JDBC.  And I’ve verified that the classpath is correct… Check certificates

If you are going to configure SQL Server to use a server certificate, then that certificate needs (or the certificate of one of its trusted issuing authorities) needs to be present in Java’s certificate store.  If the certificate isn’t there, chances are that your JSSE provider will give you a nice descriptive, if sometimes cryptic, error.  Configuring the client for use with SSL is covered in our docs here http://msdn2.microsoft.com/en-us/library/bb879943.aspx .  Some certificates are quite large and trip up older JSSE providers.  Of course there may be other VMs out there with similar problems, but we are not able to verify all of them.  A smaller certificate may help in this case.

 

Not a configuration problem or a certificate problem.  Now what.

When contacting Microsoft to help us be effective, we need to be armed with the following info:

1)      The complete text of the error message.  I.e. including the part after “Error: …” above.

2)      A stack trace (if available).

3)      A complete log (if available) containing FINEST TDS-level traces leading up to the error.  In particular, the following loggers should be enabled in the logging properties:

com.microsoft.sqlserver.jdbc.TDSChannel.level = FINEST

com.microsoft.sqlserver.jdbc.TDSReader.level = FINEST

com.microsoft.sqlserver.jdbc.TDSWriter.level = FINEST

com.microsoft.sqlserver.jdbc.TDS.DATA.level = FINEST

               Generating the log file with the XMLFormatter is preferred over SimpleFormatter, as it gives us more info.

4)      The java.security file that was used.

5)      Vendor and version of the JRE used.

6)      SQL Server version

7)      The connection string/connection properties used.

 

David Olix & Jimmy Wu

SQL Server JDBC Team

Leave a Comment
  • Please add 6 and 7 and type the answer here:
  • Post
  • Amigos espero que apoyen en la URL tengo lo siguiente:

    jdbc:sqlserver://IT-D106-002:8080;databaseName=DBSisCobrita01

    y me arroja el siguiente error para conectarme a la Base de Datos.

    la respuesta de inicio de sesión previo TDS esta imcompleta. El servidor de destiono debe ser SQL server 2000 o posterior

    Nota estoy trabajando con SQL server 2005, NetBeans 6.1 y el driver sqljdbc_2.0

    mi correo es eduansm@hotmail.com

    Gracias por la ayuda.

  • The thing is this just doesn't really do it for me, prefer something a little less... mainstream.

  • I still having the “The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: …”?

    I'm developing a program in Netbean to connect to SQL Server 2005. Previously is working fine but then suddenly it unable to connect. Now my application is not working.

    I check the java.security file, do have this.

    security.provider.1=sun.security.provider.Sun

    Please advise.

  • Hi Adrian,

    What is the complete error message?  The part of the message that you omitted is probably important to the diagnosis.  What version of the JDBC driver are you using?  What JRE vendor & version?  What are the other security provider entries?  For example, the Sun 1.4.2 JRE java.security file may have these entries:

    security.provider.1=sun.security.provider.Sun

    security.provider.2=com.sun.net.ssl.internal.ssl.Provider

    security.provider.3=com.sun.rsajca.Provider

    security.provider.4=com.sun.crypto.provider.SunJCE

    security.provider.5=sun.security.jgss.SunProvide

    Try enabling Java's SSL debugging facilities:

    http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#Debug

    Regards,

    --David Olix [SQL Server]

  • **** Found a solution to this problem ****

    I had the same problem when I ran my code through MS-DOS script. It was working fine through Eclipse Java IDE but was always failing when I invoked the same java class from command line. Finally, I found a solution to this problem.

    I solved this issue by adding "C:\dev\java\jdk1.6.0_12\jre\lib\ext" directory to my CLASSPATH variable and "-Djava.ext.dirs" parameters. I think you can resolve this just by adding the ext directory path to java.exe.dirs parameter.

    I am using the latest JDBC Driver (sqljdbc4.jar) and

    Java Version = Java(TM) SE Runtime Environment (build 1.6.0_23-b05)

    on Windows XP SP3. Hope this solution works for you all.

    Have a nice day!

    -Satheesh Donthy

    sdonthy@yahoo.com

  • Hi Satheesh, How did you add that directory to your classpath and the -Djava.ext.dirs" parameters?

  • In case somebody wonders, MS Driver trips over the latest SSL BEAST Fix from Oracle in 1.6.0_29 and _30. You can turn that off with the java system property -Djsse.enableCBCProtection=false, but this is not recommended. In jTDS you can use "ssl=no" (unless server is configured to force encryption). With encrypt=false it wont work for MS JDBC Driver (since it always encrypts login).

  • @post on Dec 31 2011

    The connection issues with 1.6.0_29 are known.  Watch this blog post for updates on this topic.

    blogs.msdn.com/.../supported-java-versions-november-2011.aspx

  • I have problem  cant execute my java program (webnformaton.jar)

  • My fb isn't comin in..if I goggle facebook it says couldn't establish a secure connection but I can goggle anything else.  So what should I do ..I rebooted my wifi for 3 min.. it works beside that..what is rhe problem..oh I have wifi wild blue  can anyone help

Page 1 of 1 (10 items)