Sqlserver安全篇之_启用TLS即配置SQL Server 数据库引擎以加密连接

官方文档
https://learn.microsoft.com/zh-cn/sql/database-engine/configure-windows/configure-sql-server-encryption?view=sql-server-ver16
https://learn.microsoft.com/zh-cn/sql/database-engine/configure-windows/manage-certificates?view=sql-server-ver15&preserve-view=true

TLS加密连接与TDE(Transparent data encryption)透明数据加密完全不一样，虽然TDE也要证书，但是TDE是针对数据库层面的也就是针对数据和日志文件，比如影响整个数据库的备份恢复、快照、删除、脱机、分离、转换READ ONLY 状态等，主要是DBA这种管理人员使用的。

TDE加密数据库步骤
1、创建证书certSSRSTEST

create certificate certSSRSTEST with subject ='SSRSTEST database certificate data encription';

2、使用证书certSSRSTEST加密数据库SSRSTEST

use SSRSTEST;
go
create database encryption key with algorithm = AES_128 encryption by server certificate certSSRSTEST
go
alter database SSRSTEST set encryption on
go

Sqlserver启用TLS加密连接的步骤
1、SQL Server配置为使用证书
每个版本的Sqlserver启动的时候都会生成一份self-signed certificate自签名证书，也可以使用powershell脚本建立一个自签名证书，也可以导入一个证书。再配置Sqlserver使用这些证书

在SQL Server 2019及更高版本中，证书管理已集成到SQL Server配置管理器中。这句话的理解是，从SQL Server 2019开始因为Sql Server Configuration Manager有了Import选项(Sql Server Configuration Manager–>SQL Server Network Configuration–>Right-click Protocols for MSSQLSERVER–>Properties–>Certificate–>Import)，可以一次性导入证书并配置Sqlserver使用这些证书，而之前的版本没有这个Import选项，所以从SQL Server 2019开始我们不再需要像之前的sqlserver版本一样先通过certlm.msc或MMC把证书导入到操作系统再通过Sql Server Configuration Manager配置Sqlserver使用这些证书

SQL Server 2019之前的版本，需要2步，第一步导入证书，第二步配置Sqlserver使用这些证书

certlm.msc-->Certificates-Local Computer-->Personal-->Certificates-->All Tasks-->Import
Sql Server Configuration Manager-->SQL Server Network Configuration-->Right-click Protocols for MSSQLSERVER-->Properties-->Certificate-->Certificate：-->dropdown list-->choose Certificate-->Apply

SQL Server 2019版本开始，一次性导入证书并配置Sqlserver使用这些证书

Sql Server Configuration Manager-->SQL Server Network Configuration-->Right-click Protocols for MSSQLSERVER-->Properties-->Certificate-->Import

在这里插入图片描述

2、SQL Server配置强制加密

Sql Server Configuration Manager-->SQL Server Network Configuration-->Right-click Protocols for MSSQLSERVER-->Properties-->Flags-->Force Encryption-->Yes

Sqlserver配置了强制加密后，客户端或在实例本机上使用SSMS连接该实例如果不勾选Trust server certificat这个选项的话会有报错：A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)

视图sys.dm_exec_connections的encrypt_option字段的值可以看到会话是否已经加密了

select session_id,encrypt_option,connect_time,client_net_address,local_net_address,net_transport,protocol_type,endpoint_id,auth_scheme from sys.dm_exec_connections

Sqlserver启用TLS加密后，证书信息并没有在sys.certificates表中找到

因为每个版本的Sqlserver启动的时候都会生成一份self-signed certificate自签名证书，Sqlserver服务器启动后在错误日志里面会记录一条信息A self-generated certificate was successfully loaded for encryption，这样的话就算该Sqlserver没有使用其他证书只要该Sqlserver配置了强制加密，客户端比如SSMS连接到该Sqlserver时如果选择了Encrypt connection和Trust server certificate，那么连接的会话就会被加密。

SQL Server uses a certificate from a trusted certification authority if available for encrypting login packets. If a trusted certificate isn’t installed, SQL Server generates a self-signed certificate (fallback certificate) during startup and use that self-signed certificate to encrypt the credentials. This self-signed certificate helps increase security, but it doesn’t protect against identity spoofing by the server. If the self-signed certificate is used, and the value of the ForceEncryption option is set to Yes, all data transmitted across a network between SQL Server and the client application is encrypted using the self-signed certificate.
SQL Server 使用来自受信任的证书颁发机构（如果可用）的证书来加密登录数据包。如果未安装受信任的证书，SQL Server 将在启动期间生成自签名证书（回退证书），并使用该自签名证书来加密凭据。此自签名证书有助于提高安全性，但它不会防范通过服务器进行的身份欺骗。如果使用了自签名证书，并且“ForceEncryption”选项的值设置为“是”，将使用自签名证书对通过网络在 SQL Server 和客户端应用程序之间传输的所有数据进行加密。
–备注：以上那句话"但它不会防范通过服务器进行的身份欺骗"，不是说在实例的本机上使用SSMS可以直接连接该实例，因为如果实例启用强制加密连接后，就算在该实例的本机上使用SSMS连接该实例如果不勾选Trust server certificate这个选项的话一样会有报错：A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)

创建self-signed certificate自签名证书的powershell脚本，以下脚本执行后，在certlm.msc或MMC或Sql Server Configuration Manager里面都能直接查看到，说明证书创建好了的话就代表导入到了操作系统中

# Define parameters
$certificateParams = @{Type = "SSLServerAuthentication"Subject = "CN=$env:COMPUTERNAME"DnsName = @("$($env:COMPUTERNAME)", $([System.Net.Dns]::GetHostEntry('').HostName), 'localhost')KeyAlgorithm = "RSA"KeyLength = 2048HashAlgorithm = "SHA256"TextExtension = "2.5.29.37={text}1.3.6.1.5.5.7.3.1"NotAfter = (Get-Date).AddMonths(36)KeySpec = "KeyExchange"Provider = "Microsoft RSA SChannel Cryptographic Provider"CertStoreLocation = "cert:\LocalMachine\My"
}# Call the cmdlet
New-SelfSignedCertificate @certificateParams

查看证书
certlm.msc–>Certificates-Local Computer–>Personal–>Certificates
或
Sql Server Configuration Manager–>SQL Server Network Configuration–>Right-click Protocols for MSSQLSERVER–>Properties–>Certificate–>Certificate:–>dropdown list

导出证书
certlm.msc–>Certificates-Local Computer–>Personal–>Certificates–>Right-click Certificatename–>All Tasks–>Export

导入证书
Sql Server Configuration Manager–SQL Server Network Configuration–Right-click Protocols for MSSQLSERVER–Properties–Certificate–>Import
或
certlm.msc–>Certificates-Local Computer–>Personal–>Certificates–>All Tasks–>Import

certlm.msc等同于MMC–>File–>Add/Remove Snap-in–>Certificates–>Add–>Computer account–>Next–>Finish–>OK

Sqlserver导入self-signed certificate自签名证书报错
Sql Server Configuration Manager–>SQL Server Network Configuration–>Right-click Protocols for MSSQLSERVER–>Properties–>Certificate–>Import

Errors or Warnings for certificate:C:\Users\lukes\Desktop\privatekey.pfx
The selected certificate is a self signed certificate. Proceeding with this certificate isn't advised
Error:The selected certificate name does not match FQDN of this hostname. This property is required by SQL Server Certificate name: DBTEST1 Computer name: DBTEST1.lukes.com

Sqlserver导入一个外部的域名的证书
Sql Server Configuration Manager–>SQL Server Network Configuration–>Right-click Protocols for MSSQLSERVER–>Properties–>Certificate–>Import，导入一个证书G:\Share\TLS\star.pan.com.pem的时候出现问题，本机的域名是daidbrestore1.dai.com，导入的的证书的dns是*.pan.com

Errors or Warnings for certificate:G:\Share\TLS\star.pan.com.pem
-----------------------
Error:The selected certificate name does not match FQDN of this hostname. This property is required by SQL Server Certificate name: *.pan.com Computer name: daidb1.dai.com 
Error:The selected certificate  does not have the KeySpec Exchange property. This property is required by SQL Server to import a certificate. 
Import error: 0x2, Windows Native Error: 0x80092004