70

I'm using Encrypt=yes in a SQL Server connection string, as I need the TCPIP traffic to be encrypted, but on opening the connection I get an error:

A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 0 - The certificate's CN name does not match the passed value.)

Any suggestions how to fix this? I assume I need some sort of certificate relationship between my servers, but have no idea where to start.

I need this for two connections, one to a SQL 2000 server and one to a 2005 server.

4 Answers

128

Your database connection can be configured to encrypt traffic and to accept any certificate from your server. Not a grand solution, but it worked for me.

The resulting connection string should look like this:

"[...];Encrypt=True;TrustServerCertificate=True"

3 Comments

Indeed. A minor addition: Beginning in .NET Framework 4.5, when TrustServerCertificate is false and Encrypt is true, the server name (or IP address) in a SQL Server SSL certificate must exactly match the server name (or IP address) specified in the connection string. Otherwise, the connection attempt will fail. More info at MSDN
Don't set trustServerCertificate=true ever in LIVE. There is another connection property "hostNameInCertificate" which you can use. Please refer to this Microsoft Doc.
Using the native client 11.0 driver, I had to use "yes" instead of "true".
14

I realize this is pretty old, but thought this might still help someone.

If the server you are connecting to does not have a certificate installed, a default certificate number is generated each time the server is restarted. When this happens the CN number changes, and might not match the one you have.

I read this recently, but I'm still trying to find the link for you. I'd suggest you make sure that the server you are connecting to has explicitly installed a certificate, and that your client has it too.

I'll update this as soon as I find the link.

1 Comment

I appreciate that I'm a bit late to the party, but if anyone still needs the source of that info they can go here technet.microsoft.com/en-us/library/ms189067(v=sql.105).aspx
8

You can't encrypt the connection without also having a certificate installed on the server. By default SQL Server will present a self-signed certificate, and this is (and should be) rejected by clients.

Your options are:

a) The solution is to install a real certificate on the SQL Server:

Certificate Management (SQL Server Configuration Manager)

b) If you aren't able to install a real certificate on the SQL Server (a few $/year), you can issue a self-signed certificate and trust this specific certificate on your client machines.

c) If you really do want to ignore this security problem (please don't do this), you do have the option to add an "ignore this security warning" flag (TrustServerCertificate) to the connection string:

Encrypt=Yes;TrustServerCertificate=Yes

(added 2023-07-27) If you are using ODBC Driver for SQL Server version 18.x or newer:

Encrypt=Yes;hostNameInCertificate=<myservername>

d) If you are using JDBC there is an additional connection string property that can be used instead of TrustServerCertificate:

Encrypt=Yes;hostNameInCertificate=<myservername>

2 Comments

Real certificate, could you elaborate what you mean?
A certificate from a trusted Certificate Authority like Let's Encrypt, Comodo, DigiSign etc...
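An added example, not code from any answer in this thread, that covers both the accepted answer's `Encrypt=True;TrustServerCertificate=True` string and the options listed in the answer above: a small linter for the TLS-related keywords of a SQL Server connection string. It parses the `;`-separated key=value syntax shared by SqlClient, ODBC and JDBC-style strings, reports whether the server certificate is actually validated (and against which name), and rewrites a weak string into a hardened one. The keyword names (Encrypt, TrustServerCertificate, HostNameInCertificate) are the documented ones; the posture labels, the `harden` helper and the sample host names are this example's own.

```python
"""Lint the TLS posture of SQL Server connection strings (example code)."""
import re

# Boolean spellings accepted by the drivers ("yes" for the native client,
# "true" for .NET).  "mandatory"/"strict" and "optional" are the newer
# Encrypt values used by ODBC Driver 18 and recent Microsoft.Data.SqlClient.
TRUE_VALUES = {"true", "yes", "1", "mandatory", "strict"}
FALSE_VALUES = {"false", "no", "0", "optional"}

# Keyword aliases folded to one canonical lower-case name.
ALIASES = {
    "server": "server", "data source": "server", "address": "server",
    "addr": "server", "network address": "server",
    "encrypt": "encrypt",
    "trustservercertificate": "trustservercertificate",
    "hostnameincertificate": "hostnameincertificate",
}

# key=value pairs; a value in {braces} or "quotes" may itself contain ';'.
_PAIR = re.compile(r'\s*([^=;]+?)\s*=\s*(\{[^}]*\}|"[^"]*"|[^;]*)\s*(?:;|$)')


def parse_connection_string(conn_str):
    """Map canonical lower-case keyword -> value (braces/quotes removed)."""
    result = {}
    for key, value in _PAIR.findall(conn_str):
        key = key.strip().lower()
        value = value.strip()
        if (value[:1] == "{" and value[-1:] == "}") or (value[:1] == '"' and value[-1:] == '"'):
            value = value[1:-1]
        result[ALIASES.get(key, key)] = value
    return result


def _flag(value, default=False):
    """Interpret a driver boolean; a missing keyword yields `default`."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in TRUE_VALUES:
        return True
    if v in FALSE_VALUES:
        return False
    raise ValueError(f"unrecognised boolean value {value!r}")


def assess(conn_str):
    """Return (posture, detail) for one connection string.

    posture is 'plaintext', 'encrypted-unverified' or 'encrypted-verified'.
    """
    kv = parse_connection_string(conn_str)
    # Older drivers default Encrypt to off, so a missing keyword is treated as
    # "not requested" rather than trusting whatever the driver's default is.
    if not _flag(kv.get("encrypt")):
        return "plaintext", "Encrypt is off or unset; TDS traffic is not protected"
    if _flag(kv.get("trustservercertificate")):
        return ("encrypted-unverified",
                "TrustServerCertificate is on: any certificate, including a "
                "self-signed one, is accepted, so the session can be intercepted")
    # Without TrustServerCertificate the chain is validated and the name in the
    # certificate must match HostNameInCertificate, or else the Server keyword.
    expected = kv.get("hostnameincertificate") or kv.get("server", "")
    expected = expected.split(",")[0].split("\\")[0]      # drop port / instance
    if expected.lower().startswith("tcp:"):
        expected = expected[4:]
    return ("encrypted-verified",
            f"certificate chain is validated and its name must match {expected!r}")


def harden(conn_str, cert_host=None):
    """Rewrite a string so encryption is required and the certificate verified.

    cert_host (hypothetical helper argument): the name in the server's
    certificate when it differs from the Server keyword, e.g. when connecting
    by IP address or DNS alias.
    """
    parts = []
    for key, value in _PAIR.findall(conn_str):
        canon = ALIASES.get(key.strip().lower(), key.strip().lower())
        if canon in ("encrypt", "trustservercertificate", "hostnameincertificate"):
            continue                       # re-emitted below with safe values
        parts.append(f"{key.strip()}={value.strip()}")
    parts.append("Encrypt=Yes")
    if cert_host:
        parts.append(f"HostNameInCertificate={cert_host}")
    return ";".join(parts) + ";"


# Constructed sample strings; db01.example.test is not a real host.
WEAK = "Server=tcp:db01.example.test,1433;Database=Orders;Encrypt=Yes;TrustServerCertificate=Yes;"
FIXED = harden(WEAK)

if __name__ == "__main__":
    for s in (WEAK, FIXED):
        posture, detail = assess(s)
        print(f"{posture:22} {detail}\n    {s}")
```

Run it as-is to see the weak string classified as encrypted-unverified and its hardened rewrite as encrypted-verified; pass `cert_host=` to `harden` when the client connects by IP or alias, which is the HostNameInCertificate case from option (d).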
4

Note that a public CA is not necessary if the SQL server is part of a well organized domain. Windows Active Directory Certificate Services can also be used to issue certificates to machines on the domain. In combination with group policy you can also ensure that all servers on the domain are issued with the root certificate (i.e. the root certificate is automatically placed in "Trusted Root Certification Authorities"). This is a better solution than a "self-signed" certificate.
