Unencrypted connections in Always on Availability Group

Question

Post reply

Unencrypted connections in Always on Availability Group

Awais Afzal

SSC Veteran

Points: 269
More actions
November 7, 2024 at 9:41 am

#4478368
Hi,
In my Always On Availability environment, I am seeing two encrypt_option values as FALSE in the DMV sys.dm_exec_connections. This is causing issues in the database vulnerability scan. Please note that an SSL certificate is already applied, and the Force Encryption option is set to "Yes." How can I resolve this issue?
- This topic was modified 1 month, 2 weeks ago by Awais Afzal.
Attachments:
You must be logged in to view attached files.

Viewing 6 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic. Login to reply

Johan Bijnens SSC Guru Points: 135375 More actions · Answer 1

Modify your DB mirroring endpoints to force encryption ! ( encryption = required )

Check Create Endpoint

Johan

Learn to play, play to learn !

Dont drive faster than your guardian angel can fly ...
but keeping both feet on the ground wont get you anywhere :w00t:

- How to post Performance Problems
- How to post data/code to get the best help[/url]

- How to prevent a sore throat after hours of presenting ppt

press F1 for solution, press shift+F1 for urgent solution 😀

Need a bit of Powershell? How about this

Who am I ? Sometimes this is me but most of the time this is me

Awais Afzal SSC Veteran Points: 269 More actions · Answer 2

I have checked my endpoint configuration it is already encrypted. But still it is showing encrypt_option 'FALSE' in connections DMV.

ss3

Johan Bijnens SSC Guru Points: 135375 More actions · Answer 3

hmmm ... you are wright.

I never payed notice to those connections ( assuming they are encrypted due to the endpoint encryption setting, but apparently only the endpoint to endpoint conversation is encrypted )

Johan

Learn to play, play to learn !

Dont drive faster than your guardian angel can fly ...
but keeping both feet on the ground wont get you anywhere :w00t:

- How to post Performance Problems
- How to post data/code to get the best help[/url]

- How to prevent a sore throat after hours of presenting ppt

press F1 for solution, press shift+F1 for urgent solution 😀

Need a bit of Powershell? How about this

Who am I ? Sometimes this is me but most of the time this is me

Awais Afzal SSC Veteran Points: 269 More actions · Answer 4

Is there any workaround to fix this? because it appears in vulnerability scan and we have to remove this vulnerability.

Johan Bijnens SSC Guru Points: 135375 More actions · Answer 5

Apparently there are some extra certificate steps to be taken care of and instance configuration

ref: "How to set and use encrypted SQL Server connections"

Test it - TEST IT - Test IT !

Johan

Learn to play, play to learn !

Dont drive faster than your guardian angel can fly ...
but keeping both feet on the ground wont get you anywhere :w00t:

- How to post Performance Problems
- How to post data/code to get the best help[/url]

- How to prevent a sore throat after hours of presenting ppt

press F1 for solution, press shift+F1 for urgent solution 😀

Need a bit of Powershell? How about this

Who am I ? Sometimes this is me but most of the time this is me

Unencrypted connections in Always on Availability Group

Attachments: