SSIS:Advisory:DQC for SSIS & TLS 1.2
TLS 1.0/1.1 Security Vulnerabilities
TLS 1.0 and 1.1 are no longer considered to be secure. They do not support modern cryptographic algorithms and are proven to be vulnerable to exploits. Most major technology companies have either already deprecated TLS 1.0 and 1.1
In order to stay current with industry standards for privacy and security in our audits, we must close vulnerabilities like TLS 1.0 and 1.1 for our web services.
When attempting to connect to a web service that requires TLS 1.2 or higher using DQC for SSIS, you may encounter this error:
Error verifying service: The request was aborted: Could not create SSL/TLS secure channel.
This happens because DQC for SSIS natively runs on TLS 1.0 while the web service requires TLS 1.2. To connect, a registry edit must be made so that DQC for SSIS uses TLS 1.2 instead.
Enforcing TLS 1.2
Follow the instructions below to enforce TLS 1.2 in your environment.
- Find the latest Microsoft Cumulative Update for the version of SQL Server being used. If your machine already has the latest updates or is unable to install them, continue to the next step.
- In the Registry Editor, go to the registry keys listed below and add a DWORD entry named SchUseStrongCrypto with a value of 1 under each key.
You can override the default behavior in the following registry keys:
Key  : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
Value: SchUseStrongCrypto
Type : REG_DWORD
Data : 1

Key  : HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319
Value: SchUseStrongCrypto
Type : REG_DWORD
Data : 1
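The registry change above can also be scripted and verified in one pass. The following PowerShell is an added example, not part of the original advisory or the vendor's tooling; the function names Get-StrongCryptoState and Set-StrongCrypto are hypothetical, and it assumes an elevated session on the machine that runs DQC for SSIS.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell session.
$Name = 'SchUseStrongCrypto'
$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',             # 64-bit .NET Framework 4.x
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'  # 32-bit .NET Framework 4.x
)

function Get-StrongCryptoState {
    # Report the current data under each key; Value is $null when the entry is absent.
    foreach ($key in $Keys) {
        $present = Test-Path -Path $key
        $value = $null
        if ($present) {
            $prop = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
            if ($prop) { $value = $prop.$Name }
        }
        [pscustomobject]@{
            Key       = $key
            Present   = $present
            Value     = $value
            Compliant = ($value -eq 1)
        }
    }
}

function Set-StrongCrypto {
    # Create the DWORD entry, or overwrite an existing one, with data 1.
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) {
            Write-Warning "Key not found, skipping: $key"
            continue
        }
        New-ItemProperty -Path $key -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

Get-StrongCryptoState | Format-Table -AutoSize   # state before the change
Set-StrongCrypto
$after = Get-StrongCryptoState
$after | Format-Table -AutoSize                  # state after the change

# Fail loudly if any key that exists still lacks the value.
$bad = $after | Where-Object { $_.Present -and -not $_.Compliant }
if ($bad) {
    Write-Error "SchUseStrongCrypto is not 1 under: $($bad.Key -join ', ')"
} else {
    Write-Output 'SchUseStrongCrypto set. Restart the machine before testing the connection.'
}
```

Running Get-StrongCryptoState on its own makes no changes, so it can be used to audit other SSIS hosts before and after the edit.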
Restart the machine, open up a DQC for SSIS project, and perform a Test Configuration to ensure you are connected successfully.
SSIS will now successfully connect to a TLS 1.2 web service.
We are currently working on natively integrating TLS 1.2 with DQC Components for SSIS, and future releases with support for TLS 1.2 will be announced on SSIS:Data Quality Components.