Why TLS 1.3 matters
TLS (Transport Layer Security) is the protocol that encrypts traffic between clients and servers.
For many years, most SQL Server environments have relied on TLS 1.2, which dates back to 2008.
TLS 1.3, finalized in 2018, is a significant evolution. It brings three main benefits:
Better performance
With fewer round trips and faster negotiation, secure connections are established much more quickly in practice.
Stronger security
- Old and weak algorithms are removed (RC4, SHA1, MD5, DES, 3DES…)
- Perfect Forward Secrecy (PFS) is mandatory. Even if a private key is compromised later, past sessions remain protected
- Simpler cipher suites: less configuration complexity, fewer chances to misconfigure
Easier compliance
- Recommended by NIST
- Strongly encouraged by PCI DSS 4.0
- Fewer exceptions to justify during audits
What SQL Server 2025 adds
SQL Server 2022 introduced TLS 1.3 through the new TDS 8.0 (Tabular Data Stream) protocol. SQL Server 2025 makes it broadly usable across the SQL Server ecosystem: support is no longer limited to client connections.
Components that can use TLS 1.3
- Client connections (ODBC, OLE DB, .NET)
- SQL Server Agent
- bcp utility
- sqlcmd utility
- Always On Availability Groups
- Always On Failover Cluster Instances
- Log Shipping
- Transactional replication
- Merge replication
- Peer-to-peer replication
- Snapshot replication
- Linked Servers
- PolyBase
- SQL Writer Service
Prerequisites
Valid certificates on all endpoints
- Self-signed certificates are acceptable for testing
- In production, use certificates from a trusted CA or an internal PKI
Updated drivers
- ODBC Driver 18+ for SQL Server
- OLE DB Driver 19+ for SQL Server
- Microsoft.Data.SqlClient 5.0+
- Older drivers will either fall back to older TLS versions or fail to connect
SQL Server configuration
- You can enforce encryption on all connections (Force Encryption)
- You can configure TDS 8.0 as the minimum protocol version (Force Strict Encryption)
How Copilot can help
I'm setting up log shipping between two SQL Server 2025 instances with TLS 1.3 enabled.
What certificate requirements should I verify?
The MSSQL extension with GitHub Copilot can assist you when planning and rolling out TLS 1.3.
Auditing the current state
Analyze my current SQL Server encryption configuration.
What TLS version are my connections using?
Are there any connections using deprecated protocols?
Copilot can generate and explain the queries that inspect the relevant DMVs and interpret the results.
Generating configuration scripts
Generate a script to configure SQL Server 2025 to require TLS 1.3 for all incoming connections,
including the certificate configuration steps.
Diagnosing compatibility issues
My application fails to connect after enabling TDS 8.0.
The error mentions "SSL Provider". What should I check and how do I fix it?
Reviewing linked servers
Review my linked server configurations and identify which ones might have issues with TLS 1.3 requirements.
Documenting the changes
Generate documentation for our security team explaining the TLS configuration changes we're implementing for PCI-DSS compliance.
It is possible that the AI generated content is incorrect. You remain responsible for reviewing, validating, and approving it before any use. Do not rely on this output without thorough human verification. Not intended for production use.
Things to watch out for
Linked Servers to legacy systems
You may have linked servers that point to:
- Older SQL Server versions (2016 and earlier)
- ODBC sources that do not support TLS 1.2/1.3
- Third-party servers with outdated TLS stacks
If you enforce TLS 1.3 everywhere, these connections can fail.
Possible approaches:
- Upgrade the remote systems
- Use temporary exceptions (not recommended long-term in production)
- Introduce a proxy or gateway that can handle protocol translation
Replication to older versions
Transactional or merge replication to subscribers running SQL Server 2019 or earlier may require mixed configurations.
Legacy applications
Applications using:
- .NET Framework with older System.Data.SqlClient versions
- Old ODBC/OLE DB drivers
- Third-party tools that are not updated
These may need to be upgraded or reconfigured before you enforce TLS 1.3.
Suggested deployment strategy
These steps are indicative; adapt them to your environment and change management process.
Phase 1: Audit
- Inventory all inbound and outbound connections
- Identify client types and driver versions
- Document linked servers and replication paths
Phase 2: Testing
- Enable TLS 1.3 in a staging or pre-production environment
- Test all critical applications and administrative tools
- Identify and resolve compatibility issues
Phase 3: Progressive rollout
- Enable TLS 1.3 as an option without forcing it
- Monitor which connections still negotiate older TLS versions
- Once all key systems are compatible, enforce TLS 1.3
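The audit in Phase 1 and the monitoring in Phase 3 both come down to the same question: which sessions are still arriving unencrypted or over a pre-TDS 8.0 protocol? The query below is an added example, not part of the original post or of any Microsoft documentation. It reads sys.dm_exec_connections, whose protocol_version column holds the negotiated TDS version as an integer (for example 1946157060 = 0x74000004 for TDS 7.4); the mapping of the top byte to TDS versions follows the MS-TDS version constants and should be confirmed against the builds you run. The DMV does not expose the TLS version itself, so a TDS 8.0 session is used here as the indicator that strict encryption was negotiated.

```sql
-- Added example: classify current connections by TDS version and encryption state.
-- protocol_version / 16777216 is integer division that isolates the top byte of the
-- negotiated TDS version (0x74 = 116 = TDS 7.4, 0x08 = 8 = TDS 8.0 per MS-TDS; verify on your build).
IF OBJECT_ID('tempdb..#tls_audit') IS NOT NULL DROP TABLE #tls_audit;

SELECT
    c.session_id,
    c.net_transport,
    c.encrypt_option,
    c.auth_scheme,
    c.client_net_address,
    s.host_name,
    s.program_name,
    CASE c.protocol_version / 16777216
        WHEN 8   THEN 'TDS 8.0 (strict encryption)'
        WHEN 116 THEN 'TDS 7.4'
        WHEN 115 THEN 'TDS 7.3'
        WHEN 114 THEN 'TDS 7.2'
        WHEN 113 THEN 'TDS 7.1'
        WHEN 112 THEN 'TDS 7.0'
        ELSE 'unknown (' + CONVERT(varchar(20), c.protocol_version) + ')'
    END AS tds_version,
    CASE
        WHEN c.encrypt_option = 'FALSE'          THEN '1 - unencrypted: fix before enforcing'
        WHEN c.protocol_version / 16777216 <> 8  THEN '2 - encrypted but pre-TDS 8.0: driver upgrade needed for strict mode'
        ELSE                                          '3 - ready'
    END AS readiness
INTO #tls_audit
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE c.parent_connection_id IS NULL;          -- skip MARS child connections; they inherit the parent's transport

-- Detail view: every session that is not yet ready, with enough context to find the owner.
SELECT readiness, session_id, host_name, program_name, client_net_address, net_transport, tds_version, auth_scheme
FROM #tls_audit
WHERE readiness <> '3 - ready'
ORDER BY readiness, host_name, program_name;

-- Summary view for Phase 3 monitoring: which applications still negotiate older protocols.
SELECT program_name, tds_version, encrypt_option, COUNT(*) AS sessions
FROM #tls_audit
GROUP BY program_name, tds_version, encrypt_option
ORDER BY encrypt_option, tds_version, sessions DESC;
```

Run it periodically during the progressive rollout (for example from a SQL Server Agent job that writes the summary to a table) and enforce strict encryption only once the detail view returns no rows for the systems you care about.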