Blog Post

SQL Server Blog
2 MIN READ

OLE DB Driver 19.0 for SQL Server Released

David-Engel's avatar
David-Engel
Steel Contributor
Feb 15, 2022

Version 19.0 of the Microsoft OLE DB Driver for SQL Server has been released. Version 19.0 includes changes and new features that improve security in the driver.

 

Features

  • Support for TDS 8.0
  • Support for the Host Name In Certificate connection string keyword, and the SSPROP_INIT_HOST_NAME_CERTIFICATE initialization property

Changes

  • BREAKING CHANGE - Default Encrypt to Yes/Mandatory.
  • BREAKING CHANGE - Changed certificate validation behavior to validate when encryption is negotiated from either the client or the server side, not just the client side.

 

Breaking Changes

 

Encrypt = true, by default

There a couple breaking changes in 19.0 over previous releases that may affect a lot of users. Similar to the HTTP to HTTPS default changes made in web browsers a few years back (and the security reasons for them), we are changing the default value of the `Encrypt` connection option from `no` to `yes`/`mandatory`. (New encrypt values "mandatory" and "optional", synonymous with "yes" and "no", respectively, have been added to better describe encryption behavior.) With the increased emphasis on secure-by-default, the growing use of cloud databases, and the need to ensure connections are secure, it's time for this backwards-compatibility-breaking change. We realize this will cause some disruption, but letting clients try to connect without encryption by default leaves them open to attack from malicious actors.

 

We also changed the behavior of TrustServerCertificate to not be tied to the Encrypt setting. Previously, if Encrypt was set to no, certificates wouldn't be validated regardless of what TrustServerCertificate was set to. This allowed servers using self-signed certificates and Force Protocol Encryption to encrypt their client connections without requiring clients to change their default settings.

 

The action item if you are affected by the Encrypt change is to either (in order of recommendation):

  • Install a trusted certificate on your server.
  • Change your client's Encrypt connection string setting (or connection property) to optional/no.

If you are using a self-signed certificate and the Force Encryption setting on the server to ensure clients connect with encryption, you will need to do one of the following (in order of recommendation):

  • Change to a certificate that is trusted as part of the client's trust chain.
  • Add the self-signed certificate as a trusted certificate on the client.
  • Change your client's TrustServerCertificate connection string setting (or connection property) to yes.

If you maintain an application that uses the Microsoft OLE DB Driver for SQL Server and you don't expose the Encrypt and TrustServerCertificate settings to your users, it's recommended that you make application changes to allow users to opt-in to non-encrypted connections or connections that use an untrusted certificate. It's also recommended that you expose the HostNameInCertificate setting. This new, related setting allows users to specify a known hostname defined in a certificate that doesn't match the hostname they need to use to connect to the server.

 

For more details, see the release notes.

 

The updated driver can be downloaded directly from Microsoft.

David Engel

Published Feb 15, 2022
Version 1.0
  • ClaytonHoyt's avatar
    ClaytonHoyt
    Copper Contributor

    This is indeed a breaking change. In testing this, neither Encrypt=Yes or Encrypt=Mandatory cause the connection to be encrypted. Only using "Use Encryption For Data=True" actually encrypts the connection. 

Share