JDBC Driver 10.2 for SQL Server Released

Version 10.2 of the Microsoft JDBC Driver for SQL Server has been released. Version 10.2.0 brings several added features, changes, and fixed issues over the previous production release.

Added

• Java 17 support 1676
• Idle Connection Resiliency Feature 1669 (read more)
• Support for multi user scenarios for Always Encrypted key store providers 1614 (read more)
• Added logging when deriving realm 1672
• Added check for closed statement to registerColumnEncryptionKeyStoreProvidersOnStatement 1644
• Added 42108 and 42109 to transient error list 1643
• Retry for intermittent Java NativeSeedGenerator 1705
• Support for datetimeoffset with sql_variant 1673
• Canonical host name resolution when realm is provided in connection string 1730

Changed

• BREAKING CHANGE - Default Encrypt to true 1697
• BREAKING CHANGE - Changed certificate validation behavior to validate when encryption is negotiated from either the client or the server side, not just the client side 1731
• Deprecated AADSecurePrincipalId/AADSecurePrincipalSecret 1693
• Updated enclave provider to use a non-blocking random method 1734
• Updated Azure library dependency versions to address vulnerability issues 1733
• Updated Bouncy Castle dependency version 1735

Fixed

• Fix for Azure AD Interactive authentication timeout 1696
• Fix for Bulkcopy multi byte characters in char/varchar columns 1671
• Fixed an issue where Statement.closeOnCompletion() would cause a Null Pointer Exception 1639
• Fixed conversion of LocalDateTime and LocalTime to String in Bulk Copy 1640
• Fixed TDSParser stuck on TDS_COLMETADATA issue, which could result in a hang for certain queries [#1662] (#1662)

Breaking Changes

Encrypt = true, by default

There a couple breaking changes in 10.2 over previous releases that may affect a lot of users. Similar to the HTTP to HTTPS default changes made in web browsers a few years back (and the security reasons for them), we are changing the default value of the `Encrypt` connection option from `false` to `true`. With the increased emphasis on secure-by-default, the growing use of cloud databases, and the need to ensure connections are secure, it's time for this backwards-compatibility-breaking change. We realize this will cause some disruption, but letting clients try to connect without encryption by default leaves them open to attack from malicious actors.

We also changed the behavior of TrustServerCertificate to not be tied to the Encrypt setting. Previously, if Encrypt was set to false, certificates wouldn't be validated regardless of what TrustServerCertificate was set to. This allowed servers using self-signed certificates and Force Protocol Encryption to encrypt their client connections without requiring clients to change their default settings.

The action item if you are affected by the Encrypt change is to either (in order of recommendation):

• Install a trusted certificate on your server.
• Change your client's Encrypt connection string setting (or data source property) to false.

If you are using a self-signed certificate and the Force Encryption setting on the server to ensure clients connect with encryption, you will need to do one of the following (in order of recommendation):

• Change to a certificate that is trusted as part of the client's trust chain.
• Add the self-signed certificate as a trusted certificate on the client.
• Change your client's TrustServerCertificate connection string setting (or data source property) to true.

If you maintain an application that uses the Microsoft JDBC Driver for SQL Server and you don't expose the Encrypt and TrustServerCertificate settings to your users, it's recommended that you make application changes to allow users to opt-in to non-encrypted connections or connections that use an untrusted certificate. It's also recommended that you expose the HostNameInCertificate setting. This related setting allows users to specify a known hostname defined in a certificate that doesn't match the hostname they need to use to connect to the server.

Getting the latest release

The latest bits are available to download from Microsoft, from the GitHub repository, and via Maven Central.

Add the JDBC 10.2 RTW driver to your Maven project by adding the following code to your POM file to include it as a dependency in your project (choose .jre8, .jre11, or .jre17 for your required Java version).

<dependency> 
  <groupId>com.microsoft.sqlserver</groupId> 
  <artifactId>mssql-jdbc</artifactId> 
  <version>10.2.0.jre17</version> 
</dependency> 

Help us improve the JDBC Driver by taking our survey, filing issues on GitHub or contributing to the project.