Encrypt incoming connections

Encrypt incoming connections#

Querona can encrypt incoming connections to its SQL Server–compatible (TDS) endpoint, so clients reach it over TLS. Encryption requires a server certificate configured on the Querona instance — review the certificate requirements before changing the settings below.

Querona serves both the long-established TDS 7.x transport (for the broadest client compatibility) and the modern TDS 8.0 transport, and supports the SQL Server encryption modes each one offers. By default encryption is not required and clients may connect unencrypted; configure a certificate and one of the modes below to require it.

Encryption

TDS version

Behaviour

Optional

TDS 7.x

Encryption is offered but not required: the login is always protected, and the rest of the session is encrypted only when the client asks for it. Clients that don’t support encryption can still connect. TLS is negotiated in-band, during the TDS pre-login exchange (up to TLS 1.2).

Mandatory

TDS 7.x

Encryption is required for the whole session; a client that won’t encrypt is rejected. TLS is still negotiated in-band during pre-login (up to TLS 1.2).

Strict

TDS 8.0

Encryption is required and the TLS channel is established before the TDS handshake, like HTTPS — which also enables TLS 1.3. Requires Maximum TDS version set to TDS v8.0.

Configure encryption#

  1. In the Administration Portal, navigate to ADMINISTER ‣ System Instances ‣ Root and click Edit.

    1. To change the certificate configured during installation, enter the thumbprint of the certificate you want Querona to use in the Certificate thumbprint box, then click OK.

  2. Set Encryption to the mode you want to enforce — Optional, Mandatory or Strict.

  3. Set the Maximum TDS version: keep TDS v7.4 for Optional or Mandatory and the widest client compatibility, or choose TDS v8.0 — required for Strict and for TLS 1.3.

  4. Verify the Minimum TLS version if encryption enabled (for example, TLS 1.2).

  5. Click SAVE, then restart the Querona Service.

Remarks#

If you see certificate validation errors, ensure that:

  • The server certificate is valid on the machine you’re using,

  • The HostNameInCertificate connection-string property matches the CA name or one of the DNS names in the certificate,

  • The Querona Service Account has read-private-key permission on the certificate used.

Note

To ensure secure connectivity between client and server, configure the SQL Client to support encrypted connections.