Enable TLS 1.2 for SQL Server 2016 database mail

TLS 1.2 is the only version of TLS considered secure now (March 2019). It took considerable time and effort to discover that there are 2 essential additional settings that are required to get this working and that are neither well known nor well documented, by Microsoft or on the web generally. The following could save you a great deal of time and effort.

These are the 2 new Registry settings that fixed the problem for us:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

This is a reference to the thread where we eventually found this information, buried halfway down the thread: TLS 1.2 in .NET Framework 4.0

Below is the content for a simple executable registry file that I put together that will make the 2 new settings and the settings already shown on the thread above (i.e. this makes all of the necessary Registry settings*):

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

Note 1: SQL needs to be restarted for these settings to take effect, but it is better to restart Windows since the new settings will affect .NET 4.x generally.

Note 2: In SQL, the SSL checkbox must be ticked in the mail profile to use TLS 1.2.

*Note 3: FYI, we ran the free tool, Crypto V2, with the "Best Practices" option enabled before starting on getting this working. We verified our changes afterwards using the new Crypto version 3.

Hopefully this will save considerable time, effort and frustration for others ;)


Since it seems nobody can answer this question, I opened a support case with Microsoft, and even then it took almost 1 week for MS support to come back with an answer, as the engineer went through various internal resources to get the definitive answer.

The summary is:

SQL Server Database Mail uses System.Net.Mail to do the work; System.Net.Mail is able to send mail using TLS 1.2, but only when the build runtime version is 4.6 or above. SQL Server 2016 Database Mail is built for .NET 3.5, hence SQL Server 2016 Database Mail does not support TLS 1.2 as of now.


It's odd because the linked article clearly states:

Support for TLS v1.2 included in the .NET Framework version 3.5 SP1 on Windows 8.1 and Windows Server 2012 R2

which contradicts the response you get from MS support. Edit: I found in this StackOverflow question that, although .NET 3.5 didn't include support for TLS 1.2 at first, it was added later by MS:

Support for TLS System Default Versions included in the .NET Framework 3.5.1 on Windows 7 SP1 and Server 2008 R2 SP1

Reading the FAQ section I think that the problem is that you missed one registry key when enabling TLS 1.2. The FAQ section says:

The correct registry settings are as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
  "DisabledByDefault"=dword:00000000
  "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
  "DisabledByDefault"=dword:00000000
  "Enabled"=dword:00000001

These settings are required for both server and client computers.

But in the screenshot that you provided I only see "Enabled"=dword:00000001; the "DisabledByDefault"=dword:00000000 value is missing.

Also it says:

Is TLS 1.1 supported on SQL Server 2016?

Yes. SQL Server 2016 and SQL Server 2017 on Windows versions ship with TLS 1.0 to TLS 1.2 support. You have to disable TLS 1.0 and 1.1 if you want to use only TLS 1.2 for client-server communication.

which can be interpreted as meaning that you need to disable TLS 1.0 and 1.1 in order to use 1.2, but I'm not sure about this one.
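The first answer lists six registry values (SchUseStrongCrypto for both .NET Framework 4.x hives plus the SCHANNEL TLS 1.2 Client/Server pairs), and the last answer points out that a missing "DisabledByDefault" is easy to overlook. The PowerShell below is an added audit script, not code from either answer or from Microsoft; it reads each of those values and reports OK, WRONG or MISSING, and with -Fix writes the expected value. It assumes 64-bit Windows with .NET Framework 4.x installed and an elevated prompt; the function and switch names are my own.

```powershell
# Added example (not part of the original thread): audit the registry values the
# answers above depend on. Expected values are taken from the .reg content posted above.
$Checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SchUseStrongCrypto'; Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto'; Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'; Name = 'Enabled';           Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'; Name = 'DisabledByDefault'; Expected = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'; Name = 'Enabled';           Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'; Name = 'DisabledByDefault'; Expected = 0 }
)

function Test-Tls12RegistrySettings {
    # -Fix (hypothetical switch name) writes the expected DWORD where a value is missing or wrong
    param([switch]$Fix)

    foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path $c.Path) {
            # Get-ItemProperty yields $null (error suppressed) when the value name does not exist
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        # MISSING covers the case called out above: "Enabled" present but "DisabledByDefault" absent
        $status = if ($null -eq $actual) { 'MISSING' } elseif ($actual -eq $c.Expected) { 'OK' } else { 'WRONG' }

        if ($Fix -and $status -ne 'OK') {
            # -Force on New-Item also creates the intermediate "TLS 1.2" key if it is absent
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            New-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected -PropertyType DWord -Force | Out-Null
            $status = 'FIXED'
        }

        [pscustomobject]@{ Key = $c.Path; Value = $c.Name; Expected = $c.Expected; Actual = $actual; Status = $status }
    }
}

# Report only; add -Fix to apply. Restart Windows afterwards (Note 1 above) so .NET 4.x and SCHANNEL pick up the change.
Test-Tls12RegistrySettings | Format-Table -AutoSize
```

Any row that is not OK after a reboot is a setting the answers above say Database Mail needs before it can negotiate TLS 1.2.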