Configuring TLS 1.3 for Microsoft SQL Server

You can configure TLS 1.3 as the default mode of communication between the application and the database.

Procedure

  1. Add the following properties to the application.yml configuration file:
    enabled protocols: "TLSv1.3"
    cipher-suite: TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    Note: To offer TLS 1.3 as an optional protocol rather than the only one, append the TLS 1.3 values to the default configuration in application.yml. For example, set enabled protocols: "TLSv1.2,TLSv1.3" and list both the TLS 1.2 and the TLS 1.3 cipher suites in cipher-suite, separated by commas.

    To secure the connection end to end, the database server itself may also need additional configuration before it accepts the TLSv1.3 protocol.

  2. Add the following parameters to the JDBC URL:
    encrypt=true;trustServerCertificate=true;sslVersion=TLSv1.3;
    For example:
    liquibase:
      enabled: true
    datasource:
      type: com.zaxxer.hikari.HikariDataSource
      url: jdbc:sqlserver://db-host:1433;databaseName=db-name;encrypt=true;trustServerCertificate=true;sslVersion=TLSv1.3; # Configuring TLS 1.3
      username: # Database username
      driver-class-name: com.microsoft.sqlserver.jdbc.SQLServerDriver
  3. Convert the public certificate of the database to PKCS #12 (.p12) or JKS format and reference the resulting .p12 or .jks file as a truststore in the database configuration section.
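A small pre-rollout check for the settings from steps 1 to 3, added here as an example and not code from the product or its documentation: it parses the ;-separated SQL Server JDBC URL format used above, splits the cipher-suite list into TLS 1.3 and TLS 1.2 suites, and flags trustServerCertificate=true, which makes the driver skip chain validation so the step 3 truststore is never consulted. The sample URL and suite list are constructed from the values on this page.

```python
# Constructed sample values mirroring the configuration described above.
SAMPLE_URL = ("jdbc:sqlserver://db-host:1433;databaseName=db-name;"
              "encrypt=true;trustServerCertificate=true; sslVersion=TLSv1.3;")
SAMPLE_SUITES = ("TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,"
                 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384")


def parse_jdbc_url(url: str) -> dict:
    """Return the ';'-separated key=value properties with lower-cased keys."""
    if not url.startswith("jdbc:sqlserver://"):
        raise ValueError("not a SQL Server JDBC URL")
    props = {}
    for part in url.split(";")[1:]:        # element 0 is host:port
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed property (missing '='): {part!r}")
        props[key.strip().lower()] = value.strip()
    return props


def split_suites(cipher_suite: str) -> tuple:
    """Separate TLS 1.3 suites from TLS 1.2 ones (IANA TLS 1.2 names contain _WITH_)."""
    names = [s.strip() for s in cipher_suite.split(",") if s.strip()]
    tls13 = [n for n in names if "_WITH_" not in n]
    tls12 = [n for n in names if "_WITH_" in n]
    return tls13, tls12


def lint_tls(url: str, cipher_suite: str) -> list:
    """Return human-readable findings; an empty list means nothing to flag."""
    p = parse_jdbc_url(url)
    findings = []
    if p.get("encrypt", "false").lower() != "true":
        findings.append("encrypt is not true: the connection is not encrypted")
    if p.get("sslversion") != "TLSv1.3":
        findings.append("sslVersion is not TLSv1.3")
    if p.get("trustservercertificate", "false").lower() == "true":
        findings.append("trustServerCertificate=true skips chain validation; "
                        "set it to false once the step 3 truststore is configured")
    tls13, tls12 = split_suites(cipher_suite)
    if not tls13:
        findings.append("no TLS 1.3 cipher suite configured")
    if tls12:
        findings.append(f"{len(tls12)} TLS 1.2-only suite(s) listed: {', '.join(tls12)}")
    return findings


if __name__ == "__main__":
    for finding in lint_tls(SAMPLE_URL, SAMPLE_SUITES):
        print("-", finding)
```

Run against the page's own values, the lint reports two findings: the trustServerCertificate setting and the one TLS 1.2 suite in the list.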