There are currently 2 modes of SSL with SQL.
Client side initiated SSL encryption and server-side SSL encryption.
Server side SSL encryption is enabled via the "Force Protocol Encryption"
setting on the server, you have discovered this already.
With Server side SSL, the client does not validate the SSL certificate at
all, it just uses it to encrypt the traffic.
With client side initiated SSL encryption, the client will both verify that
it trusts the root CA of the certificate as well as validate that the target
server is properly embedded in the certificate (mutual authentication). So
client side initiated SSL is more stringent.
However, you cannot use SSL to deny users access to the server (or for
client authentication like you can with IIS); SSL is only used to encrypt
the data over the wire with SQL. But that is actually a good idea I'll
bring to the next meeting we have about future of TDS protocol, I think
this would be a nice feature to have.
Matt Neerincx [MSFT]
This posting is provided "AS IS", with no warranties, and confers no rights.
Please do not send email directly to this alias. This alias is for newsgroup
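The two modes described in the post above, as an added example that is not part of the original post or of any Microsoft code. The Force Protocol Encryption server setting is modelled as a boolean argument; the client-side keywords Encrypt and TrustServerCertificate come from later Microsoft SQL Server client drivers (SQL Native Client, ODBC Driver for SQL Server, SqlClient) and are not mentioned in the post. The default of "Encrypt=no" when the keyword is missing is an assumption matching the older drivers; the newest drivers default to "yes". The sample connection strings are constructed.

```python
"""Classify a SQL Server connection string into the two encryption modes the
post describes and flag the weak one: encrypted, but certificate never validated.

Added example, not from the original post. Encrypt / TrustServerCertificate
are keywords of later Microsoft SQL Server client drivers; the post predates
them. Force Protocol Encryption is modelled as a boolean argument.
"""
from __future__ import annotations
from dataclasses import dataclass

# Spellings the drivers accept as "yes" ("mandatory" is a newer synonym on
# Encrypt). Anything else is treated as "no".
TRUE_VALUES = {"yes", "true", "1", "mandatory"}

# Keywords are compared case-folded with spaces removed, so
# "Trust Server Certificate" and "TrustServerCertificate" are the same key.
ENCRYPT_KEYS = {"encrypt", "trustservercertificate"}


def split_pairs(cs: str) -> list[str]:
    """Split on ';' except inside {...}, which quotes values containing ';'."""
    pairs, buf, depth = [], [], 0
    for ch in cs:
        if ch == "{":
            depth += 1
        elif ch == "}" and depth > 0:
            depth -= 1
        if ch == ";" and depth == 0:
            pairs.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    pairs.append("".join(buf))
    return [p for p in pairs if p.strip()]


def normalize_key(key: str) -> str:
    return key.strip().lower().replace(" ", "")


def parse_connection_string(cs: str) -> dict[str, str]:
    """Return {normalized keyword: value}; a later duplicate keyword wins."""
    conn = {}
    for pair in split_pairs(cs):
        if "=" not in pair:
            continue
        key, value = pair.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == "{" and value[-1] == "}":
            value = value[1:-1]
        conn[normalize_key(key)] = value
    return conn


@dataclass(frozen=True)
class EncryptionPolicy:
    mode: str                    # "none", "server-forced" or "client-initiated"
    encrypted: bool
    certificate_validated: bool


def effective_policy(conn: dict[str, str], force_encryption: bool) -> EncryptionPolicy:
    """Combine the client keywords with the server's Force Protocol Encryption.

    Assumption: a missing Encrypt keyword means "no" (older driver default).
    """
    encrypt = conn.get("encrypt", "no").lower() in TRUE_VALUES
    trust = conn.get("trustservercertificate", "no").lower() in TRUE_VALUES
    if encrypt:
        # Client-initiated: chain and server name are checked unless the
        # client explicitly trusts whatever certificate it is handed.
        return EncryptionPolicy("client-initiated", True, not trust)
    if force_encryption:
        # Server-forced: traffic is encrypted, but the certificate is only
        # used for the key exchange and never validated.
        return EncryptionPolicy("server-forced", True, False)
    return EncryptionPolicy("none", False, False)


def harden(cs: str) -> str:
    """Rewrite a connection string so the client initiates encryption and
    validates the certificate, whatever the server-side setting is."""
    kept = [p for p in split_pairs(cs)
            if normalize_key(p.split("=", 1)[0]) not in ENCRYPT_KEYS]
    return ";".join(kept + ["Encrypt=yes", "TrustServerCertificate=no"])


def find_unvalidated(connection_strings: list[str], force_encryption: bool) -> list[str]:
    """Audit helper: strings whose traffic is encrypted without any certificate
    validation, so a man-in-the-middle presenting any certificate goes unnoticed."""
    weak = []
    for cs in connection_strings:
        policy = effective_policy(parse_connection_string(cs), force_encryption)
        if policy.encrypted and not policy.certificate_validated:
            weak.append(cs)
    return weak


if __name__ == "__main__":
    # Constructed sample strings; no real hosts or credentials.
    samples = [
        "Server=db01;Database=app;Integrated Security=SSPI",
        "Server=db01;Database=app;Uid=app;Pwd={p;w};Encrypt=yes;Trust Server Certificate=yes",
        "Server=db01;Database=app;Encrypt=yes",
    ]
    for cs in samples:
        print(effective_policy(parse_connection_string(cs), force_encryption=True), "<-", cs)
    for cs in find_unvalidated(samples, force_encryption=True):
        print("harden:", harden(cs))
```

With Force Protocol Encryption on, the first sample is classified as "server-forced" (encrypted, not validated); the second is client-initiated but opts out of validation through TrustServerCertificate=yes, so the audit flags both and harden() rewrites them to Encrypt=yes;TrustServerCertificate=no, the stricter mode the post recommends.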