Take the following steps to configure TLS/SSL encryption.

Important: The driver complies with FIPS when FIPS mode is enabled with the client JVM. See "FIPS (Federal Information Processing Standard)" for more information.
  • Choose the type of encryption for your application:
    • If you want the driver to encrypt all data, including the login request, set the EncryptionMethod property to one of the following:
      • SSL: Data is encrypted using TLS/SSL. If the database server does not support TLS/SSL, the connection fails and the driver throws an exception.
      • requestSSL: Data is encrypted using TLS/SSL. If the database server does not support TLS/SSL, the driver establishes an unencrypted connection.
      • Strict: The driver uses the TDS (Tabular Data Stream) 8.0 protocol to support TLSv1.3 encryption for SQL Server connections. You must specify this value when your server is configured with Force Strict Encryption=yes.
        Important: When using strict connection encryption:
        • The driver validates the certificates sent by the server (ValidateServerCertificate=true) for the connection, regardless of the setting of the ValidateServerCertificate property.
        • You must specify a truststore containing the server certificate against which the server will be validated at connection.
    • If you want the driver to encrypt only the login request, set the EncryptionMethod property to loginSSL.
  • Use the CryptoProtocolVersion property to specify acceptable cryptographic protocol versions (for example, TLSv1.2) supported by your server.
    Note: TLSv1.3 is currently supported only when strict connection encryption is enabled (EncryptionMethod=Strict).
  • Specify the location and password of the truststore file used for TLS/SSL server authentication. Either set the TrustStore and TrustStorePassword properties or their corresponding Java system properties (javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword, respectively).
  • To validate certificates sent by the database server, set the ValidateServerCertificate property to true.
  • Optionally, set the HostNameInCertificate property to a host name to be used to validate the certificate. The HostNameInCertificate property provides additional security against man-in-the-middle (MITM) attacks by ensuring that the server the driver is connecting to is the server that was requested.
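
The settings chosen in the steps above can be checked before a connection is opened. The following is an added example, not code from the driver or its documentation: it audits a java.util.Properties object using the property names from this page. The class name, the sample values, and the choice to report an unset ValidateServerCertificate are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

// Added example: audits connection properties named on this page.
public class TlsConfigCheck {
    static List<String> audit(Properties p) {
        List<String> out = new ArrayList<>();
        String method = p.getProperty("EncryptionMethod", "");
        boolean strict = method.equalsIgnoreCase("Strict");
        if (method.equalsIgnoreCase("requestSSL"))
            out.add("requestSSL: connection is unencrypted if the server lacks TLS/SSL");
        else if (method.equalsIgnoreCase("loginSSL"))
            out.add("loginSSL: only the login request is encrypted");
        else if (!strict && !method.equalsIgnoreCase("SSL"))
            out.add("EncryptionMethod is not SSL or Strict");
        // Strict validates the server certificate regardless of this property.
        // Assumption: an unset property is reported, since defaults are not stated here.
        if (!strict && !Boolean.parseBoolean(p.getProperty("ValidateServerCertificate")))
            out.add("ValidateServerCertificate is not set to true");
        if (p.getProperty("TrustStore") == null
                && System.getProperty("javax.net.ssl.trustStore") == null)
            out.add("no truststore specified (TrustStore or javax.net.ssl.trustStore)");
        if (p.getProperty("HostNameInCertificate") == null)
            out.add("HostNameInCertificate not set: no host name to validate the certificate against");
        if (!strict && p.getProperty("CryptoProtocolVersion", "").contains("TLSv1.3"))
            out.add("TLSv1.3 requires EncryptionMethod=Strict");
        return out;
    }

    public static void main(String[] args) {
        Properties weak = new Properties();           // constructed sample
        weak.setProperty("EncryptionMethod", "requestSSL");
        weak.setProperty("CryptoProtocolVersion", "TLSv1.3");

        Properties hardened = new Properties();       // constructed sample
        hardened.setProperty("EncryptionMethod", "SSL");
        hardened.setProperty("CryptoProtocolVersion", "TLSv1.2");
        hardened.setProperty("ValidateServerCertificate", "true");
        hardened.setProperty("TrustStore", "/path/to/truststore.jks");   // placeholder
        hardened.setProperty("TrustStorePassword", "changeit-placeholder");
        hardened.setProperty("HostNameInCertificate", "db.example.com"); // placeholder

        System.out.println("weak:     " + audit(weak));
        System.out.println("hardened: " + audit(hardened));
    }
}
```

An audited Properties object can be passed unchanged to DriverManager.getConnection(url, properties).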