
Commit e0ca557

Authored by PiJoCoder, rwestMSFT, VanMSFT, MashaMSFT, David-Engel
Update and clarify TLS 1.3 and TDS 8.0 usage [PLEASE SQUASH BEFORE MERGE] (#35077)

* Update and clarify TLS 1.3 and TDS 8.0 usage
* Apply suggestions from code review
* Apply suggestions from review
  Co-authored-by: Van To <40007119+VanMSFT@users.noreply.github.com>
  Co-authored-by: Masha Thomas (MSFT) <32783170+MashaMSFT@users.noreply.github.com>
* table update
* table update
* Apply suggestions from review
  Co-authored-by: David Engel <dengel1012@gmail.com>
* creating breaks in table
* Fix formatting in TDS 8.0 encryption options table
* reverting line breaks in table
* Added breaks back in
* adding another break for separation

--------

Co-authored-by: Randolph West MSFT <97149825+rwestMSFT@users.noreply.github.com>
Co-authored-by: Van To <40007119+VanMSFT@users.noreply.github.com>
Co-authored-by: Masha Thomas (MSFT) <32783170+MashaMSFT@users.noreply.github.com>
Co-authored-by: David Engel <dengel1012@gmail.com>
1 parent 9cdf4b7 commit e0ca557

1 file changed

Lines changed: 36 additions & 10 deletions

File tree

  • docs/relational-databases/security/networking

docs/relational-databases/security/networking/tds-8.md

@@ -3,8 +3,8 @@ title: TDS 8.0
33
description: This article discusses TDS 8.0, the application layer protocol used by clients to connect to SQL Server.
44
author: VanMSFT
55
ms.author: vanto
6-
ms.reviewer: randolphwest
7-
ms.date: 08/18/2025
6+
ms.reviewer: randolphwest, jaferebe, jopilov
7+
ms.date: 09/04/2025
88
ms.service: sql
99
ms.subservice: security
1010
ms.topic: conceptual
@@ -23,13 +23,13 @@ The [Tabular Data Stream (TDS)](/openspecs/windows_protocols/ms-tds/b46a581a-39d
2323

2424
TDS is a secure protocol, but in previous versions of SQL Server, encryption could be turned off or not enabled. To meet the standards of mandatory encryption while using SQL Server, an iteration of the TDS protocol was introduced: TDS 8.0.
2525

26-
The TLS handshake now precedes any TDS messages, wrapping the TDS session in TLS to enforce encryption, making TDS 8.0 aligned with HTTPS and other web protocols. This significantly contributes to TDS traffic manageability, as standard network appliances are now able to filter and securely passthrough SQL queries.
26+
The TLS handshake now precedes any TDS messages, wrapping the TDS session in TLS to enforce encryption, aligning TDS 8.0 with HTTPS and other web protocols. This enhancement significantly contributes to TDS traffic manageability, as standard network appliances are now able to filter and securely passthrough SQL queries.
2727

28-
Another benefit to TDS 8.0 compared to previous TDS versions is compatibility with TLS 1.3, and TLS standards to come. TDS 8.0 is also fully compatible with TLS 1.2 and previous TLS versions.
28+
A benefit to TDS 8.0 compared to previous TDS versions is its compatibility with TLS 1.3, and TLS standards to come. TDS 8.0 is also fully compatible with TLS 1.2 and previous TLS versions.
2929

3030
## How TDS works
3131

32-
The Tabular Data Stream (TDS) protocol is an application-level protocol used for the transfer of requests and responses between clients and database server systems. In such systems, the client typically establishes a long-lived connection with the server. Once the connection is established using a transport-level protocol, TDS messages are used to communicate between the client and the server.
32+
The Tabular Data Stream (TDS) protocol is an application-level protocol used for the transfer of requests and responses between clients and database server systems. The client system typically establishes a long-lived connection with the server. Once the connection is established using a transport-level protocol, TDS messages are exchanged to communicate between the client and SQL Server.
3333

3434
During the TDS session lifespan, there are three phases:
3535

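Review bot: "securely passthrough SQL queries" on the rewritten line 26 uses the noun as a verb and still overstates what a middlebox can do with this traffic. Write "securely pass through", and qualify the filtering claim: because the TLS handshake now precedes any TDS bytes (as the same sentence says), an appliance that does not terminate TLS sees only an opaque TLS stream and can apply transport-level policy (port, handshake metadata, the presented certificate), not per-query filtering. Suggested wording: "standard network appliances can recognize the session as TLS and apply the same policies they already apply to HTTPS traffic." On line 28, "compatibility with TLS 1.3, and TLS standards to come" should drop the comma before "and".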
@@ -45,6 +45,32 @@ With the introduction of TDS 8.0, the SQL Server connections are as follows:
4545

4646
TCP handshake :arrow_right: TLS handshake :arrow_right: TDS prelogin (encrypted) and response (encrypted) :arrow_right: authentication (encrypted) :arrow_right: data exchange (encrypted)
4747

48+
## Compatibility matrix for TDS, TLS, OS and encryption options
49+
50+
You can enable both TLS 1.2 and TLS 1.3 versions at the OS level, which allows client connections to SQL Server to use multiple TDS protocol versions (TDS 7.x and 8.0). Depending on the OS version, TLS 1.2 and TLS 1.3 might be enabled by default.
51+
52+
Only TDS 7.x supports non-encrypted (optional) communication, TDS 8.0 doesn’t support this. TDS 7.x supports encryption using TLS up to version 1.2. TDS 8.0 requires encryption – everything is always encrypted with TDS 8.0 (Encrypt=Strict). TDS 8.0 has no minimum TLS version requirement and supports TLS 1.3.
53+
TLS 1.3 support is dependent on the operating system version. The following table summarizes various scenarios with the encryption options and the corresponding TLS and TDS versions.
54+
55+
56+
| Encrypt<br />option | TLS version enabled | OS version | Expected<br />connection<br />outcome | Notes |
57+
| --- | --- | --- | --- | --- |
58+
| Strict | TLS 1.3 only (or later) | Windows 11<br /><br />Windows Server 2022 and later | Success | TLS 1.3 negotiated; TDS 8.0 triggered (Encrypt=Strict) |
59+
| Strict | TLS 1.2 and TLS 1.3 | Windows 11<br /><br />Windows Server 2022 and later | Success | TLS 1.3 negotiated; TDS 8.0 triggered (Encrypt=Strict) |
60+
| Strict | TLS 1.2 only (or earlier) | Windows 11<br /><br />Windows Server 2022 and later | Success | TLS 1.2 negotiated; TDS 8.0 triggered (Encrypt=Strict) |
61+
| Strict | TLS 1.2 only (or earlier) | Windows 10<br /><br />Windows Server 2019 / 2016 | Success | TLS 1.2 negotiated; TDS 8.0 triggered (TLS 1.3 not available) |
62+
| Mandatory | TLS 1.3 only (or later) | Windows 11<br /><br />Windows Server 2022 and later | Failure | Encrypt=Mandatory is incompatible with TLS 1.3 for TDS 8.0 |
63+
| Mandatory | TLS 1.2 and TLS 1.3 | Windows 11<br /><br />Windows Server 2022 and later | Success | TLS 1.2 negotiated; TDS 8.0 not triggered (Encrypt=Mandatory) |
64+
| Mandatory | TLS 1.2 only (or earlier) | Windows 11<br /><br />Windows Server 2022 and later | Success | TLS 1.2 negotiated; TDS 8.0 not triggered (Encrypt=Mandatory) |
65+
| Mandatory | TLS 1.2 only (or earlier) | Windows 10<br /><br />Windows Server 2019 / 2016 | Success | TLS 1.2 negotiated; TDS 8.0 not supported on this OS (uses TDS 7.x) |
66+
| Optional | TLS 1.3 only (or later) | Windows 11<br /><br />Windows Server 2022 and later | Failure | Encrypt=Optional (false) is TDS 7.x, which is incompatible with TLS 1.3. |
67+
| Optional | TLS 1.2 and TLS 1.3 | Windows 11<br /><br />Windows Server 2022 and later | Success | TLS 1.3 negotiated; TDS 8.0 not triggered (Encrypt=Optional) |
68+
| Optional | TLS 1.2 only (or earlier) | Windows 11<br /><br />Windows Server 2022 and later | Success | TLS 1.2 negotiated; TDS 8.0 not triggered (Encrypt=Optional) |
69+
| Optional | TLS 1.2 only (or earlier) | Windows 10<br /><br />Windows Server 2019 / 2016 | Success | TLS 1.2 negotiated; encryption optional; connection can <br />succeed without encryption |
70+
| Any | TLS 1.3 only (or later) | Windows 10<br /><br />Windows Server 2019 / 2016 | Failure | TLS 1.3 not supported on this OS |
71+
72+
For more information on how clients use different TDS versions, see the keywords usage in [Changes to connection string encryption properties](#additional-changes-to-connection-string-encryption-properties) section.
73+
4874
## SQL Server 2025 support
4975

5076
[!INCLUDE [sssql25-md](../../../includes/sssql25-md.md)] introduces TDS 8.0 support for the following command-line tools and SQL Server features:
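Review bot: three rows of the new compatibility table contradict the rules stated just above it, and a reader who follows the table will end up with the wrong expectation about which TLS version is negotiated. First, the row "Optional | TLS 1.2 and TLS 1.3 | Windows 11 ... | Success | TLS 1.3 negotiated; TDS 8.0 not triggered" cannot be right: line 52 says TDS 7.x supports TLS only up to 1.2, and the row directly above it says Optional "is TDS 7.x, which is incompatible with TLS 1.3", so with both versions enabled a TDS 7.x connection negotiates TLS 1.2, exactly as the matching Mandatory row states. Change the note to "TLS 1.2 negotiated; TDS 8.0 not triggered (Encrypt=Optional)". Second, the row "Mandatory | TLS 1.2 only (or earlier) | Windows 10 ... | TDS 8.0 not supported on this OS (uses TDS 7.x)" contradicts the Strict/Windows 10 row four lines earlier, where TDS 8.0 is triggered over TLS 1.2; the reason TDS 8.0 is not used here is Encrypt=Mandatory, not the OS. Use "TLS 1.2 negotiated; TDS 8.0 not triggered (Encrypt=Mandatory)". Third, "Encrypt=Mandatory is incompatible with TLS 1.3 for TDS 8.0" is misleading because Mandatory never selects TDS 8.0; say what the Optional row says, that Mandatory uses TDS 7.x, which does not support TLS 1.3. Smaller points: line 52 is a comma splice ("...communication, TDS 8.0 doesn't support this"), and line 72 should read "see the keyword usage in the [Changes to connection string encryption properties](...) section".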
@@ -67,7 +93,7 @@ TCP handshake :arrow_right: TLS handshake :arrow_right: TDS prelogin (encrypted)
6793

6894
## Strict connection encryption
6995

70-
To use TDS 8.0, [!INCLUDE [sssql22-md](../../../includes/sssql22-md.md)] added `strict` as an additional connection encryption type to SQL Server drivers (`Encrypt=strict`). To use the `strict` connection encryption type, download the latest version of the .NET, ODBC, OLE DB, JDBC, PHP, and Python drivers.
96+
To use TDS 8.0, [!INCLUDE [sssql22-md](../../../includes/sssql22-md.md)] added `strict` as an additional connection encryption option to SQL Server drivers (`Encrypt=strict`). To use the `strict` connection encryption type, download the latest version of the .NET, ODBC, OLE DB, JDBC, PHP, and Python drivers:
7197

7298
- [Microsoft ADO.NET for SQL Server and Azure SQL Database](../../../connect/ado-net/microsoft-ado-net-sql-server.md) version 5.1 or higher
7399
- [ODBC Driver for SQL Server](../../../connect/odbc/download-odbc-driver-for-sql-server.md) version 18.1.2.1 or higher
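Review bot: line 96 changes "connection encryption type" to "connection encryption option" in the first sentence but leaves "the `strict` connection encryption type" in the very next one; use one term in both places.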
@@ -76,7 +102,7 @@ To use TDS 8.0, [!INCLUDE [sssql22-md](../../../includes/sssql22-md.md)] added `
76102
- [Microsoft Drivers for PHP for SQL Server](../../../connect/php/microsoft-php-driver-for-sql-server.md) version 5.10 or higher
77103
- [Python SQL Driver - pyodbc](../../../connect/python/pyodbc/python-sql-driver-pyodbc.md)
78104

79-
In order to prevent a man-in-the-middle attack with `strict` connection encryption, users aren't able to set the `TrustServerCertificate` option to `true` and trust any certificate the server provided. Instead, users would use the `HostNameInCertificate` option to specify the certificate `ServerName` that should be trusted. The certificate supplied by the server would need to pass the certificate validation.
105+
In order to prevent a man-in-the-middle attack with `strict` connection encryption, users can't set the `TrustServerCertificate` option to `true` and allow any certificate the server provided. Instead, users would use the `HostNameInCertificate` option to specify the certificate `ServerName` that should be trusted. The certificate supplied by the server would need to pass the certificate validation. For more information on certificate validation, see [Certificate requirements for SQL Server](../../../database-engine/configure-windows/certificate-requirements.md)
80106

81107
### Features that don't support forcing strict encryption
82108

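Review bot: the sentence added to line 105 ends without a period after the link to certificate-requirements.md. While here, "specify the certificate `ServerName` that should be trusted" is not what the option does: `HostNameInCertificate` supplies the host name the driver expects to find in the server certificate's CN or SAN (the keyword table later in this file describes it that way); suggest "use the `HostNameInCertificate` option to specify the host name that must appear in the server certificate". "users would use" can simply be "users use".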
@@ -88,12 +114,12 @@ The following features or tools still use previous version of drivers that don't
88114

89115
## Additional changes to connection string encryption properties
90116

91-
The following additions are added to connection strings for encryption:
117+
The following options are added to connection strings to encrypt communication:
92118

93119
| Keyword | Default | Description |
94120
| --- | --- | --- |
95-
| `Encrypt` | `false` | **Existing behavior**<br /><br />When `true`, SQL Server uses TLS encryption for all data sent between the client and server if the server has a certificate installed. Recognized values are `true`, `false`, `yes`, and `no`. For more information, see [Connection String Syntax](/dotnet/framework/data/adonet/connection-string-syntax).<br /><br />**Change of behavior**<br /><br />When set to `strict`, SQL Server uses TDS 8.0 for all data sent between the client and server.<br /><br />When set to `mandatory`, `true`, or `yes`, SQL Server uses TDS 7.x with TLS/SSL encryption for all data sent between the client and server if the server has a certificate installed.<br /><br />When set to `optional`, `false`, or `no`, the connection uses TDS 7.x and would be encrypted only if required by the SQL Server. |
96-
| `TrustServerCertificate` | `false` | **Existing behavior**<br /><br />Set to `true` to specify that the driver doesn't validate the server TLS/SSL certificate. If `true`, the server TLS/SSL certificate is automatically trusted when the communication layer is encrypted using TLS.<br /><br />If `false`, the driver validates the server TLS/SSL certificate. If the server certificate validation fails, the driver raises an error and closes the connection. The default value is `false`. Make sure the value passed to `serverName` exactly matches the `Common Name (CN)` or DNS name in the `Subject Alternative Name` in the server certificate for a TLS/SSL connection to succeed.<br /><br />**Change of behavior for Microsoft ODBC Driver 18 for SQL Server**<br /><br />If `Encrypt` is set to `strict`, this setting specifies the location of the certificate to be used for server certificate validation (exact match). The driver supports PEM, DER, and CER file extensions.<br /><br />If `Encrypt` is set to `true` or `false`, and the `TrustServerCertificate` property is unspecified or set to `null`, `true`, or `false`, the driver uses the `ServerName` property value on the connection URL as the host name to validate the SQL Server TLS/SSL certificate. |
121+
| `Encrypt` | *false* | **Previous connection string options**<br /><br />Valid options are <br />- `true`, or `yes` <br /> - `false`, or `no`. <br /> For more information, see [Connection String Syntax](/dotnet/framework/data/adonet/connection-string-syntax#enable-encryption). When `true`, SQL Server uses TLS 1.2 encryption for all data exchanged between the client and server if the server has a certificate installed.<br /><br />**Latest connection string options**<br /><br />Valid options are <br/>- `strict` <br />- `mandatory`, or `true`, or `yes` <br />- `optional`, or `false`, or `no`. <br /><br />When set to `strict`, SQL Server uses TDS 8.0 for all data exchanged between the client and server.<br /><br />When set to `mandatory`, `true`, or `yes`, SQL Server uses TDS 7.x with TLS/SSL encryption for all data sent between the client and server if the server has a certificate installed.<br /><br />When set to `optional`, `false`, or `no`, the connection uses TDS 7.x and would be encrypted only if required by the SQL Server. |
122+
| `TrustServerCertificate` | *false* | **Previous connection string option**<br /><br />When set to `true` (not recommended), the driver doesn't validate the server TLS/SSL certificate. If `true`, the server TLS/SSL certificate is automatically trusted (bypassing validation) when the communication layer is encrypted using TLS.<br /><br />If `false`, the driver validates the server TLS/SSL certificate. If the server certificate validation fails, the driver raises an error and closes the connection. The default value is `false`. Make sure the value passed to `serverName` exactly matches the `Common Name (CN)` or DNS name in the `Subject Alternate Name` in the server certificate for a TLS/SSL connection to succeed.<br /><br />**Change of behavior for Microsoft SQL Server ODBC Driver 18 and later**<br /><br />If `Encrypt` is set to `strict`, this setting specifies the location of the certificate to be used for server certificate validation (exact match). The driver supports PEM, DER, and CER file extensions.<br /><br />If `Encrypt` is set to `true` or `false`, and the `TrustServerCertificate` property is unspecified or set to `null`, `true`, or `false`, the driver uses the `ServerName` property value on the connection URL as the host name to validate the SQL Server TLS/SSL certificate. |
97123
| `HostNameInCertificate` | `null` | The host name to be used in validating the SQL Server TLS/SSL certificate. If the `HostNameInCertificate` property is unspecified or set to `null`, the driver uses the `ServerName` property value as the host name to validate the SQL Server TLS/SSL certificate. |
98124

99125
## Related content
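Review bot: "Subject Alternate Name" on line 122 should be reverted to "Subject Alternative Name"; that is the name of the X.509 extension (RFC 5280) and the removed line had it right. On line 121, narrowing "TLS encryption" to "TLS 1.2 encryption" for the previous behavior is too specific: TDS 7.x negotiates whatever TLS version the OS enables up to 1.2 (the compatibility section above says "up to version 1.2"), so write "TLS encryption (up to TLS 1.2)". Two consistency points in the same table: the Default column now shows *false* in italics for `Encrypt` and `TrustServerCertificate` but `null` in code for `HostNameInCertificate`; and `serverName` and `ServerName` are both used in the `TrustServerCertificate` row for the same property. Finally, documenting the `Encrypt` default as false without qualification is at odds with the driver versions this article requires (ODBC Driver 18 and later, Microsoft.Data.SqlClient 4 and later default `Encrypt` to true); state which driver generation the default applies to or link to each driver's connection-string reference.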
