Unable to Disable TLS / Use TLS 1.0 with SQL Exporter for MSSQL 2008 R2 SP1

[nmhieu054]

We're using SQL Exporter to collect metrics from an on-premises Microsoft SQL Server 2008 R2 SP1 instance.
Due to legacy system constraints, we're currently unable to upgrade SQL Server or enable modern TLS versions (e.g., TLS 1.2).

Our setup:
Prometheus + SQL Exporter deployed via Helm in an AKS cluster
MSSQL 2008 R2 SP1 (Force Encryption disabled)
We attempted to disable encryption using the following target configuration:

static_configs:
  - targets: 
      MSSQL2008R2: 'mssql://user:password@mssqlserver:1433/dbname&encrypt=disable'

However, SQL Exporter still fails to connect.

level=ERROR source=promhttp.go:52 msg="Error gathering metrics" error="[from Gatherer #1] [job=multiple-DB,target=mssqlserver] TLS Handshake failed: cannot read handshake packet: EOF"
...
[from Gatherer #1] [job=multiple-DB,target=mssqlserver] TLS Handshake failed: cannot read handshake packet: EOF
...
[from Gatherer #1] [job=multiple-DB,target=mssqlserver] TLS Handshake failed: tls: server selected unsupported protocol version 301

It appears the encrypt=disable parameter is not working as expected, or the underlying driver still tries to enforce TLS.

We would like SQL Exporter to support connections to SQL Server using:

• No TLS (encrypt=disable or equivalent)
• Optionally allow TLS 1.0, since that is the only version supported on this legacy server
  Ideally, this should be configurable via the DSN and compatible with Helm-based deployments.

Tried both encrypt=false and encrypt=disable
Verified that "Force Encryption" is disabled on the SQL Server
Explored Helm chart overrides and documentation for connection string options
Upgrading to a newer SQL Server version or enabling TLS 1.2 is not feasible at this time
Tried with Exporter toolkit, but not sure how to apply it along with SQL Exporter Helm chart.

We suspect this may be related to the behavior of the underlying driver used by SQL Exporter when connecting to MSSQL.
If there's a workaround (driver flag, custom image, etc.) or a way to explicitly allow non-TLS/TLS 1.0 connections, that would help immensely.
Thanks for your time and for maintaining this project — it's super helpful for Prometheus-based monitoring setups!

[burningalchemist]

Hey @nmhieu054,

Thanks for reaching me out. 👍 Let's try to debug it together, as it would be a bit problematic for me to find the access to MSSQL2008 to reproduce the issue.

The driver used for connections is https://github.com/microsoft/go-mssqldb. In the sql_exporter code we don't do any custom connection handling, so it all comes from the underlying driver. That should reduce our scope.

The first thing attracted my attention in your config is missing ? after the dbname which delimits the connection parameters from the rest of DSN (you use & instead which allows us to add more, but ? is required).

According to the driver docs, we indeed should use encrypt=disable parameter to disable encryption.

Another idea I usually suggest for debugging is if you could try to connect to the database using usql cli (https://github.com/xo/usql), since they share the same components but it's easier to debug with.

UPD: Also, try to add tlsmin param, 1.0 is a supported value as per the driver docs. 👍

[burningalchemist]

@nmhieu054, I'll turn the issue into a discussion, since it's not something related to the sql_exporter directly, but I'm happy to support you further.