Add TDS 8.0 support for SQL Server Strict Encryption (#1643)

* Add TDS 8.0 support for SQL Server Strict Encryption

Closes #1476

This adds support for SQL Server TDS 8.0 protocol which enables strict encryption mode.

The implementation includes:

- New 'encrypt' option supporting OFF, ON, and STRICT modes
- TDS 8.0 protocol support with mandatory encryption and certificate validation
- Backward compatibility with existing encryption behavior
- Comprehensive test coverage for all encryption modes

Some portions of this content were created with the assistance of Claude Code.

Signed-off-by: Thomas Segismont <tsegismont@gmail.com>

* Update docker-compose.yml to enable 2025-latest version usage

Workaround for microsoft/mssql-docker#951

Signed-off-by: Thomas Segismont <tsegismont@gmail.com>

---------

Signed-off-by: Thomas Segismont <tsegismont@gmail.com>

Author: tsegismont

.github/workflows/ci-matrix-5.x.yml

@@ -47,6 +47,10 @@ jobs:
             jdk: 11
             profile: 'MSSQL-2019-latest'
             module: 'vertx-mssql-client'
+          - os: ubuntu-latest
+            jdk: 11
+            profile: 'MSSQL-2025-latest'
+            module: 'vertx-mssql-client'
           - os: ubuntu-latest
             jdk: 11
             profile: 'DB2-11.5'
@@ -70,6 +74,10 @@ jobs:
             jdk: 25
             profile: 'MSSQL-2019-latest'
             module: 'vertx-mssql-client'
+          - os: ubuntu-latest
+            jdk: 25
+            profile: 'MSSQL-2025-latest'
+            module: 'vertx-mssql-client'
           - os: ubuntu-latest
             jdk: 25
             profile: 'Oracle-23'

vertx-mssql-client/README.adoc

@@ -26,6 +26,7 @@ You can test with different SQL Server versions by using Maven profiles:
 ----
 mvn test -P MSSQL-2017-latest
 mvn test -P MSSQL-2019-latest
+mvn test -P MSSQL-2025-latest
 ----
 
 Or by passing the version property directly:
@@ -38,7 +39,8 @@ mvn test -Dmssql-container.version=2017-latest
 The following versions are supported:
 
 * `2017-latest`
-* `2019-latest` (default)
+* `2019-latest`
+* `2025-latest` (default)
 
 ==== Testing with an external database
 
@@ -57,9 +59,11 @@ Then run tests against it:
 mvn test \
   -Dconnection.uri=sqlserver://SA:A_Str0ng_Required_Password@localhost:1433 \
   -Dtls.connection.uri=sqlserver://SA:A_Str0ng_Required_Password@localhost:1435 \
-  -Dforce.encryption.connection.uri=sqlserver://SA:A_Str0ng_Required_Password@localhost:1437
+  -Dforce.encryption.connection.uri=sqlserver://SA:A_Str0ng_Required_Password@localhost:1437 \
+  -Dstrict.encryption.connection.uri=sqlserver://SA:A_Str0ng_Required_Password@localhost:1439?encrypt=strict
 ----
 
+* `connection.uri`: connection uri of the database to use for all other tests
 * `tls.connection.uri`: connection uri of the database to use for `MSSQLEncryptionTest`
 * `force.encryption.connection.uri`: connection uri of the database to use for `MSSQLForcedEncryptionTest`
-* `connection.uri`: connection uri of the database to use for all other tests
+* `strict.encryption.connection.uri`: connection uri of the database to use for `MSSQLStrictEncryptionTest`

vertx-mssql-client/docker/docker-compose.yml

@@ -2,15 +2,21 @@ version: "3.9"
 
 services:
   test-mssql:
-    image: mcr.microsoft.com/mssql/server:${MSSQL_VERSION:-2019-latest}
+    # Set cpus and cpuset untilhttps://github.com/microsoft/mssql-docker/issues/951 is resolved
+    cpus: 1
+    cpuset: "0"
+    image: mcr.microsoft.com/mssql/server:${MSSQL_VERSION:-2025-latest}
     ports:
       - "1433:1433"
     environment:
       ACCEPT_EULA: Y
       TZ: UTC
       SA_PASSWORD: A_Str0ng_Required_Password
   test-mssql-initdb:
-    image: mcr.microsoft.com/mssql/server:${MSSQL_VERSION:-2019-latest}
+    # Set cpus and cpuset untilhttps://github.com/microsoft/mssql-docker/issues/951 is resolved
+    cpus: 1
+    cpuset: "0"
+    image: mcr.microsoft.com/mssql/server:${MSSQL_VERSION:-2025-latest}
     depends_on:
       - "test-mssql"
     command: [ "sh", "/opt/mssql-tools18/bin/initdb.sh","test-mssql,1433","A_Str0ng_Required_Password","/opt/data/init.sql" ]
@@ -24,7 +30,10 @@ services:
         target: /opt/data/init.sql
         read_only: true
   test-mssql-tls:
-    image: mcr.microsoft.com/mssql/server:${MSSQL_VERSION:-2019-latest}
+    # Set cpus and cpuset untilhttps://github.com/microsoft/mssql-docker/issues/951 is resolved
+    cpus: 1
+    cpuset: "0"
+    image: mcr.microsoft.com/mssql/server:${MSSQL_VERSION:-2025-latest}
     ports:
       - "1435:1433"
     environment:
@@ -45,7 +54,10 @@ services:
         target: /etc/ssl/certs/mssql.pem
         read_only: true
   test-mssql-force-encryption:
-    image: mcr.microsoft.com/mssql/server:${MSSQL_VERSION:-2019-latest}
+    # Set cpus and cpuset untilhttps://github.com/microsoft/mssql-docker/issues/951 is resolved
+    cpus: 1
+    cpuset: "0"
+    image: mcr.microsoft.com/mssql/server:${MSSQL_VERSION:-2025-latest}
     ports:
       - "1437:1433"
     environment:
@@ -65,3 +77,27 @@ services:
         source: ../src/test/resources/mssql.pem
         target: /etc/ssl/certs/mssql.pem
         read_only: true
+  test-mssql-strict-encryption:
+    # Set cpus and cpuset untilhttps://github.com/microsoft/mssql-docker/issues/951 is resolved
+    cpus: 1
+    cpuset: "0"
+    image: mcr.microsoft.com/mssql/server:${MSSQL_VERSION:-2025-latest}
+    ports:
+      - "1439:1433"
+    environment:
+      ACCEPT_EULA: Y
+      TZ: UTC
+      SA_PASSWORD: A_Str0ng_Required_Password
+    volumes:
+      - type: bind
+        source: ../src/test/resources/mssql-strict-encryption.conf
+        target: /var/opt/mssql/mssql.conf
+        read_only: true
+      - type: bind
+        source: ../src/test/resources/mssql.key
+        target: /etc/ssl/certs/mssql.key
+        read_only: true
+      - type: bind
+        source: ../src/test/resources/mssql.pem
+        target: /etc/ssl/certs/mssql.pem
+        read_only: true

vertx-mssql-client/pom.xml

@@ -1,4 +1,15 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2011-2026 Contributors to the Eclipse Foundation
+  ~
+  ~ This program and the accompanying materials are made available under the
+  ~ terms of the Eclipse Public License 2.0 which is available at
+  ~ http://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
+  ~ which is available at https://www.apache.org/licenses/LICENSE-2.0.
+  ~
+  ~ SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
+  -->
+
 <project xmlns="http://maven.apache.org/POM/4.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
@@ -20,6 +31,7 @@
     <!-- Set to a value for testing with a specific database -->
     <mssql-container.version/>
     <force.encryption.connection.uri/>
+    <strict.encryption.connection.uri/>
     <vertx.asciidoc.sources.dir>${project.basedir}/src/main/asciidoc/*.adoc,${project.basedir}/../vertx-sql-client/src/main/asciidoc/*.adoc</vertx.asciidoc.sources.dir>
   </properties>
 
@@ -67,6 +79,7 @@
             <connection.uri>${connection.uri}</connection.uri>
             <tls.connection.uri>${tls.connection.uri}</tls.connection.uri>
             <force.encryption.connection.uri>${force.encryption.connection.uri}</force.encryption.connection.uri>
+            <strict.encryption.connection.uri>${strict.encryption.connection.uri}</strict.encryption.connection.uri>
           </systemPropertyVariables>
         </configuration>
       </plugin>
@@ -86,6 +99,12 @@
         <mssql-container.version>2019-latest</mssql-container.version>
       </properties>
     </profile>
+    <profile>
+      <id>MSSQL-2025-latest</id>
+      <properties>
+        <mssql-container.version>2025-latest</mssql-container.version>
+      </properties>
+    </profile>
   </profiles>
 
 </project>

vertx-mssql-client/src/main/asciidoc/index.adoc

@@ -127,6 +127,7 @@ Currently, the client supports the following parameter keys:
 * `user`
 * `password`
 * `database`
+* `encrypt` - encryption mode: `strict` (TDS 8.0), `true` (TDS 7.x with SSL), `false` (no encryption)
 
 Additional parameters will be added to the {@link io.vertx.sqlclient.SqlConnectOptions#getProperties properties}.
 
@@ -323,9 +324,56 @@ You can set a handler on a connection to catch them and do something useful with
 
 == Using SSL/TLS
 
-=== Encryption level negotiation
+The client supports both TDS 7.x encryption and TDS 8.0 strict encryption.
 
-When a connection is established, the client and the server negotiate the encryption level.
+=== Encryption Modes
+
+The client supports three {@link io.vertx.mssqlclient.EncryptionMode encryption modes}:
+
+* `OFF` - No encryption (the default)
+* `ON` - Optional encryption (equivalent to `ssl=true`)
+* `STRICT` - Strict TDS 8.0 encryption
+
+=== TDS 8.0 and Strict Encryption
+
+Starting with SQL Server 2022, Microsoft introduced TDS 8.0, a new version of the Tabular Data Stream that requires encryption for the entire connection from the start.
+
+To connect to a SQL Server 2022+ instance with strict encryption:
+
+[source,$lang]
+----
+{@link examples.MSSQLClientExamples#strictEncryption}
+----
+
+Using connection URI:
+
+----
+sqlserver://localhost:1433/testdb?user=sa&password=xxx&encrypt=strict
+----
+
+[IMPORTANT]
+====
+TDS 8.0 requires proper certificate validation.
+Therefore, the `trustAll` option is not allowed with `STRICT` encryption mode.
+====
+
+=== TDS 7.x Encryption (Legacy)
+
+==== Encryption level negotiation
+
+When using TDS 7.x (`OFF` or `ON` mode), the client and server negotiate the encryption level.
+
+[NOTE]
+====
+The {@link io.vertx.mssqlclient.MSSQLConnectOptions} class maintains synchronization between the `encryptionMode` and `ssl` properties:
+
+* Setting `encryptionMode` to `OFF` sets `ssl` to `false`
+* Setting `encryptionMode` to `ON` sets `ssl` to `true`
+* Setting `ssl` to `false` sets `encryptionMode` to `OFF`
+* Setting `ssl` to `true` sets `encryptionMode` to `ON`
+
+This ensures consistency between the legacy `ssl` property and the newer `encryptionMode` property.
+====
 
 The negotiated level depends on the client config in {@link io.vertx.mssqlclient.MSSQLConnectOptions} and the server config:
 
@@ -339,7 +387,7 @@ The negotiation fails if `ssl` is set to `true` in client options, and the serve
 In this case, the client terminates the connection.
 ====
 
-=== Configuration
+==== Configuration
 
 To configure `ssl` in client options, use the {@link io.vertx.mssqlclient.MSSQLConnectOptions#setSsl} method.
 By default, `ssl` is set to `false`.

vertx-mssql-client/src/main/generated/io/vertx/mssqlclient/MSSQLConnectOptionsConverter.java

@@ -22,6 +22,11 @@ static void fromJson(Iterable<java.util.Map.Entry<String, Object>> json, MSSQLCo
             obj.setSsl((Boolean)member.getValue());
           }
           break;
+        case "encryptionMode":
+          if (member.getValue() instanceof String) {
+            obj.setEncryptionMode(io.vertx.mssqlclient.EncryptionMode.valueOf((String)member.getValue()));
+          }
+          break;
       }
     }
   }
@@ -33,5 +38,8 @@ static void toJson(MSSQLConnectOptions obj, JsonObject json) {
    static void toJson(MSSQLConnectOptions obj, java.util.Map<String, Object> json) {
     json.put("packetSize", obj.getPacketSize());
     json.put("ssl", obj.isSsl());
+    if (obj.getEncryptionMode() != null) {
+      json.put("encryptionMode", obj.getEncryptionMode().name());
+    }
   }
 }

vertx-mssql-client/src/main/java/examples/MSSQLClientExamples.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011-2019 Contributors to the Eclipse Foundation
+ * Copyright (c) 2011-2026 Contributors to the Eclipse Foundation
  *
  * This program and the accompanying materials are made available under the
  * terms of the Eclipse Public License 2.0 which is available at
@@ -15,6 +15,7 @@
 import io.vertx.core.net.ClientSSLOptions;
 import io.vertx.core.net.PemTrustOptions;
 import io.vertx.docgen.Source;
+import io.vertx.mssqlclient.EncryptionMode;
 import io.vertx.mssqlclient.MSSQLBuilder;
 import io.vertx.mssqlclient.MSSQLConnectOptions;
 import io.vertx.mssqlclient.MSSQLConnection;
@@ -339,6 +340,14 @@ public void usingTrustOptions() {
       .setSslOptions(new ClientSSLOptions().setTrustOptions(new PemTrustOptions().addCertPath("/path/to/server-cert.pem")));
   }
 
+  public void strictEncryption() {
+    MSSQLConnectOptions connectOptions = new MSSQLConnectOptions()
+      .setEncryptionMode(EncryptionMode.STRICT)
+      .setSslOptions(new ClientSSLOptions()
+        // Strict encryption mode requires proper certificate validation
+        .setTrustOptions(new PemTrustOptions().addCertPath("/path/to/server-cert.pem")));
+  }
+
   public void infoHandler(MSSQLConnection connection) {
     connection.infoHandler(info -> {
       System.out.println("Received info " + info.getSeverity() + "" + info.getMessage());

vertx-mssql-client/src/main/java/io/vertx/mssqlclient/EncryptionMode.java

@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2011-2026 Contributors to the Eclipse Foundation
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
+ * which is available at https://www.apache.org/licenses/LICENSE-2.0.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
+ */
+
+package io.vertx.mssqlclient;
+
+import io.vertx.codegen.annotations.VertxGen;
+
+/**
+ * Encryption mode for SQL Server connections.
+ */
+@VertxGen
+public enum EncryptionMode {
+  /**
+   * No encryption (TDS 7.x).
+   */
+  OFF,
+  /**
+   * Optional encryption (TDS 7.x).
+   */
+  ON,
+  /**
+   * Mandatory TDS 8.0 encryption.
+   */
+  STRICT
+}