After reviewing SQL Server compatibility with New TLS Standards and much Googling, I think we've got the updates and settings needed to disable TLS 1.0 on SQL Server 2008 R2 with .NET 3.5.1.
But I've found nothing definitive about whether our domain root certificate must be signed with SHA256, only a blog post that says:
Also, you should be using a SSL certificate signed with SHA2/SHA256.
But is it nice-to-have or a showstopper? Don't some TLS 1.2 implementations tolerate SHA1 certificates?
