Secure Sockets Layer (SSL) is an industry standard for sending wire- or socket-level encrypted data over client-to-server and server-to-server connections. Before the SSL connection is established, the server and the client negotiate and agree upon a secure encrypted session. This is called the “SSL handshake.”
Additional overhead is required to establish a secure
session, because data increases in size when it is encrypted, and
it requires additional computation to encrypt or decrypt information.
Typically, the additional I/O accrued during the SSL handshake
can make user login 10 to 20 times slower.
When a client application requests a connection, the SSL-enabled server presents its certificate to prove its identity before data is transmitted. Essentially, the SSL handshake consists of the following steps:
The client sends a connection request to the server. The request includes the SSL (or Transport Layer Security, TLS) options that the client supports.
Transport Layer Security (TSL) is an enhanced version
of SSL 3.0, and an alias for the SSL version 3.0 CipherSuites.
The server returns its certificate and a list of supported CipherSuites (described in the next section), which includes SSL/TLS support options, the algorithms used for key exchange, and digital signatures.
A secure, encrypted session is established when both client and server have agreed upon a CipherSuite, described next.
During the SSL handshake, the client and server negotiate a common security protocol through a CipherSuite. CipherSuites are preferential lists of key-exchange algorithms, hashing methods, and encryption methods used by the SSL protocol.
By default, the strongest CipherSuite supported by both the client and the server is the CipherSuite used for the SSL-based session. Server connection parameters are specified in the connection string or through directory services such as LDAP.
The ASE OLE DB Provider and Adaptive Server support the CipherSuites that are available with the SSL Plus library API and the cryptographic engine called Security Builder, both from Certicom Corporation.
The following list of CipherSuites conform to the TLS
specification.
Following is the list of CipherSuites, ordered from strongest to weakest, supported in ASE OLE DB Provider:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_RC4_128_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
For more specific information about the SSL handshake and the SSL/TLS protocol, see the Internet Engineering Task Force Web sitehttp://www.ietf.org.
For a complete description of CipherSuites, go to the IETF organization Web sitehttp://www.ietf.org/rfc/rfc2246.txt.
