The default behavior for SSL validation in Open Client is to compare the common name in the server’s certificate with the server name specified by ct_connect(). In a Shared Disk Cluster (SDC) environment, a client may specify the SSL certificate common name independent of the server name or the SDC instance name. A client may connect to an SDC by its cluster name—which represents multiple server instances—or to a specific server instance.
With the SSL enhancement, Open Client can now support common name validation in an SDC environment. This enhancement allows the ASE SSL certificate common name to be different from the server or cluster name by allowing the client to use the transport address to specify the common name used in the certificate validation. The transport address can be specified in one of the directory services like the interfaces file, LDAP or NT registry, or through the connection property CS_SERVERADDR.
This is the new syntax of the server entries for the SSL-enabled ASE and cluster for UNIX:
CLUSTERSSL query tcp ether hostname1 5000 ssl="CN=name1" query tcp ether hostname2 5000 ssl="CN=name2" query tcp ether hostname3 5000 ssl="CN=name3" query tcp ether hostname4 5000 ssl="CN=name4" ASESSL1 master tcp ether hostname1 5000 ssl="CN=name1" query tcp ether hostname1 5000 ssl="CN=name1" ASESSL2 master tcp ether hostname2 5000 ssl="CN=name2" query tcp ether hostname2 5000 ssl="CN=name2" ASESSL3 master tcp ether hostname3 5000 ssl="CN=name3" query tcp ether hostname3 5000 ssl="CN=name3" ASESSL4 master tcp ether hostname1 5000 ssl="CN=name4" query tcp ether hostname1 5000 ssl="CN=name4"
