SSL Overview

Secure Sockets Layer (SSL) is an industry standard for sending wire- or socket-level encrypted data over client-to-server and server-to-server connections.

Before the SSL connection is established, the server and the client negotiate and agree upon a secure encrypted session. This is called the SSL handshake.

Note: Additional overhead is required to establish a secure session, because data increases in size when it is encrypted; it also requires additional computation to encrypt or decrypt information. Under normal circumstances, the additional I/O accrued during the SSL handshake can make user login 10 to 20 times slower.

SSL Handshake

When a client application requests a connection, the SSL-enabled server presents its certificate to prove its identity before data is transmitted.

The SSL handshake consists of these steps:

  1. The client sends a connection request to the server. The request includes the SSL (or Transport Layer Security, TLS) options that the client supports.

  2. The server returns its certificate and a list of supported cipher suites, which includes SSL/TLS support options, the algorithms used for key exchange, and digital signatures. Cipher suites are preferential lists of key-exchange algorithms, hashing methods, and encryption methods used by the SSL protocol.

  3. A secure, encrypted session is established when both client and server have agreed upon a cipher suite.

Cipher Suites

During the SSL handshake, the client and server negotiate a common security protocol through a cipher suite.

By default, the strongest cipher suite supported by both the client and the server is the cipher suite used for the SSL-based session. Server connection attributes are specified in the connection string or through directory services such as LDAP.

The Adaptive Server ODBC Driver and Adaptive Server support the cipher suites that are available with the SSL Plus library API and the cryptographic engine, Security Builder, both from Certicom Corp.

Note: The following list of cipher suites conform to the Transport Layer Security (TLS) specification, which is an enhanced version of SSL 3.0, and an alias for the SSL version 3.0 cipher suites.
These are the cipher suites, ordered from the strongest to the weakest, supported in Adaptive Server OBDC Driver:

  • TLS_RSA_WITH_3DES_EDE_CBC_SHA

  • TLS_RSA_WITH_RC4_128_SHA

  • TLS_RSA_WITH_RC4_128_MD5

  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

  • TLS_DHE_DSS_WITH_RC4_128_SHA

  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

  • TLS_RSA_WITH_DES_CBC_SHA

  • TLS_DHE_DSS_WITH_DES_CBC_SHA

  • TLS_DHE_RSA_WITH_DES_CBC_SHA

  • TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA

  • TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

  • TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA

  • TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA

  • TLS_RSA_EXPORT_WITH_RC4_40_MD5

  • TLS_RSA_EXPORT_WITH_DES40_CBC_SHA

  • TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA

  • TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA

For more specific information about the SSL handshake and the SSL/TLS protocol, see the Internet Engineering Task Force Web site at http://www.ietf.org.

For a complete description of cipher suites, go to the IETF organization Web site at http://www.ietf.org/rfc/rfc2246.txt.

Parent topic: Adaptive Server Features Supported