SSL handshake  Validating a server by its certificate

Appendix D: Secure Sockets Layer in Open Client and Open Server

SSL security levels and security mechanisms

Security levels

SSL provides several levels of security in Open Client and Open Server:

SSL filter as a security mechanism

When establishing a connection to an SSL-enabled Adaptive Server, the SSL security mechanism is specified as a filter on the master and query lines in the sql.ini file. SSL is used as an Open Client and Open Server protocol layer that sits on top of the TCP/IP connection.

The SSL filter is different from other security mechanisms, such as DCE and Kerberos, which are defined with SECMECH (security mechanism) lines in the sql.ini file. The master and query lines determine the security protocols that are enforced for the connection.

A typical sql.ini file on Windows using SSL looks like this:

[SERVER]

    master=TCP,hostname,address1, ssl

    query=TCP,hostname,address1, ssl

where hostname is the name of the server to which the client is connecting, and address1 is the port number of the host machine. All connection attempts to a master or query entry in the sql.ini file with an SSL filter must support the SSL protocol. A server can be configured to accept SSL connections and have other connections that accept plain text (unencrypted data) or use other security mechanisms.

For example, an Adaptive Server sql.ini file that supports both SSL-based connections and plain-text connections looks like this:

[SYBSRV1]
    master=NLWNSCK,hostname,2748,ssl
    query=NLWNSCK,hostname,2748,ssl
    master=NLWNSCK,hostname,2749
    query=NLWNSCK,hostname,2749

In this example, the SSL security service is specified on port number 2748. On SYBSRV1, Adaptive Server listens for clear text on port number 2749, which is without any security mechanism or security filter.




Copyright © 2008. Sybase Inc. All rights reserved. Validating a server by its certificate

View this document as PDF