When a client application requests a connection, the SSL-enabled server presents its certificate to prove its identity before data is transmitted. Essentially, the SSL handshake consists of the following steps:
The client sends a connection request to the server. The request includes the SSL (or Transport Layer Security, TLS) options that the client supports.
The server returns its certificate and a list of supported CipherSuites, which includes SSL/TLS support options, the algorithms used for key exchange, and digital signatures.
A secure, encrypted session is established when both client and server have agreed upon a CipherSuite.
For more specific information about the SSL handshake and the SSL/TLS protocol, see the Internet Engineering Task Force Web site.
There is additional overhead required to establish a secure session, because data increases in size when it is encrypted, and it requires additional computation to encrypt or decrypt information. Typically, the additional I/O accrued during the SSL handshake may make user login 10-20-times slower.
During the SSL handshake, the client and server negotiate
a common security protocol through a CipherSuite. CipherSuites are
preferential lists of key-exchange algorithms, hashing methods,
and encryption methods used by the SSL protocol.
For a complete description of CipherSuites, go to the IETF organization
Web site.
By default, the strongest CipherSuite supported by both the client and the server is the CipherSuite that is used for the SSL-based session.
Server connection attributes are specified with directory services, such as LDAP or DCE, or with the traditional Sybase interfaces file.
The CipherSuites listed below conform to the TLS specification.
TLS, or Transport Layer Security, is an enhanced version of SSL
3.0, and is an alias for the SSL version 3.0 CipherSuites.
Open Client/Open Server and Adaptive Server support the CipherSuites that are available with the SSL Plus™ library API and the cryptographic engine, Security Builder™, both from Certicom Corp.
From strongest to weakest, the supported CipherSuites in Open Client/Open Server 12.5 include:
TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5, TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_DHE_DSS_WITH_RC4_128_SHA, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_DES_CBC_SHA, TLS_DHE_DSS_WITH_DES_CBC_SHA, TLS_DHE_RSA_WITH_DES_CBC_SHA, TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
