SQL Anywhere Servers and Utilities Use OpenSSL

SQL Anywhere servers and utilities now use cryptographic software provided by OpenSSL, which introduces the behavioral changes described here.

SQL Anywhere Server and Utility changes include:

  1. Server identity now uses AES encryption; previously it used 3DES. Server certificates used by older servers (running with FIPS) had private keys encrypted with 3DES, which is no longer allowed. See Converting certificates for use with FIPS for instructions on modifying existing certificates so that they can be used with a new server.
  2. Self-signed server certificates must now have the “Certificate Signing” attribute set.
  3. TLS/SSL connections to a MobiLink server using client-side certificates now require the client-side certificate to have the “Digital Signature” attribute set, otherwise the connection fails.
  4. Utility changes:
    • The createcert utility now encrypts the private key of the certificate it creates with AES rather than the less secure 3DES. Certificates using AES cannot be used by older SQL Anywhere software. If you need such compatibility, specify the new “-3des” switch to instruct createcert to use 3DES instead.
    • The viewcert utility now uses AES rather than 3DES to encrypt the private key when -p is used to PEM-encode the output and -ip / -op to set the passwords. You can specify the new “-3des” switch to tell viewcert to use 3DES instead.

Converting certificates for use with FIPS

Certificates previously used by servers running with FIPS are no longer accepted. This is because the older FIPS module only accepted certificates with private keys encrypted with 3DES. The OpenSSL FIPS module does not allow 3DES to be used, so the private keys must be encrypted with AES. Rather than generating new certificates, you can re-encrypt the private key with the viewcert utility. Use this syntax:

viewcert -p -o <new file> -op <new password> -ip <old password> <old file>

This creates a new certificate file with an AES-encrypted private key. The new and old passwords can be the same. The server must then use the new file instead of the old one. The certificate files used by clients do not need to change.

You can run the viewcert utility against your certificate to determine whether the “Key Usage” attributes are set appropriately. For example:

viewcert -ip sql client_id.pem
SQL Anywhere X.509 Certificate Viewer Version 16.0.0.1642

X.509 Certificate
-----------------
Common Name: iAnywhere
Country Code: CA
State/Province: Ontario
Locality: Waterloo
Organization: SAP
Organizational Unit: Sybase
Issuer: iAnywhere
Serial Number: 1ff932e3bb534398810066d26678f80e
Issued: Oct 17, 2013 10:55:00
Expires: Oct 18, 2033 10:55:00
Signature Algorithm: RSA, SHA256
Key Type: RSA
Key Size: 1024 bits
Basic Constraints: Is not a certificate authority
Key Usage: Digital Signature, Key Encipherment, Data Encipherment,
Key Agreement, Certificate Signing

Private Key
-----------
Key Type: RSA
Key Size: 1024 bits