
SSL On Sybase ASE 15.7

jayrijnbergen
Active Participant
0 Kudos

Anybody got experience with implementing SSL on Sybase ASE 15.7 SP100 or higher?

I'm especially interested in performance impact of using SSL (especially with openssl)

With SSL opening the connection is slightly longer, but not really an issue so far.

But how does it work on a busy ASE server?

Will it cause significant extra load on the ASE?

Does it require changing some configuration options, like increasing additional network memory?

The commands to create a self-signed certificate with openssl, add the certificate with sp_ssladmin and add the SSL listener are not that well documented.

Main thing I noticed on ASE 15.7 SP122 I had to run this before I could add the certificate:

exec sp_ssladmin 'setcipher', 'All'

Check with: exec sp_ssladmin lscipher

If no rows are returned, SSL will not work.

Config option "enable ssl" is static, so I bounced the ASE server.

After that adding the ssltcp listener with sp_listener "start", "ssltcp:host:port" was not working.

Every time I got the same error: the specified port xxx is invalid

Bouncing the ASE server solved that issue, listener started fine.

What's your experience with openssl and Sybase ASE?

Accepted Solutions (0)

Answers (3)


jayrijnbergen
Active Participant
0 Kudos

One more SSL related question

If a client connects via SSL and doesn't close the connection properly, then informational messages are printed in the errorlog, e.g.:

00:0007:00000:00000:2014/12/22 13:02:01.13 kernel  SSL or Crypto Error Info: psn -1, vsn -1, sockp (nil) error id 12, severity -2, provider id 2.

00:0007:00000:00000:2014/12/22 13:02:01.13 kernel  SSL or Crypto Error Message: 'An I/O error occurred during the underlying SSL operation.  Check your I/O callback handler return values and error codes.'.

Is it possible to suppress these informational messages from OpenSSL?
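For monitoring, entries like the two quoted above can be collapsed outside ASE. The following is an added example, not code from this thread: it pairs each "Error Info" line with its "Error Message" line and counts them by error id and severity. The log excerpt is constructed (only the first pair is from the post), and the function name is hypothetical.

```python
import re
from collections import Counter

# Constructed errorlog excerpt: the first pair is the one quoted in the post,
# the second pair and the non-SSL "server" line are invented for this example.
SAMPLE_LOG = """\
00:0007:00000:00000:2014/12/22 13:02:01.13 kernel  SSL or Crypto Error Info: psn -1, vsn -1, sockp (nil) error id 12, severity -2, provider id 2.
00:0007:00000:00000:2014/12/22 13:02:01.13 kernel  SSL or Crypto Error Message: 'An I/O error occurred during the underlying SSL operation.  Check your I/O callback handler return values and error codes.'.
00:0002:00000:00012:2014/12/22 13:05:10.40 server  Constructed non-SSL line for the example.
00:0007:00000:00000:2014/12/22 13:09:44.70 kernel  SSL or Crypto Error Info: psn -1, vsn -1, sockp (nil) error id 12, severity -2, provider id 2.
00:0007:00000:00000:2014/12/22 13:09:44.70 kernel  SSL or Crypto Error Message: 'An I/O error occurred during the underlying SSL operation.  Check your I/O callback handler return values and error codes.'.
"""

INFO = re.compile(r"kernel\s+SSL or Crypto Error Info: .*?"
                  r"error id (-?\d+), severity (-?\d+)")
MSG = re.compile(r"kernel\s+SSL or Crypto Error Message: '(.*)'\.\s*$")


def summarize_ssl_errors(text):
    """Return (Counter keyed by (error_id, severity, message), other_lines)."""
    counts, other, pending = Counter(), [], None
    for line in text.splitlines():
        info = INFO.search(line)
        if info:
            if pending:                      # Info line that had no Message line
                counts[pending + ("",)] += 1
            pending = (int(info.group(1)), int(info.group(2)))
            continue
        msg = MSG.search(line)
        if msg and pending:
            counts[pending + (msg.group(1),)] += 1
            pending = None
            continue
        other.append(line)                   # everything else passes through
    if pending:
        counts[pending + ("",)] += 1
    return counts, other


if __name__ == "__main__":
    counts, other = summarize_ssl_errors(SAMPLE_LOG)
    for (err_id, severity, message), n in counts.most_common():
        print(f"{n}x error id {err_id}, severity {severity}: {message[:60]}")
    print(f"{len(other)} other line(s) left untouched")
```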

former_member194957
Active Participant
0 Kudos

useful..

ryan_hansen
Employee
0 Kudos

Hi,

The issue you had was probably the type of cipher you are using.

ASE default preference may not allow that.

ASE doc using lsciphers and setciphers:

http://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.infocenter.dc36273.1600/doc/html/san13...

ASE doc performance (old, but can give you an idea):

http://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.dc31654_1251/html/sag/sag505.htm

Also, when starting a listener you can run the command sp_listener; you can also add this to the interfaces file and bounce the server (as you have to already to enable ssl).

Example:
ASE
     master tcp ether host port ssl
     query tcp ether host port ssl

ASE2
     master tcp ether host port
     query tcp ether host port

This will give you 1 ssl port and 1 non ssl port.

FYI, the ssl port needs the alias name to be the common name (CN) in the ssl certificate, or you have to configure this in the interfaces file also.

ASE doc using ssl to specify a common name:
SyBooks Online

Hope this helps.

Regards,

Ryan

dawn_kim
Contributor
0 Kudos

Just adding my two cents. Ryan is really good with this stuff.

Yes, you do have to increase additional network memory. If your OS has enough memory you should be good. If you have an older application you will probably want to increase the packet size so you're not flooding the network.
I do know there was an issue with ssl (doesn't matter if it's Certicom or openssl). When you have a large amount of data going through with one process, or a long-running process that runs for hours, it can have problems. This issue is fixed in SDK 15.7 SP132 and ASE 15.7 SP132 when they come out.

Thanks,
Dawn

jayrijnbergen
Active Participant
0 Kudos

Thanks, I'll take a look at the additional network memory.

Packet size I will have to test; I guess that depends more on the application.

For the issue with large amounts of data and the long-running process:

Do you have more details about this issue? CR?

The fix should be in SDK 15.7 SP132 and ASE 15.7 SP132, does that mean update of both the client and the server is required? (I mean, just patching the ASE server to SP132 is not sufficient?)

jayrijnbergen
Active Participant
0 Kudos

Thanks for the links

For the interfaces file, I'm using syntax with common name, that works fine. e.g.

ASE
     master tcp ether host 5000
     query tcp ether host 5000
     master tcp ether host 5002 ssl
     query tcp ether host 5002 ssl

ASE_SSL
     master tcp ether host 5002 ssl="CN='ASE'"
     query tcp ether host 5002 ssl="CN='ASE'"

Regarding the ciphers, that's not working as expected.

By default, if nothing is set, then the allowed ciphers should be the ciphers in the default set "All". But somehow that's not working for me. After explicitly setting the cipher suite to "All" it's fine.
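The CN rule from Ryan's answer and the ssl="CN='...'" syntax in the post above can be checked before clients are rolled out. This is an added example, not code from the thread: it parses an interfaces file and reports SSL query lines whose expected common name (the alias, unless a CN filter overrides it) differs from the certificate's CN. The host name dbhost, the ASE2 entry on port 5004, the function names and the exact-match comparison are assumptions.

```python
import re

# Constructed sample modelled on the interfaces entries quoted in this thread.
SAMPLE_INTERFACES = """\
ASE
\tmaster tcp ether dbhost 5000
\tquery tcp ether dbhost 5000
\tmaster tcp ether dbhost 5002 ssl
\tquery tcp ether dbhost 5002 ssl

ASE_SSL
\tmaster tcp ether dbhost 5002 ssl="CN='ASE'"
\tquery tcp ether dbhost 5002 ssl="CN='ASE'"

ASE2
\tquery tcp ether dbhost 5004 ssl
"""

# Matches the filter form shown in the thread: ssl="CN='name'"
CN_FILTER = re.compile(r"""^ssl=["']?CN=["']?([^"']+)""", re.IGNORECASE)


def parse_interfaces(text):
    """Return [(alias, service, host, port, expected_cn)]; expected_cn is
    None for a non-SSL line, the CN filter if given, otherwise the alias."""
    rows, alias = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():          # unindented line starts a new entry
            alias = raw.split()[0]
            continue
        fields = raw.split()
        if alias is None or len(fields) < 5:
            continue                      # malformed service line, skip it
        service, host, port = fields[0], fields[3], int(fields[4])
        extra = " ".join(fields[5:])
        cn = None
        if extra.lower().startswith("ssl"):
            m = CN_FILTER.match(extra)
            cn = m.group(1) if m else alias
        rows.append((alias, service, host, port, cn))
    return rows


def cn_mismatches(text, cert_cn):
    """SSL query lines whose expected CN is not the certificate's CN
    (exact string comparison is an assumption of this example)."""
    return [(alias, port, cn)
            for alias, service, _host, port, cn in parse_interfaces(text)
            if service == "query" and cn is not None and cn != cert_cn]
```

With a certificate whose CN is ASE, only the ASE2 entry is reported, because it has the ssl flag but neither a matching alias nor a CN filter.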

dawn_kim
Contributor
0 Kudos

Hi,

It is CR 769463: ASE setup with SSL sending bad TDS when sending back large result sets. If you upgrade the ASE you should be fine.
I am not sure when the issue was introduced; I know it was in ASE 15.7 SP122 and will be fixed in ASE 15.7 SP132.

Thanks,
Dawn Kim