on 12-12-2014 5:47 PM
Anybody got experience with implementing SSL on Sybase ASE 15.7 SP100 or higher?
I'm especially interested in the performance impact of using SSL (especially with openssl).
With SSL, opening the connection takes slightly longer, but that's not really an issue so far.
But how does it work on a busy ASE server?
Will it cause significant extra load on the ASE?
Does it require changing some configuration options, like increasing "additional network memory"?
The commands to create a self-signed certificate with openssl, add the certificate with sp_ssladmin and add the SSL listener are not that well documented.
The main thing I noticed on ASE 15.7 SP122 is that I had to run this before I could add the certificate:
exec sp_ssladmin 'setcipher', 'All'
Check with: exec sp_ssladmin lscipher
If no rows are returned, SSL will not work.
Config option "enable ssl" is static, so I bounced the ASE server.
After that, adding the ssltcp listener with sp_listener "start", "ssltcp:host:port" was not working.
Every time I got the same error: the specified port xxx is invalid.
Bouncing the ASE server solved that issue, listener started fine.
What's your experience with openssl and Sybase ASE?
One more SSL related question
If a client connects via SSL and doesn't close the connection properly, then informational messages are printed in the errorlog, e.g.:
00:0007:00000:00000:2014/12/22 13:02:01.13 kernel SSL or Crypto Error Info: psn -1, vsn -1, sockp (nil) error id 12, severity -2, provider id 2.
00:0007:00000:00000:2014/12/22 13:02:01.13 kernel SSL or Crypto Error Message: 'An I/O error occurred during the underlying SSL operation. Check your I/O callback handler return values and error codes.'.
Is it possible to suppress these informational messages from OpenSSL?
useful..
Hi,
The issue you had was probably the type of cipher you are using.
ASE default preference may not allow that.
ASE doc using lsciphers and setciphers:
ASE doc performance (old, but can give you an idea):
http://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.dc31654_1251/html/sag/sag505.htm
Also, besides starting a listener with the sp_listener command,
you can add it to the interfaces file and bounce the server (which you have to do already to enable ssl).
Example:
ASE
    master tcp ether host port ssl
    query tcp ether host port ssl
ASE2
    master tcp ether host port
    query tcp ether host port
This will give you 1 ssl port and 1 non ssl port.
FYI, the SSL port needs the alias name to be the common name (CN) in the SSL certificate, or you have to configure this in the interfaces file as well.
ASE doc using ssl to specify a common name:
SyBooks Online
Hope this helps.
Regards,
Ryan
Just adding my two cents. Ryan is really good with this stuff.
Yes, you do have to increase additional network memory. If your OS has enough memory, you should be good. If you have an older application, you will probably want to increase the packet size so you're not flooding the network.
I do know there was an issue with SSL (it doesn't matter if it's Certicom or OpenSSL). When you have a large amount of data going through with one process, or a long-running process that runs for hours, it can have problems. This issue is fixed in SDK 15.7 SP132 and ASE 15.7 SP132 when they come out.
Thanks,
Dawn
Thanks, I'll take a look at the additional network memory.
Packet size I will have to test; I guess that depends more on the application.
For the issue with large amounts of data and the long running process.
Do you have more details about this issue? CR?
The fix should be in SDK 15.7 SP132 and ASE 15.7 SP132, does that mean update of both the client and the server is required? (I mean, just patching the ASE server to SP132 is not sufficient?)
Thanks for the links
For the interfaces file, I'm using the syntax with a common name, and that works fine, e.g.:
ASE
    master tcp ether host 5000
    query tcp ether host 5000
    master tcp ether host 5002 ssl
    query tcp ether host 5002 ssl
ASE_SSL
    master tcp ether host 5002 ssl="CN='ASE'"
    query tcp ether host 5002 ssl="CN='ASE'"
Regarding the ciphers, that's not working as expected.
By default, if nothing is set, the allowed ciphers should be the ciphers in the default set "All". But somehow that's not working for me. After explicitly setting the cipher suite to "All" it's fine.
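One end-to-end version of the procedure discussed in this thread (self-signed certificate with openssl, CN matching the interfaces alias, the sp_ssladmin/sp_listener sequence), written as an added example: it is not code from this thread, nor SAP/Sybase's own tooling. The alias ASE, host dbhost, ports 5000/5002, the passphrase changeit and the mktemp output directory are assumptions for illustration. The PEM bundle layout (certificate followed by the encrypted private key in one file) is what sp_ssladmin addcert expects per the ASE documentation; check it against your release's sp_ssladmin reference before relying on it.

```shell
#!/bin/sh
# Added example, not from the thread or from SAP/Sybase: prepare a self-signed
# certificate for an ASE SSL listener and the matching interfaces/isql pieces.
# Assumed (hypothetical) values: server alias ASE, host dbhost, plain port 5000,
# SSL port 5002, private-key passphrase "changeit", output directory from mktemp.
set -eu

# Generate an RSA key and a self-signed certificate whose CN equals the server
# alias, then bundle certificate + encrypted key into the one PEM file that
# sp_ssladmin addcert reads. Prints the bundle path.
make_ase_cert() {
    name=$1; dir=$2; pass=$3
    openssl req -x509 -newkey rsa:2048 -days 365 -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" \
        -passout "pass:$pass" >/dev/null 2>&1
    cat "$dir/$name.crt" "$dir/$name.key" > "$dir/$name.pem"
    chmod 600 "$dir/$name.key" "$dir/$name.pem"   # the bundle holds the private key
    printf '%s\n' "$dir/$name.pem"
}

# Print the CN of the first certificate in a PEM file, so it can be compared
# with the interfaces alias before the listener is started.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Interfaces-file entries: the alias with a plain and an SSL listener, plus an
# SSL-only alias that pins the expected CN instead of relying on alias == CN.
interfaces_entries() {
    name=$1; host=$2; port=$3; sslport=$4
    cn="ssl=\"CN='$name'\""
    printf '%s\n' "$name"
    printf '\tmaster tcp ether %s %s\n' "$host" "$port"
    printf '\tquery tcp ether %s %s\n' "$host" "$port"
    printf '\tmaster tcp ether %s %s ssl\n' "$host" "$sslport"
    printf '\tquery tcp ether %s %s ssl\n' "$host" "$sslport"
    printf '\n%s_SSL\n' "$name"
    printf '\tmaster tcp ether %s %s %s\n' "$host" "$sslport" "$cn"
    printf '\tquery tcp ether %s %s %s\n' "$host" "$sslport" "$cn"
}

# isql script to run as sa, in the order the thread found to work on SP122:
# enable ssl (static: restart afterwards), set a cipher preference so lscipher
# returns rows, add the certificate, then start the ssltcp listener.
isql_commands() {
    pem=$1; pass=$2; host=$3; sslport=$4
    cat <<EOF
exec sp_configure 'enable ssl', 1
go
-- restart ASE here: 'enable ssl' is a static option
exec sp_ssladmin 'setcipher', 'All'
go
exec sp_ssladmin 'lscipher'
go
-- the password is the passphrase protecting the private key inside the bundle
exec sp_ssladmin 'addcert', '$pem', '$pass'
go
exec sp_ssladmin 'lscert'
go
-- if this reports "the specified port ... is invalid", the OP's workaround was another restart
exec sp_listener 'start', 'ssltcp:$host:$sslport'
go
EOF
}

main() {
    dir=$(mktemp -d)
    pem=$(make_ase_cert ASE "$dir" changeit)
    echo "certificate CN: $(cert_cn "$pem") (must equal the interfaces alias)"
    echo "--- interfaces entries ---"
    interfaces_entries ASE dbhost 5000 5002
    echo "--- isql script ---"
    isql_commands "$pem" changeit dbhost 5002
}

# Run the whole procedure only when asked, e.g.: sh ase_ssl_setup.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

The generated interfaces entries are meant to be appended to the existing interfaces file (the indented lines start with a tab, as the file expects); the key and bundle are left with mode 600 because the bundle contains the private key and is read by the ASE server process.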