Suppose I want to set HTTPS connection.
I create following procedure:

CREATE PROCEDURE secadm.fa_client_authentication(  
 urlSpec LONG VARCHAR,  
 certif  LONG VARCHAR)  
    URL '!urlSpec'  
    TYPE 'HTTP:POST:text/plain'  
    CERTIFICATE '!certif'  
    SET 'REDIR (COUNT = 0)'  
;

I use the GeoTrust_Global_CA.cer-certificate. I run:

call secadm.fa_client_authentication(
'https://....com.au/apitesting/...',
'file=D:\...\GeoTrust_Global_CA.cer')

For SQL Anywhere Network Server Version 12.0.1.3967: alt text

But for SQL Anywhere Network Server Version 12.0.1.3994: alt text

What am I doing wrong from the standpoint of "Strong encryption now achieved using OpenSSL"-requirements (Engineering Case #749256)?

asked 10 Dec '13, 03:18

Ilia63's gravatar image

Ilia63
776263149
accept rate: 16%

edited 10 Dec '13, 10:56

Volker%20Barth's gravatar image

Volker Barth
30.0k295449654

I don't know of any regressions caused by the OpenSSL switch, but that doesn't mean there aren't any. Is it possible for you to email me the details of the web service (i.e. URL and certificate) so that I can investigate? My address is [my first name].[my last name] at sap dot com.

(10 Dec '13, 10:17) Graeme Perrow

This appears to be an implementation difference between OpenSSL and Certicom (our previous cryptographic library provider). The certificate used by the web server in question is cross-signed, which means it was signed by two root authorities rather than just one. In this case, it's signed by both GeoTrust and Equifax, and Equifax is the real root certificate. OpenSSL requires that you supply the root certificate in the chain, and the certificate you're giving (the GeoTrust one) is not the root certificate.

Certicom allows you to trust any certificate in the chain and the connection will succeed, which is why things worked with the old software.

I've attached the real root certificate here, which I exported from Firefox. Replacing your certificate with this one will allow the connection to succeed.

permanent link

answered 10 Dec '13, 14:21

Graeme%20Perrow's gravatar image

Graeme Perrow
8.5k371109
accept rate: 52%

Thanks.

1) Wanting to see the validity of the new certificate, I found the following bug(?):

viewcert.exe EquifaxSecureCA.crt

SQL Anywhere X.509 Certificate Viewer Version 12.0.1.3994

X.509 Certificate
-----------------
Country Code:            US
Organization:            Equifax
Organizational Unit:     Equifax Secure Certificate Authority

Internal error: 16

But:

viewcert.exe GeoTrust_Global_CA.cer

SQL Anywhere X.509 Certificate Viewer Version 12.0.1.3994

X.509 Certificate
-----------------
Common Name:             GeoTrust Global CA
Country Code:            US
Organization:            GeoTrust Inc.
Issuer:                  GeoTrust Global CA
Serial Number:           23456
Issued:                  May 21, 2002   7:00:00
Expires:                 May 21, 2022   7:00:00
Signature Algorithm:     RSA, SHA1
Key Type:                RSA
Key Size:                2048 bits
Basic Constraints:       Is a certificate authority, path length limit: 0
Key Usage:
(11 Dec '13, 00:26) Ilia63

2)Next question.
A similar error:
EXCEPTION at 2013-12-11 09:17:05.397: SQLCODE = -983, SQLSTATE = WW052, ERRORMSG() = HTTP request failed. Status code '<none>'
appeared for "hand made"-certificate:

X.509 Certificate
-----------------
Common Name:             MSU Certificate
Country Code:            RU
State/Province:          MOSCOW
Locality:                MOSCOW
Organization:            MSU
Organizational Unit:     Programmer
Issuer:                  MSU Certificate
Serial Number:           6cde1cf266d64bca971ae9042f27996f
Issued:                  Jun 11, 2013  15:40:00
Expires:                 Jun 12, 2018  15:40:00
Signature Algorithm:     RSA, SHA1
Key Type:                RSA
Key Size:                2048 bits
Basic Constraints:       Is not a certificate authority
Key Usage:               Digital Signature, Key Encipherment, Data Eqipherment

and "hand made"-Identity:

-xs https(FIPS=N;PORT=82;Identity=MSU.id;Identity_Password=...)

created by the createcert.exe.
What should be done in this case?

(11 Dec '13, 00:31) Ilia63
Replies hidden
1

The first is a bug in viewcert which I also found investigating this problem. It's fixed but I haven't submitted the fix yet. The second is an entirely separate problem. Can you post that as a separate question?

(11 Dec '13, 06:53) Graeme Perrow

FYI the viewcert problem will be fixed in 12.0.1 build 4033 and 16.0 build 1760.

(11 Dec '13, 11:11) Graeme Perrow
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×409
×37
×13
×12
×5

question asked: 10 Dec '13, 03:18

question was seen: 1,117 times

last updated: 11 Dec '13, 11:11