Suppose I want to set up an HTTPS connection.
CREATE PROCEDURE secadm.fa_client_authentication( urlSpec LONG VARCHAR, certif LONG VARCHAR) URL '!urlSpec' TYPE 'HTTP:POST:text/plain' CERTIFICATE '!certif' SET 'REDIR (COUNT = 0)' ;
I use the GeoTrust_Global_CA.cer certificate. I run:
call secadm.fa_client_authentication( 'https://....com.au/apitesting/...', 'file=D:\...\GeoTrust_Global_CA.cer')
For SQL Anywhere Network Server Version 184.108.40.20667:
But for SQL Anywhere Network Server Version 220.127.116.1194:
What am I doing wrong from the standpoint of the "Strong encryption now achieved using OpenSSL" requirements (Engineering Case #749256)?
This appears to be an implementation difference between OpenSSL and Certicom (our previous cryptographic library provider). The certificate used by the web server in question is cross-signed, which means it was signed by two root authorities rather than just one. In this case, it's signed by both GeoTrust and Equifax, and Equifax is the real root certificate. OpenSSL requires that you supply the root certificate in the chain, and the certificate you're giving (the GeoTrust one) is not the root certificate.
Certicom allows you to trust any certificate in the chain and the connection will succeed, which is why things worked with the old software.
I've attached the real root certificate here, which I exported from Firefox. Replacing your certificate with this one will allow the connection to succeed.
answered 10 Dec '13, 14:21
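The difference described in the answer can be reproduced offline with the openssl command-line tool. The script below is an added example, not part of the original thread: it builds a constructed root, intermediate and leaf chain (all names, file names and helper functions are made up for the demo) and shows that OpenSSL's default verification rejects a trust file holding only a non-root certificate and accepts the self-signed root.

```shell
# Constructed chain for the demo: root -> intermediate -> leaf (names are made up).
build_chain() {
    d=$1
    cat > "$d/o.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root: issuer and subject are the same name.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/o.cnf" \
        -extensions v3_ca -subj "/CN=Example Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    # Intermediate CA signed by the root, then a leaf signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/o.cnf" \
        -subj "/CN=Example Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 1 -days 2 -extfile "$d/o.cnf" -extensions v3_ca \
        -out "$d/int.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$d/o.cnf" \
        -subj "/CN=www.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 2 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# True when the certificate is self-issued, i.e. a candidate root.
is_root() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# verify_with TRUST_ANCHOR LEAF [extra "openssl verify" options]
verify_with() {
    anchor=$1; leaf=$2; shift 2
    openssl verify "$@" -CAfile "$anchor" "$leaf" >/dev/null 2>&1
}

d=$(mktemp -d) && build_chain "$d"
for a in int root; do
    is_root "$d/$a.pem" && kind=root || kind=non-root
    verify_with "$d/$a.pem" "$d/leaf.pem" -untrusted "$d/int.pem" && r=OK || r=FAIL
    echo "trusting $a.pem ($kind): $r"
done
rm -rf "$d"
```

Passing `-partial_chain` as the extra option to `verify_with` makes the intermediate-only case succeed; that opt-in is OpenSSL's own and serves here only as an analogue of the trust-any-certificate behaviour the answer describes. Running `is_root` on a certificate file before using it as the trust anchor shows whether it is the self-signed end of the chain.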