Problem using TLS for communication

Hello All,

I was trying to setup a connection to a server using TLS encryption using SQLAnywhere 17 but I always get a "TLS handshake failure" - any toughts?

Root

createcert.exe -b 2048 -x -ca 1 -co Root.crt -io Root.id -ko Root.pk -kp test -m 1 -sc PT -sst Test -sl Lisboa -so "Test" -sou Test -scn "Test" -u 1,2,3,4,5,6,7 -v 50

Server

createcert.exe -b 2048 -c Root.crt -ck Root.pk -cp test -ca 0 -co Server.crt -io Server.id -ko Server.pk -kp test -m 1 -sc PT -sst Test -sl Lisboa -so "Test" -sou Test -scn "Test" -u 1,2,3,4,5,6,7 -v 50

Client

createcert.exe -b 2048 -c Root.crt -ck Root.pk -cp test -ca 0 -co Client.crt -io Client.id -ko Client.pk -kp test -m 1 -sc PT -sst Test -sl Lisboa -so "Test" -sou Test -scn "Test" -u 1,2,3,4,5,6,7 -v 50

Server Launch

dbsrv17.exe -n SERVER -pc -ec tls(identity=server.id;identity_password=test;trusted_certificates=server.crt) -x tcpip "database.db"

Client Launch

dbisqlc.exe -c "ServerName=SERVER;Host=127.0.0.1;ENC=TLS(identity=client.id;identity_password=test;trusted_certificates=client.crt)

Thanks in advance, Rui Cruz

encryption

asked 30 May '19, 18:40

rmgdc77
41●3●4●6
accept rate: 0%

flat view

One Answer:

active answers oldest answers newest answers popular answers

There are a few problems:

The trusted_certificates option is used to specify the certificate that you trust, which should be the one that signed the one the other side is using. This means that in both your server command line and client connection string you should be specifying trusted_certificates=Root.crt.
When creating the Server and Client certificates, don't specify Certificate Signing (6) as part of the -u switch. When creating the root certificate, use "-u 6, 7" and when creating the other two, use "-u 1,3,4,5".
In a real-world situation, the common name of the server's certificate would be the name of the computer on which the server is running. In this case it's not, so you can tell the software not to check that name using the skip_certificate_name_check option.
In your -c switch on the dbisqlc.exe command, the connection string begins with a quote but does not end with one.

So your server command should be:

dbsrv17.exe -n SERVER -pc -ec tls(identity=server.id;identity_password=test;trusted_certificates=Root.crt) -x tcpip "database.db"

and your client command should be:

dbisqlc.exe -c "ServerName=SERVER;Host=127.0.0.1;ENC=TLS(identity=client.id;identity_password=test;trusted_certificates=Root.crt;skip_certificate_name_check=1)"

permanent link

answered 30 May '19, 22:37

Graeme Perrow
9.6k●3●79●124
accept rate: 54%

Thanks Graeme, the problem was the "skip_certificate_name_check" and the "common name" that was not the server name - all the other settings you suggested i already unsuccessfully tried and the example i've posted was only one of them.

Thank your very much!

Best regards, Rui Cruz

(31 May '19, 05:33) rmgdc77

flat view

Your answer

toggle preview

community wiki:

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "title")
image?![alt text](/path/img.jpg "title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Question tags:

encryption ×46

question asked: 30 May '19, 18:40

question was seen: 837 times

last updated: 31 May '19, 05:33

SAP SQL Anywhere