Hello All,

I was trying to set up a connection to a server using TLS encryption using SQLAnywhere 17 but I always get a "TLS handshake failure" - any thoughts?

Root

createcert.exe -b 2048 -x -ca 1 -co Root.crt -io Root.id -ko Root.pk -kp test -m 1 -sc PT -sst Test -sl Lisboa -so "Test" -sou Test -scn "Test" -u 1,2,3,4,5,6,7 -v 50

Server

createcert.exe -b 2048 -c Root.crt -ck Root.pk -cp test -ca 0 -co Server.crt -io Server.id -ko Server.pk -kp test -m 1 -sc PT -sst Test -sl Lisboa -so "Test" -sou Test -scn "Test" -u 1,2,3,4,5,6,7 -v 50

Client

createcert.exe -b 2048 -c Root.crt -ck Root.pk -cp test -ca 0 -co Client.crt -io Client.id -ko Client.pk -kp test -m 1 -sc PT -sst Test -sl Lisboa -so "Test" -sou Test -scn "Test" -u 1,2,3,4,5,6,7 -v 50

Server Launch

dbsrv17.exe -n SERVER -pc -ec tls(identity=server.id;identity_password=test;trusted_certificates=server.crt) -x tcpip "database.db"

Client Launch

dbisqlc.exe -c "ServerName=SERVER;Host=127.0.0.1;ENC=TLS(identity=client.id;identity_password=test;trusted_certificates=client.crt)

Thanks in advance, Rui Cruz

asked 30 May, 18:40


rmgdc77


There are a few problems:

  1. The trusted_certificates option is used to specify the certificate that you trust, which should be the one that signed the one the other side is using. This means that in both your server command line and client connection string you should be specifying trusted_certificates=Root.crt.
  2. When creating the Server and Client certificates, don't specify Certificate Signing (6) as part of the -u switch. When creating the root certificate, use "-u 6, 7" and when creating the other two, use "-u 1,3,4,5".
  3. In a real-world situation, the common name of the server's certificate would be the name of the computer on which the server is running. In this case it's not, so you can tell the software not to check that name using the skip_certificate_name_check option.
  4. In your -c switch on the dbisqlc.exe command, the connection string begins with a quote but does not end with one.

So your server command should be:

dbsrv17.exe -n SERVER -pc -ec tls(identity=server.id;identity_password=test;trusted_certificates=Root.crt) -x tcpip "database.db"

and your client command should be:

dbisqlc.exe -c "ServerName=SERVER;Host=127.0.0.1;ENC=TLS(identity=client.id;identity_password=test;trusted_certificates=Root.crt;skip_certificate_name_check=1)"

answered 30 May, 22:37


Graeme Perrow
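To make the trust relationship in points 1 to 3 of the answer concrete, here is an added example (not from the forum post, and not SQL Anywhere's own code) that models the same checks with the Python `cryptography` library instead of createcert.exe. It builds a root CA and a server and client certificate with the key usages the answer recommends (the mapping of createcert's -u numbers to X.509 key-usage bits is my assumption: 1 = digital signature, 3 = key encipherment, 4 = data encipherment, 5 = key agreement, 6 = certificate signing, 7 = CRL signing), then shows why `trusted_certificates` has to name the signer (Root.crt) rather than the peer's own certificate, and what `skip_certificate_name_check` bypasses. The `signed_by` and `name_check_passes` functions are simplified stand-ins for the real TLS validation, which also walks longer chains and consults subjectAltName.

```python
"""Added example: models the trust checks behind SQL Anywhere's
ENC=TLS(...) options using the 'cryptography' library (assumed installed)."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ExtensionNotFound
from cryptography.x509.oid import NameOID


def _name(cn: str) -> x509.Name:
    # Subject fields mirror the -sc/-sst/-sl/-so/-sou/-scn switches in the post.
    return x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "PT"),
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "Test"),
        x509.NameAttribute(NameOID.LOCALITY_NAME, "Lisboa"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Test"),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Test"),
        x509.NameAttribute(NameOID.COMMON_NAME, cn),
    ])


def make_cert(cn, key, issuer_cert=None, issuer_key=None, is_ca=False):
    """Stand-in for createcert.exe: self-signed (-x) when issuer_cert is None,
    otherwise signed by the issuer (-c/-ck).  is_ca maps to -ca 1/0.  Key usage
    follows the answer (assumed bit mapping): the root gets "6,7" (cert sign,
    CRL sign) and the leaves get "1,3,4,5" (digital signature, key
    encipherment, data encipherment, key agreement)."""
    now = datetime.now(timezone.utc)
    signer_key = issuer_key or key
    issuer_name = issuer_cert.subject if issuer_cert is not None else _name(cn)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(cn))
        .issuer_name(issuer_name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=50 * 365))  # -v 50
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=not is_ca, content_commitment=False,
            key_encipherment=not is_ca, data_encipherment=not is_ca,
            key_agreement=not is_ca, key_cert_sign=is_ca, crl_sign=is_ca,
            encipher_only=False, decipher_only=False), critical=True)
    )
    return builder.sign(signer_key, hashes.SHA256())


def signed_by(cert, trusted):
    """What trusted_certificates=<file> asks: was `cert` issued by `trusted`?
    `trusted` must be a CA allowed to sign certificates, and its public key
    must verify the signature over `cert`'s to-be-signed bytes."""
    try:
        bc = trusted.extensions.get_extension_for_class(x509.BasicConstraints).value
        ku = trusted.extensions.get_extension_for_class(x509.KeyUsage).value
        if not (bc.ca and ku.key_cert_sign):
            return False  # a leaf certificate (the post's server.crt) cannot anchor trust
        trusted.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except (ExtensionNotFound, InvalidSignature):
        return False


def name_check_passes(cert, host, skip_certificate_name_check=False):
    """Point 3 of the answer: the server's common name must match the host the
    client connected to, unless skip_certificate_name_check=1 is set.
    Simplified: a real check also considers subjectAltName entries."""
    if skip_certificate_name_check:
        return True
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return cn == host


# Constructed key material: -b 2048, same subject "Test" as in the post.
ROOT_KEY = rsa.generate_private_key(65537, 2048)
SERVER_KEY = rsa.generate_private_key(65537, 2048)
CLIENT_KEY = rsa.generate_private_key(65537, 2048)
ROOT = make_cert("Test", ROOT_KEY, is_ca=True)
SERVER = make_cert("Test", SERVER_KEY, ROOT, ROOT_KEY)
CLIENT = make_cert("Test", CLIENT_KEY, ROOT, ROOT_KEY)


def demo():
    """Each entry corresponds to one trusted_certificates / name-check setting."""
    return {
        "server: trusted_certificates=Root.crt": signed_by(CLIENT, ROOT),
        "server: trusted_certificates=server.crt (post)": signed_by(CLIENT, SERVER),
        "client: trusted_certificates=Root.crt": signed_by(SERVER, ROOT),
        "client: trusted_certificates=client.crt (post)": signed_by(SERVER, CLIENT),
        "client: CN 'Test' vs Host=127.0.0.1": name_check_passes(SERVER, "127.0.0.1"),
        "client: same with skip_certificate_name_check=1": name_check_passes(SERVER, "127.0.0.1", True),
    }


if __name__ == "__main__":
    for setting, ok in demo().items():
        print(f"{'OK  ' if ok else 'FAIL'} {setting}")
```

Running it prints FAIL for the two trusted_certificates values from the question and for the name check against 127.0.0.1, and OK for Root.crt and for the skipped name check, which is the combination the accepted answer arrives at. Note that skipping the name check removes the binding between the certificate and the host; it is fine for a local test like this one, but in production the fix is to issue the server certificate with the server's real name.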

Thanks Graeme, the problem was the "skip_certificate_name_check" and the "common name" that was not the server name - all the other settings you suggested I already unsuccessfully tried and the example I've posted was only one of them.

Thank you very much!

Best regards, Rui Cruz

(31 May, 05:33) rmgdc77
question was seen: 85 times

last updated: 31 May, 05:33