on 01-04-2016 10:20 AM
Hi,
Can anyone confirm that ASE 15.7 supports TLS 1.2?
We can get all cipher suites enabled but does it support TLS 1.2?
sp_ssladmin lscipher
go
Cipher Suite Name                    Preference
-----------------------------------  ----------
TLS_RSA_WITH_AES_256_CBC_SHA         1
TLS_RSA_WITH_AES_128_CBC_SHA         2
TLS_RSA_WITH_3DES_EDE_CBC_SHA        3
TLS_RSA_WITH_RC4_128_SHA             4
TLS_RSA_WITH_RC4_128_MD5             5
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA    6
TLS_DHE_DSS_WITH_RC4_128_SHA         7
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA    8
TLS_RSA_WITH_DES_CBC_SHA             9
TLS_DHE_DSS_WITH_DES_CBC_SHA         10
TLS_DHE_RSA_WITH_DES_CBC_SHA         11
This cipher is found within ASE, and even if it is used it does not mean it is using the TLS1.2 protocol, since we are not negotiating from the WebSphere application server and we are forcing only TLSv1.2 to be used.
When I tried to retrieve the signer certificate from the WebSphere console, it told me that the database server is not supporting TLS, and it failed until I changed the security level for WebSphere to accept TLS1.0 or SSL, which is not acceptable since both protocols are vulnerable (ASE should support TLS1.2).
And it is used for all secure communications of the application servers since it is a general configuration over the cell; when it is forced to TLS1.2 the error appears, and when we decrease it to accept TLS1.0 or SSLv3 the application server accepts the connection with the database server.
I have attached RFC that covers TLS/SSL... Please check the Appendix A.5 at page 75, you will find that TLS_RSA_WITH_AES_256_CBC_SHA is listed as a cipher suite for TLS 1.2
Regards,
Marc
with sp_ssladmin you can show and set the allowed cipher suites
to see what the client is actually using, you can check this variable: @@ssl_ciphersuite
select @@ssl_ciphersuite
go
TLS_RSA_WITH_AES_256_CBC_SHA
Note that older openssl versions do not support SHA2 certificates
openssl is now delivered as part of your SAP Sybase installation, you need a recent version e.g.1.0.1h to be able to use SHA2 certificates (I didn't test all versions, but know for sure older versions like 1.0.1b do not support SHA2). As part of ASE 15.7 SP132 openssl 1.0.1h-fips is installed.
I think OpenSSL 1.0.1 series is supported till the end of 2016 only, so sooner or later SAP Sybase will also have to switch to the OpenSSL 1.0.2 series
Hello Jeroen.
Thank you for your feedback.
I am new to Traffic encryption between ASE and WebSphere using SSL (openssl)
I have enabled SSL on my personal laptop:
openssl version
OpenSSL 1.0.1m-fips 19 Mar 2015
isql -v
Sybase CTISQL Utility/15.7/P-EBF25038 SP136/PC Intel/BUILD1570-050/OPT/Mon Aug 24 18:29:13 2015
1> select @@ssl_ciphersuite
2> go
----------------------------------------
TLS_RSA_WITH_AES_256_CBC_SHA
Is the above enough to confirm that ASE is configured to use an SSL connection with TLS1.2?
This is my concern: what needs to be done to make sure that ASE is using TLS1.2?
Thanks for your help.
Marc
Hello Ryan,
I need to get back to my client regarding this.
But is it officially mentioned by SAP Sybase support team?
I can open a ticket with them but as you know this may take some time....
So if you can confirm the above, I can directly confirm the same to my end customer.
Do you have any paper, link or reference that mention the above?
Thanks a lot.
Marc
Hi,
I don't have any writing/docs.
Searched, but did not find anything where we specifically support TLS protocols.
Looked through old incidents and spoke to the processor that I know.
If you need an official statement you would have to go through an incident with component:
BC-SYB-ASE
Ran a test on that cipher:
TLSv1
openssl s_client -connect redhead:3213 -CAfile redhead.txt
connected
New, TLSv1/SSLv3, Cipher is AES256-SHA
...
Protocol: TLSv1
Cipher: AES256-SHA
...
TLSv1.2
openssl s_client -connect redhead:3213 -tls1_2 -CAfile redhead.txt
715684104:error:1408F10B:SSL routine:SSL3_GET_RECORD:wrong version number:s3_pkt.c:347:
New, (none), cipher is (none)
...
Protocol TLSv1.2
Cipher 0000
...
Regards,
Ryan
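As an added example (not from the thread), a small POSIX shell script that repeats Ryan's openssl s_client probe once per TLS version and reports the negotiated protocol and cipher, so the server's supported versions can be checked from a client box; the host, port and CA file are placeholders you supply, and the two sample outputs embedded below are constructed from the shape of Ryan's results.

```shell
#!/bin/sh
# Added example: probe which TLS versions a server accepts with
# openssl s_client (same method as Ryan's test above). Assumes an
# openssl binary on PATH; host, port and CA file are placeholders.

# parse_s_client TEXT: read s_client output, print "ok PROTO CIPHER"
# on a successful handshake or "fail" (exit 1) when nothing was negotiated.
parse_s_client() {
    # A failed handshake prints "New, (NONE), Cipher is (NONE)"
    if printf '%s\n' "$1" | grep -qi 'cipher is (none)'; then
        echo fail
        return 1
    fi
    proto=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    if [ -z "$cipher" ] || [ "$cipher" = "0000" ]; then
        echo fail
        return 1
    fi
    echo "ok $proto $cipher"
}

# probe_version HOST PORT CAFILE FLAG, FLAG being -tls1, -tls1_1 or -tls1_2
probe_version() {
    # s_client exits non-zero on a failed handshake; keep its output anyway
    out=$(printf '' | openssl s_client -connect "$1:$2" -CAfile "$3" "$4" 2>&1 || true)
    parse_s_client "$out"
}

# probe_all HOST PORT CAFILE: one line per TLS version
probe_all() {
    for flag in -tls1 -tls1_1 -tls1_2; do
        printf '%-8s ' "$flag"
        probe_version "$1" "$2" "$3" "$flag" || true
    done
}

# Constructed sample outputs (shape of Ryan's TLSv1 and TLSv1.2 runs)
SAMPLE_OK='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is AES256-SHA
    Protocol  : TLSv1
    Cipher    : AES256-SHA'
SAMPLE_FAIL='New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1.2
    Cipher    : 0000'

# Usage: sh probe.sh ase-host 3213 ca.pem
if [ "$#" -eq 3 ]; then
    probe_all "$1" "$2" "$3"
fi
```

A version that answers "fail" while an older one answers "ok" is exactly the TLS 1.2 gap Ryan observed, and the check can be rerun after a server update to confirm the fix.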
A bit of explanation - TLS replaced SSL as a superset some time back, e.g. the progression went SSL 1.0 -> SSL 2.0 (1995) -> SSL 3.0 (1996) -> TLS 1.0 (1999) -> TLS 1.1 (2006) -> TLS 1.2 (2008). So saying ASE was using SSL was often more accurately saying ASE was using TLS 1.0. There are recent attacks showing how TLS 1.0 could be vulnerable. At issue is the fact that TLS (and SSL) protocols automatically negotiated down to the most commonly supported level until recently - e.g. if you attempted to connect at TLS 1.1, it would silently downgrade to TLS 1.0, which was vulnerable. As a result, later TLS 1.x versions prohibited downgrades. In June of this year (2016), browsers are required to stop supporting TLS 1.0 - and PCI compliance will dictate this - not only for browsers, but POS terminals as well that might be vulnerable.
What it means for ASE depends. If your browser connects to a middle tier web server/app server using TLS 1.1 or 1.2 and then the app server connects to ASE, then you are fine providing you are not concerned about the ability to attack the connection between app server and ASE - e.g. the app will work, however, you may have issues with certifications such as PCI. However, if your browser runs javascript or other logic that attempts a direct SSL connection to ASE, then there will be problems until ASE supports TLS 1.1 or 1.2.
Engineering is aware of this and trying to find resources to provide support for later revs of TLS. As with anything, the more customers impacted that engineering is aware of, the higher the priority. So, as Ryan states, if you need TLS 1.1 or TLS 1.2 support, please open an incident on BC-SYB-ASE and request TLS 1.1 or 1.2 support as needed and dates needed by.
Hi Jeff,
Thanks a lot for the valuable info provided.
I have already opened a technical case with SAP support (BC-SYB-ASE) in parallel.
But, would it be feasible to ask for some additional feature or enhancement for future ASE releases... to be able to check the protocol used by ASE without the need to check it with an external tool such as openssl s_client?
Maybe some new global variable similar to the one used to check the cipher suite, @@ssl_ciphersuite.
@Ryan, Thanks a lot for the effort done to test TLS 1.x support.
I have done the same on my laptop and found the same result.
Thank you for the clarification Jeff. Frankly, they should be building TLS support into ALL connections.
Hello,
FYI, I logged an incident for the same. As Jeff explained, the more customers the better. I've always found that SSL support with ASE was "lazy", since the initial release with the Certicom suite. The 16.0 documentation is more comprehensive, and openssl is finally used, but we're still running behind industry standards.
Cheers,
Laurent
Please keep logging the cases. As of now, it *looks* like TLS 1.2 support will be in 15.7 sp137 in June, with TLS 1.2 support for 16sp02 coming in Q4-ish. All caveats apply wrt timing/roadmaps, etc. While both 15.7 and 16.0sp02 (and earlier) used OpenSSL, it looks like future ASE's (beyond sp02) will transition to a common crypto library that is going through FIPS certification as we speak. This will minimally help reduce a lot of confusion around SSL vulnerabilities as many of those that affect OpenSSL don't actually affect ASE.
Hi again,
We were testing this SSL/TLS between WebSphere and SAP ASE 15.7, and we have configured WebSphere to use SSL.
We have encountered the below error on WebSphere when trying to connect to ASE:
[12/28/15 18:10:40:735 GMT] 00000237 DSConfigurati W DSRA8201W: DataSource Configuration: DSRA8040I: Failed to connect to the DataSource. Encountered java.sql.SQLException: JZ0D5: Error loading protocol com.sybase.jdbc4.ssl.SSL. DSRA0010E: SQL State = JZ0D5, Error Code = 0.
java.sql.SQLException: JZ0D5: Error loading protocol com.sybase.jdbc4.ssl.SSL. DSRA0010E: SQL State = JZ0D5, Error Code = 0
Can anyone help in explaining this issue and how to resolve it?
Marc
Did you check the ASE logfile?
Does it show any "SSL or Crypto" errors?
Based on the error codes you can figure out if the client has wrong certificates, is connecting on the wrong port, etc.
off topic: you already marked this thread as answered, would be better to start a new thread for a new question
SQLException: JZ0D5: Error loading protocol
JZ0D5: Action: Check the settings for the CLASSPATH system variable.
The test with isql, is that running from the same server where Websphere is installed?
Is it using the same Sybase client as Websphere?
One thing you might want to check is the version of the Sybase Open Client and jConnect version used by Websphere
There are a lot of changes related to SSL in 15.7 SP100