Kbase P144001: Database appears to be allowing 4GL clients not using -SSL to connect to a database that is SSL enab
Author: Progress Software Corporation - Progress
Access: Public
Publication: 11/20/2009
Status: Unverified
SYMPTOM(s):
The database appears to be allowing 4GL clients that do not have the -ssl option to connect to the database.
The client is connecting using -H hostname and -S portnumber.
The database is started with the -ssl option.
The 4GL client is not passing the -ssl parameter when connecting to the database.
FACT(s) (Environment):
WireShark (a network protocol analyzer) validates that communication between the client and the server is encrypted.
All Supported Operating Systems
OpenEdge 10.1C
OpenEdge 10.1C03 Service Pack
CAUSE:
This is expected behavior. Because the database server was started with -ssl, it expects to communicate with clients over SSL. If a client is not started with the -ssl parameter but is able to support SSL communication, the server still communicates with that client over SSL. If a client attempts to connect to the database and the client does not support SSL, the connection is terminated and an error is returned to the client.
FIX:
An environment variable can be set to confirm that the client and server are communicating over an encrypted session. The variable is:
UNIX:
SSLSYS_DEBUG_LOGGING=x;export SSLSYS_DEBUG_LOGGING
Windows:
set SSLSYS_DEBUG_LOGGING=x
The value for "x" is set from 1 to 5 depending on the level of logging you want to run.
1 - Errors
2 - level 1 + Progress info messages
3 - level 2 + RSA state information
4 - level 3 + buffer information
5 - level 4 + buffer dump
If the variable is set before the database server is started, two log files are generated: cert.server.log and cert.client.log. If the variable is set after the database server is started, only one log is created, cert.client.log. These log files are created in the directory where the command is issued. Viewing the cert.client.log file, you can confirm that the client and server are communicating via SSL by checking for the SSL handshake between the server and the client. Example:
more cert.server.log | grep handshake
[Fri Apr 10 09:30:16 2009] ID-0x003adb40 CTX-0x003b1830 BIO-0x00000000 INFO --- SSL Server handshake suceeded
more cert.client.log | grep handshake
[Fri Apr 10 09:30:16 2009] ID-0x0094da80 CTX-0x00953488 BIO-0x00000000 INFO --- SSL Client starting handshake with host (hostname)
[Fri Apr 10 09:30:16 2009] ID-0x0094da80 CTX-0x00953488 BIO-0x009539d0 INFO --- SSL Client handshake succeeded with host (hostname)
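Grepping for "handshake" shows the lines, but on a busy client it does not tell you whether every handshake that started also completed. The following check is an added example, not part of this article or of Progress software: it reads a cert.client.log, takes every CTX id that logged "starting handshake", and reports any CTX with no matching "handshake succeeded" line. It assumes the message wording shown in the log excerpt above; the sample log it builds is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not Progress code): confirm from SSLSYS_DEBUG_LOGGING output
# that every client SSL handshake that started also succeeded.

# Build a constructed cert.client.log sample (not a real capture): the first
# context completes its handshake, the second never does.
make_sample_log() {
    cat > "$1" <<'EOF'
[Fri Apr 10 09:30:16 2009] ID-0x0094da80 CTX-0x00953488 BIO-0x00000000 INFO --- SSL Client starting handshake with host (dbhost)
[Fri Apr 10 09:30:16 2009] ID-0x0094da80 CTX-0x00953488 BIO-0x009539d0 INFO --- SSL Client handshake succeeded with host (dbhost)
[Fri Apr 10 09:31:02 2009] ID-0x0094db10 CTX-0x00953600 BIO-0x00000000 INFO --- SSL Client starting handshake with host (dbhost)
EOF
}

# check_handshakes LOGFILE
# Prints "incomplete handshake: CTX-..." for each context that logged
# "starting handshake" but no "handshake succeeded" line.
# Returns 0 when every started handshake succeeded, 1 otherwise.
check_handshakes() {
    log="$1"
    # Unique CTX ids that began a handshake (assumes the wording in the article).
    started=$(grep 'starting handshake' "$log" \
        | sed 's/.*\(CTX-0x[0-9a-fA-F]*\).*/\1/' | sort -u)
    rc=0
    for ctx in $started; do
        if ! grep "$ctx" "$log" | grep -q 'handshake succeeded'; then
            echo "incomplete handshake: $ctx"
            rc=1
        fi
    done
    return $rc
}
```

Run it against the real cert.client.log after setting SSLSYS_DEBUG_LOGGING and connecting the client; a non-zero exit means at least one client context never reached a completed SSL handshake and should be investigated.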