SQL Anywhere Servers and Utilities Use OpenSSL
SQL Anywhere servers and utilities use cryptographic software provided by OpenSSL, which introduces the behavioral changes described here.
SQL Anywhere server and utility changes include:
- Server identities now use AES encryption; previously they used 3DES. Server certificates used by older servers (with FIPS enabled) had private keys encrypted with 3DES, which is no longer allowed. See Converting certificates for use with FIPS for instructions on modifying existing certificates so they can be used with a new server.
- Self-signed server certificates must now have the “Certificate Signing” attribute set.
- TLS/SSL connections to a MobiLink server using client-side certificates now require the client-side certificate to have the “Digital Signature” attribute set; otherwise the connection fails.
- Utility changes:
  - The createcert utility now encrypts the private key of the certificate it creates with AES rather than the less secure 3DES. Certificates using AES cannot be used by older SQL Anywhere software. If you need such compatibility, specify the new “-3des” switch to instruct createcert to use 3DES instead.
  - The viewcert utility now uses AES rather than 3DES to encrypt the private key when using -p to PEM-encode the output and -ip / -op to set the password. You can specify the new “-3des” switch to tell viewcert to use 3DES instead.
Converting certificates for use with FIPS
Certificates previously used by FIPS-enabled servers are no longer accepted. This is because the older FIPS module only accepted certificates whose private keys were encrypted with 3DES. The OpenSSL FIPS module does not allow 3DES to be used, so the private keys must be encrypted with AES. Rather than generating new certificates, you can re-encrypt the private key using the viewcert utility. Use this syntax:
viewcert -p -o <new file> -op <new password> -ip <old password> <old file>
This creates a new certificate file with an AES-encrypted private key. The new and old passwords can be the same. The server must then use the new file instead of the old one. The certificate files used by clients do not need to change.
SQL Anywhere X.509 Certificate Viewer Version 16.0.0.1642
X.509 Certificate
-----------------
Common Name: iAnywhere
Country Code: CA
State/Province: Ontario
Locality: Waterloo
Organization: SAP
Organizational Unit: Sybase
Issuer: iAnywhere
Serial Number: 1ff932e3bb534398810066d26678f80e
Issued: Oct 17, 2013 10:55:00
Expires: Oct 18, 2033 10:55:00
Signature Algorithm: RSA, SHA256
Key Type: RSA
Key Size: 1024 bits
Basic Constraints: Is not a certificate authority
Key Usage: Digital Signature, Key Encipherment, Data Encipherment, Key Agreement, Certificate Signing
Private Key
-----------
Key Type: RSA
Key Size: 1024 bits
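The following pre-upgrade check is an added example and not SQL Anywhere's own code: before moving a server identity file to a FIPS-enabled server, it reports whether the private key is still 3DES-protected and so must be re-encrypted with viewcert. It assumes the identity file is a PEM file whose key uses the traditional OpenSSL "DEK-Info" encryption header; a PKCS#8 "ENCRYPTED PRIVATE KEY" block is flagged for manual inspection instead, since its cipher is inside the DER structure.

```python
import re

# Ciphers named in the legacy OpenSSL "DEK-Info" PEM header.
# Assumption: SQL Anywhere identity files use this traditional encrypted-PEM form.
CIPHER_STATUS = {
    "DES-EDE3-CBC": ("3DES", True),   # rejected by the OpenSSL FIPS module
    "AES-128-CBC": ("AES", False),
    "AES-192-CBC": ("AES", False),
    "AES-256-CBC": ("AES", False),
}

DEK_RE = re.compile(r"^DEK-Info:\s*([A-Z0-9-]+),", re.MULTILINE)


def check_identity_file(pem_text):
    """Return (cipher family, needs_conversion, note) for the file's private key."""
    if "ENCRYPTED PRIVATE KEY" in pem_text:
        # PKCS#8: the cipher is inside the DER blob, so defer to a proper tool.
        return ("unknown", None, "PKCS#8 key: inspect with viewcert or openssl pkcs8")
    if "PRIVATE KEY" not in pem_text:
        return ("none", None, "no private key block found")
    match = DEK_RE.search(pem_text)
    if not match:
        return ("plaintext", None, "private key is not password protected")
    cipher = match.group(1)
    if cipher not in CIPHER_STATUS:
        return ("other", None, "unrecognized cipher " + cipher)
    family, needs_conversion = CIPHER_STATUS[cipher]
    note = ("re-encrypt: viewcert -p -o <new file> -op <pw> -ip <pw> <old file>"
            if needs_conversion else "AES-protected key, accepted by FIPS server")
    return (family, needs_conversion, note)


# Constructed sample identity file: certificate followed by a 3DES-protected key.
# The base64 bodies are placeholders, not real certificate or key material.
SAMPLE_OLD = """-----BEGIN CERTIFICATE-----
MIIBplaceholder
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0A1B2C3D4E5F6071

placeholderbody
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    print(check_identity_file(SAMPLE_OLD))
```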
