How to connect to a Sybase SSL port if the Sybase server uses TDS version 5.0? · Issue #511 · FreeTDS/freetds · GitHub

How to connect to a Sybase SSL port if the Sybase server uses TDS version 5.0? #511


Open
sagarmavuri opened this issue Oct 30, 2023 · 5 comments

Comments

@sagarmavuri

How to connect to a Sybase SSL port using FreeTDS? I am using pyodbc, and while I am able to connect to a non-SSL port just fine, SSL connections aren't working.

Note that the Sybase server uses TDS version 5.0.

@sagarmavuri
Author

Also, I have used FreeTDS 1.1.6 and 1.4 as well. Nothing works. When I look at the C++ files, the SSL checks are only enabled for TDS version 7 or greater.
So when I use TDS version 7 or more, the Sybase server rejects the connections. How do I make this work?

@freddy77
Contributor

It sounds like something not supported by FreeTDS. Can you do a network trace of a successful connection (that is, using Sybase libraries) to an SSL port? If you are concerned about security issues, use a test server and/or test account/password and/or send it privately to me.

@mmcnabb-vms
Contributor

It works to connect through Stunnel. Otherwise, code changes are needed.

FreeTDS Branch 1.5 introduced a mode TDS_ENCRYPTION_STRICT, which is exactly what is needed for Sybase-SSL. However, the code mistakenly assumed nobody would use this mode outside of TDS 8.0+, so it's not possible to enable it for a TDS 5.0 server.

I found I was able to get it working by forcing the server to TDS 5.0 in freetds.conf (instead of autodetect), and the following changes:

------------------------------ src/tds/config.c -------------------------------
index f83d92cd..c77ac662 100644
@@ -1461,7 +1461,9 @@ tds_get_compiletime_settings(void)
 TDSRET
 tds8_adjust_login(TDSLOGIN *login)
 {
-	if (!IS_TDS80_PLUS(login) && login->encryption_level != TDS_ENCRYPTION_STRICT)
+	// (MM) Bugged - TDS_ENCRYPTION_STRICT should not force version 8.0 if a version was already set
+	//if (!IS_TDS80_PLUS(login) && login->encryption_level != TDS_ENCRYPTION_STRICT)
+	if (!IS_TDS80_PLUS(login))
 		return TDS_SUCCESS;
 
 	login->tds_version = 0x800;
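Review bot: with the `encryption_level != TDS_ENCRYPTION_STRICT` term removed from the early-return test, a strict login that is not already 8.0+ always returns before `login->tds_version = 0x800;`, including the case where no version was configured at all, which is broader than the new comment's "if a version was already set". Consider keeping the strict upgrade when the version is still unset and skipping it only when the user pinned one, so strict configurations that rely on the upgrade are unaffected. The commented-out old condition and the `(MM)` tag should be dropped before submission, and the `//` comments should use `/* */` to match the comment added in login.c.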

------------------------------- src/tds/login.c -------------------------------
index 57786ce3..4e4c36e6 100644
@@ -687,6 +687,11 @@ reroute:
 		db_selected = true;
 	} else {
 		tds->out_flag = TDS_LOGIN;
+
+		/* SAP ASE 15.0+ SSL mode encrypts entire connection (like stunnel) */
+		if (login->encryption_level == TDS_ENCRYPTION_STRICT)
+			TDS_PROPAGATE(tds_ssl_init(tds, true));
+
 		erc = tds_send_login(tds, login);
 	}
 	if (TDS_FAILED(erc) || TDS_FAILED(tds_process_login_tokens(tds))) {
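Review bot: `TDS_PROPAGATE(tds_ssl_init(tds, true))` in the else branch returns straight out of the function when TLS setup fails, so the `TDS_FAILED(erc)` handling just below never runs for that failure. Consider assigning the result to `erc` and calling `tds_send_login` only when it succeeded, so a TLS failure goes through the same error path as a login failure. The condition also tests only `encryption_level`, while the comment speaks of SAP ASE 15.0+; a check that the login is not TDS 8.0+ (or a note on why that case cannot reach this branch) would make the intent explicit, and the meaning of the `true` argument deserves a word in the comment.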

The first change probably needs further consideration before being submitted as a patch; my fix might break whatever they were going for with the original test; it's only appropriate to this 5.0 use case.

@freddy77
Contributor

Yes, strict is designed for TDS 8. I would like to have an ASE setup with TLS to test. The capture I got some time ago used an entirely different format from the standard TLS encapsulation.

@mmcnabb-vms
Contributor
mmcnabb-vms commented Apr 13, 2025

It's possible to install a 90 day free trial of SAP ASE, for Windows or Linux (or other options too). The instructions for enabling SSL are at https://infocenter.sybase.com/help/topic/com.sybase.infocenter.dc01672.1572/html/sec_admin/sec_admin383.htm. Additional notes:

I generated a self-signed server certificate using:

  1. openssl genpkey -algorithm RSA -out server.key -aes256
  2. openssl req -new -key server.key -out server.csr
  3. openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Installing the cert:

cat server.crt server.key >server_combo.pem
cp server.crt $SAP/ASE-16_0/certificates
cp server.crt $SAP/config/trusted.txt    #perhaps back up the original trusted.txt first

and then database command:

 sp_ssladmin addcert, '/path/to/server_combo.pem', yourprivatekeypassword

In Windows the trusted file was ini/trusted.txt.

Enabling the SSL listening port and telling query tools to use it is done via ini\sql.ini in Windows, or interfaces in Linux; the files have different formats in each case too. In Linux the syntax needed was:

SYBASE
    master tcp ether 192.168.99.99 5000
    master tcp ether 192.168.99.99 5001 ssl="CN=SYBASE"
    query tcp ether 192.168.99.99 5000
SYBASE_SSL
    query tcp ether 192.168.99.99 5001 ssl="CN=SYBASE"

(it didn't work with the "master" line under SYBASE_SSL -- the master for non-ssl and ssl had to be in the same section)

It seems to need the CN=SYBASE (I put SYBASE as Common Name of the certificate request) even if you only have one server cert installed -- without this, the connection log just says that connecting two endpoints failed with no further clues. To test it's working, connect with tsql or isql and issue select @@ssl_ciphersuite.

NB. I have found Sybase non-SSL + Stunnel to behave identically to Sybase SSL, so far anyway.
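For anyone comparing network traces of the setups discussed in this thread, the following added example (not code from FreeTDS or from any commenter) classifies the first bytes a client sends, telling direct TLS (the stunnel-style wrapping the login.c change aims for) apart from a cleartext TDS 5.0 login or TDS 7.x prelogin. It assumes the TDS packet-type values from the public TDS specifications (0x02, 0x10, 0x12) and the standard TLS record header; the function name and the sample byte strings are constructed for illustration, and a capture in some other format will come back as unrecognised.

```python
import struct

# Packet-type byte of the 8-byte TDS header, per the public TDS specifications.
TDS_TYPES = {0x02: "TDS 4.x/5.0 login", 0x10: "TDS 7.x login", 0x12: "TDS 7.x prelogin"}
TLS_HANDSHAKE = 0x16  # TLS record content type for handshake messages


def classify_client_packet(data: bytes) -> str:
    """Classify the first bytes a client sends on a new TCP connection."""
    if len(data) < 8:
        return "too short to classify"
    # TLS record header: content type (1 byte), version (2), length (2).
    if data[0] == TLS_HANDSHAKE and data[1] == 0x03:
        return "direct TLS: the whole session, login included, is encrypted"
    # TDS header: type (1), status (1), length (2, big-endian), then 4 more bytes.
    ptype, _status, pkt_len = struct.unpack(">BBH", data[:4])
    if ptype not in TDS_TYPES or pkt_len < 8:
        return "unrecognised"
    if ptype == 0x12:
        # TDS 7.x carries its TLS handshake records as prelogin payload.
        if data[8:10] == bytes([TLS_HANDSHAKE, 0x03]):
            return "TLS handshake tunnelled inside TDS prelogin packets"
        return "cleartext TDS 7.x prelogin (encryption is negotiated afterwards)"
    return f"cleartext {TDS_TYPES[ptype]}: credentials are not protected by TLS"


# Constructed sample packets (truncated), not taken from a real capture.
SAMPLES = {
    "direct_tls": bytes.fromhex("160301002a0100002603030000"),
    "tds5_login": bytes.fromhex("0200020000000000") + b"\x00" * 16,
    "tds7_tls_in_prelogin": bytes.fromhex("1201003200000000160301002a01"),
    "tds7_prelogin": bytes.fromhex("1201002f0000010000001a0006"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:22s} {classify_client_packet(pkt)}")
```

A TDS 5.0 client that is correctly configured for the ASE SSL port (or that goes through Stunnel) should show the first result; seeing the cleartext login result on that port means the login packet left the client unencrypted.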
