This article details the following security-related changes in the Progress DataDirect products:
- OpenSSL library has been upgraded to 1.1.1
- Java 1.7 is no longer supported
OpenSSL Related Changes
Version 1.0.2 of the OpenSSL library is scheduled to reach the end of its product life cycle in December 2019. As a result, we will no longer be able to deliver security and bug fixes to products using this library after that date. To address this issue, patches for the 8.0 and 7.1 versions of the ODBC drivers are now available that provide support for the latest version of the OpenSSL library, 1.1.1. In addition to shipping a fully supported version of the library, we will continue to ship version 1.0.2 to allow you to continue to access your data until you are ready to migrate to the newest version.
Below is the list of 8.0 and 7.1 drivers that are updated to include OpenSSL 1.1.1:
- Connect ODBC 7.1 Drivers - Oracle, SQL Server, Redshift, Hive, Db2, Greenplum, PostgreSQL, Impala, Informix, MySQL, OpenEdge, SybaseASE, SybaseIQ, Teradata
- Connect ODBC 8.0 Drivers - Oracle, SQL Server, Redshift, Hive, Spark
About the Library Files
The following contains general information about the OpenSSL library files.
Note: The 8.0 and 7.1 versions of the installer program install both versions of the OpenSSL libraries.
New OpenSSL Library (1.1.1)
- Windows: ivtls<xx>.dll (32-bit) | ddtls<xx>.dll (64-bit)
- UNIX: libivtls<xx>.so [ .sl | .a ] (32-bit) | libddtls<xx>.so [ .a ] (64-bit)
- Uses version 1.1.1d, which is the latest patch release of OpenSSL.
Earlier OpenSSL Library (1.0.2)
- Windows: ivssl<xx>.dll (32-bit) | ddssl<xx>.dll (64-bit)
- UNIX: libivssl<xx>tls.so [ .sl | .a ] (32-bit) | libddssl<xx>.so [ .a ] (64-bit)
- Uses OpenSSL 1.0.2r:
OpenSSL is planning on releasing an update to version 1.0.2 of the library (1.0.2t). A final patch will be released once OpenSSL has made that update available.
NOTE: Filename suffixes will be based on driver version. For 7.1, the suffix is 27 and for version 8.0, the suffix is 28. For example: ivssl28.dll is for version 8.0 while ivssl27.dll is for version 7.1.
There are two reasons the libraries have different names:
1) When we released support for OpenSSL version 1.1.1, we were supporting both OpenSSL 1.0.2 and OpenSSL 1.1.1 at the same time, so the two libraries could not share a name.
2) The OpenSSL APIs also changed, and we need a way to distinguish the libraries to determine the best way to load them.
Designating an OpenSSL Library
OpenSSL 1.1.1 will now be the default version of SSL loaded by the drivers; however, the drivers will transparently fall back to using OpenSSL 1.0.2 for now. In a future update, the drivers will be changed to no longer transparently fall back to using 1.0.2.
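Because the fallback is transparent, an installation that carries only the 1.0.2 file keeps connecting without any visible error. The following added example (not Progress code) classifies library file names by the naming scheme described above and reports the driver/bitness pairs where only the 1.0.2 library is present; the directory listing is constructed sample data.

```python
import re

# Naming scheme as described on this page:
#   "tls" -> OpenSSL 1.1.1 library, "ssl" -> OpenSSL 1.0.2 library
#   "iv"  -> 32-bit,                "dd"  -> 64-bit
#   suffix 27 -> driver 7.1,        suffix 28 -> driver 8.0
# The page lists the 32-bit UNIX 1.0.2 file as libivssl<xx>tls.so, so a
# trailing "tls" after the suffix is accepted as well.
LIB_RE = re.compile(
    r"^(?:lib)?(?P<bits>iv|dd)(?P<kind>tls|ssl)(?P<suffix>\d{2})(?:tls)?"
    r"\.(?:dll|so|sl|a)$",
    re.IGNORECASE,
)
OPENSSL = {"tls": "1.1.1", "ssl": "1.0.2"}
BITS = {"iv": 32, "dd": 64}
DRIVER = {"27": "7.1", "28": "8.0"}


def classify(filename):
    """Return (openssl_version, bitness, driver_version), or None if the
    name is not one of the OpenSSL library files."""
    m = LIB_RE.match(filename)
    if m is None:
        return None
    return (OPENSSL[m["kind"].lower()], BITS[m["bits"].lower()],
            DRIVER.get(m["suffix"], "unknown"))


def legacy_only(filenames):
    """(driver_version, bitness) pairs with a 1.0.2 library but no 1.1.1
    library: the installs where the driver can only fall back to 1.0.2."""
    found = {}
    for name in filenames:
        info = classify(name)
        if info:
            version, bits, driver = info
            found.setdefault((driver, bits), set()).add(version)
    return sorted(key for key, vers in found.items() if vers == {"1.0.2"})


# Constructed directory listing (not taken from a real installation).
SAMPLE = ["ivtls28.dll", "ivssl28.dll", "libddtls27.so", "libddssl27.so",
          "libddssl28.so", "ivcurl28.dll", "readme.txt"]

if __name__ == "__main__":
    for name in SAMPLE:
        print(f"{name:16} {classify(name)}")
    print("1.0.2 only:", legacy_only(SAMPLE))
```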
You can specify which version of the OpenSSL library the drivers use via the following connection options:
AllowedOpenSSLVersions
New connection option that allows for specification of which version of the OpenSSL library file the driver uses for data encryption. This is a string value with the possible valid values:
This is a special value that indicates to the driver to use the latest supported version. Currently, this is a synonym for 1.1.1.
The driver attempts to use version 1.1.1. If it’s not found, it transparently falls back to using version 1.0.2.
The driver uses version 1.1.1 (the new ivtls28.dll library)
The driver uses version 1.0.2 (the existing ivssl28.dll library)
If the OpenSSL library specified by the value used for AllowedOpenSSLVersions is not found, then the connection will fail.
SSLLibName
- Specifies the absolute path for the OpenSSL library file containing the SSL library to be used by the data source or connection when SSL is enabled.
CryptoLibName
- Specifies the absolute path for the OpenSSL library file containing the cryptographic library to be used by the data source or connection when SSL is enabled.
Miscellaneous
Several ODBC drivers also make use of the OpenSSL library for purposes that are not strictly SSL related. Below is the list of drivers that use cryptographic functions in the OpenSSL library.
- DB2 driver
  - AES Encryption
- Oracle driver
  - Oracle Advanced Security
  - Oracle Wallet
OpenSSL 1.1.1 includes support for TLS version 1.3 and discontinues support for SSLv2. However, TLS version 1.3 is not currently supported in the DataDirect ODBC drivers (this is noted in the product documentation). As a result, the updated drivers support SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2.
The following ciphers are reported by the build of OpenSSL 1.0.2 but not by the build of OpenSSL 1.1.1, so they can be considered unsupported by OpenSSL 1.1.1.
- DES-CBC3-MD5
- DES-CBC3-SHA
- DH-DSS-AES128-GCM-SHA256
- DH-DSS-AES128-SHA
- DH-DSS-AES128-SHA256
- DH-DSS-AES256-GCM-SHA384
- DH-DSS-AES256-SHA
- DH-DSS-AES256-SHA256
- DH-DSS-DES-CBC3-SHA
- DH-DSS-SEED-SHA
- DHE-DSS-AES128-GCM-SHA256
- DHE-DSS-AES128-SHA
- DHE-DSS-AES128-SHA256
- DHE-DSS-AES256-GCM-SHA384
- DHE-DSS-AES256-SHA
- DHE-DSS-AES256-SHA256
- DHE-DSS-SEED-SHA
- DHE-RSA-SEED-SHA
- DH-RSA-AES128-GCM-SHA256
- DH-RSA-AES128-SHA
- DH-RSA-AES128-SHA256
- DH-RSA-AES256-GCM-SHA384
- DH-RSA-AES256-SHA
- DH-RSA-AES256-SHA256
- DH-RSA-DES-CBC3-SHA
- DH-RSA-SEED-SHA
- ECDH-ECDSA-AES128-GCM-SHA256
- ECDH-ECDSA-AES128-SHA
- ECDH-ECDSA-AES128-SHA256
- ECDH-ECDSA-AES256-GCM-SHA384
- ECDH-ECDSA-AES256-SHA
- ECDH-ECDSA-AES256-SHA384
- ECDH-ECDSA-DES-CBC3-SHA
- ECDH-ECDSA-RC4-SHA
- ECDHE-ECDSA-DES-CBC3-SHA
- ECDHE-ECDSA-RC4-SHA
- ECDHE-RSA-DES-CBC3-SHA
- ECDHE-RSA-RC4-SHA
- ECDH-RSA-AES128-GCM-SHA256
- ECDH-RSA-AES128-SHA
- ECDH-RSA-AES128-SHA256
- ECDH-RSA-AES256-GCM-SHA384
- ECDH-RSA-AES256-SHA
- ECDH-RSA-AES256-SHA384
- ECDH-RSA-DES-CBC3-SHA
- ECDH-RSA-RC4-SHA
- EDH-DSS-DES-CBC3-SHA
- EDH-RSA-DES-CBC3-SHA
- PSK-3DES-EDE-CBC-SHA
- PSK-RC4-SHA
- RC2-CBC-MD5
- RC4-MD5
- RC4-SHA
- SEED-SHA
- SRP-3DES-EDE-CBC-SHA
- SRP-DSS-3DES-EDE-CBC-SHA
- SRP-DSS-AES-128-CBC-SHA
- SRP-DSS-AES-256-CBC-SHA
- SRP-RSA-3DES-EDE-CBC-SHA
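A pinned cipher string can be checked against this list before a data source is moved to the 1.1.1 library. The following added example (not Progress code) does that for explicit cipher names only; aliases such as HIGH are passed through unevaluated, and the sample cipher strings are constructed.

```python
import re

# Names copied from the list on this page (reported by the 1.0.2 build only).
REMOVED = frozenset("""
DES-CBC3-MD5 DES-CBC3-SHA DH-DSS-AES128-GCM-SHA256 DH-DSS-AES128-SHA
DH-DSS-AES128-SHA256 DH-DSS-AES256-GCM-SHA384 DH-DSS-AES256-SHA
DH-DSS-AES256-SHA256 DH-DSS-DES-CBC3-SHA DH-DSS-SEED-SHA
DHE-DSS-AES128-GCM-SHA256 DHE-DSS-AES128-SHA DHE-DSS-AES128-SHA256
DHE-DSS-AES256-GCM-SHA384 DHE-DSS-AES256-SHA DHE-DSS-AES256-SHA256
DHE-DSS-SEED-SHA DHE-RSA-SEED-SHA DH-RSA-AES128-GCM-SHA256 DH-RSA-AES128-SHA
DH-RSA-AES128-SHA256 DH-RSA-AES256-GCM-SHA384 DH-RSA-AES256-SHA
DH-RSA-AES256-SHA256 DH-RSA-DES-CBC3-SHA DH-RSA-SEED-SHA
ECDH-ECDSA-AES128-GCM-SHA256 ECDH-ECDSA-AES128-SHA ECDH-ECDSA-AES128-SHA256
ECDH-ECDSA-AES256-GCM-SHA384 ECDH-ECDSA-AES256-SHA ECDH-ECDSA-AES256-SHA384
ECDH-ECDSA-DES-CBC3-SHA ECDH-ECDSA-RC4-SHA ECDHE-ECDSA-DES-CBC3-SHA
ECDHE-ECDSA-RC4-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA
ECDH-RSA-AES128-GCM-SHA256 ECDH-RSA-AES128-SHA ECDH-RSA-AES128-SHA256
ECDH-RSA-AES256-GCM-SHA384 ECDH-RSA-AES256-SHA ECDH-RSA-AES256-SHA384
ECDH-RSA-DES-CBC3-SHA ECDH-RSA-RC4-SHA EDH-DSS-DES-CBC3-SHA
EDH-RSA-DES-CBC3-SHA PSK-3DES-EDE-CBC-SHA PSK-RC4-SHA RC2-CBC-MD5 RC4-MD5
RC4-SHA SEED-SHA SRP-3DES-EDE-CBC-SHA SRP-DSS-3DES-EDE-CBC-SHA
SRP-DSS-AES-128-CBC-SHA SRP-DSS-AES-256-CBC-SHA SRP-RSA-3DES-EDE-CBC-SHA
""".split())


def audit(cipher_string):
    """Split an OpenSSL cipher string and return (removed, kept): the
    explicitly enabled names found in REMOVED, and every other enabled token."""
    removed, kept = [], []
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        if not token or token.startswith("@"):
            continue  # empty field or a directive such as @STRENGTH
        if token[0] in "!-+":
            continue  # "!" and "-" remove, "+" only reorders; none enables
        (removed if token in REMOVED else kept).append(token)
    return removed, kept


# Constructed cipher strings, as an application might pin them.
MIXED = "ECDHE-RSA-AES256-GCM-SHA384:DES-CBC3-SHA:RC4-SHA:!RC4-MD5:HIGH:@STRENGTH"
LEGACY = "DHE-DSS-AES256-SHA:DES-CBC3-SHA"

if __name__ == "__main__":
    for label, value in (("MIXED", MIXED), ("LEGACY", LEGACY)):
        removed, kept = audit(value)
        print(label, "removed:", removed, "kept:", kept)
```

An empty `kept` list, as for `LEGACY`, means every cipher the string names appears in the list above.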
The libcurl library is a pre-existing library shipped as part of the ODBC installations. It now statically links OpenSSL 1.1.1. The files for the libcurl library are <yy>curl<xx>.dll on Windows and lib<yy>curl<xx>.so [.sl | .a ] on Unix.
The libcurl library is used by several drivers, including:
- Drivers using HTTP proxy support
- SQL Server Wire Protocol: Used by the Always Encrypted feature to communicate with the Azure KeyVault, as well as by Azure Active Directory authentication
- Apache Hive and Apache Spark SQL Wire Protocol: Used for HTTP Transport Mode.