Support for OpenSSL 1.1.1

Title: Support for OpenSSL 1.1.1
URL Name: Support-for-OpenSSL-1-1-1
Article Number: 000149879
Environment:
  Product: Connect for ODBC Drivers
  Version: 7.1, 8.0
  O/S: All Supported
  Database: All Supported
  Application: N/A
Question/Problem Description: Changes to support for OpenSSL
Resolution

Details of the security-related changes in the Progress DataDirect products are noted below.

  • OpenSSL library has been upgraded to 1.1.1
  • Java 1.7 is no longer supported


OpenSSL Related Changes

Version 1.0.2 of the OpenSSL library is scheduled to reach the end of its product life cycle in December 2019. As a result, we will no longer be able to deliver security and bug fixes to products using this library after that date. To address this issue, patches for the 8.0 and 7.1 versions of the ODBC drivers are now available that provide support for the latest version of the OpenSSL library, 1.1.1. In addition to shipping a fully supported version of the library, we will continue to ship version 1.0.2 to allow you to continue to access your data until you are ready to migrate to the newest version.


Below is the list of 8.0 and 7.1 drivers that are updated to include OpenSSL 1.1.1:

  • Connect ODBC 7.1 Drivers - Oracle, SQL Server, Redshift, Hive, Db2, Greenplum, PostgreSQL, Impala, Informix, MySQL, OpenEdge, SybaseASE, SybaseIQ, Teradata
  • Connect ODBC 8.0 Drivers - Oracle, SQL Server, Redshift, Hive, Spark


About the Library Files

The following contains general information about the OpenSSL library files.

Note: The 8.0 and 7.1 versions of the installer program install both versions of the OpenSSL libraries.

New OpenSSL Library (1.1.1)
  • Windows: ivtls<xx>.dll (32-bit) | ddtls<xx>.dll (64-bit)
  • UNIX: libivtls<xx>.so [ .sl | .a ] (32-bit) | libddtls<xx>.so [ .a ] (64-bit)
  • Uses version 1.1.1d, which is the latest patch release of OpenSSL.

Earlier OpenSSL Library (1.0.2)

  • Windows: ivssl<xx>.dll (32-bit) | ddssl<xx>.dll (64-bit)
  • UNIX: libivssl<xx>tls.so [ .sl | .a ] (32-bit) | libddssl<xx>.so [ .a ] (64-bit)
  • Uses OpenSSL 1.0.2r.

OpenSSL is planning to release an update to version 1.0.2 of the library (1.0.2t). A final patch will be released once OpenSSL has made that update available.

NOTE: Filename suffixes are based on the driver version. For 7.1, the suffix is 27 and for 8.0, the suffix is 28. For example, ivssl28.dll is for version 8.0 while ivssl27.dll is for version 7.1.

There are two reasons for the different library names:
  1) When we released support for OpenSSL 1.1.1, we were supporting both OpenSSL 1.0.2 and OpenSSL 1.1.1 at the same time, so the two libraries cannot have the same name.
  2) There were also changes to the OpenSSL APIs, so we need a way to distinguish the libraries to determine the best way to load them.

Designating an OpenSSL Library

OpenSSL 1.1.1 is now the default version of SSL loaded by the drivers; however, for now the drivers transparently fall back to OpenSSL 1.0.2. In a future update, the drivers will no longer transparently fall back to 1.0.2.

You can specify which version of the OpenSSL library the drivers use via the following connection options:


AllowedOpenSSLVersions

A new connection option that specifies which version of the OpenSSL library file the driver uses for data encryption. This is a string value with the following valid values:

  • latest: a special value that tells the driver to use the latest supported version. Currently, this is a synonym for 1.1.1.
  • 1.1.1,1.0.2 (default): the driver attempts to use version 1.1.1. If it is not found, it transparently falls back to using version 1.0.2.
  • 1.1.1: the driver uses version 1.1.1 (the new ivtls28.dll library).
  • 1.0.2: the driver uses version 1.0.2 (the existing ivssl28.dll library).

If the OpenSSL library specified by the value of AllowedOpenSSLVersions is not found, the connection fails.
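The selection rules above, modelled as an added Python example (this is illustrative code, not the DataDirect driver's own implementation). It assumes a Windows install directory, simulated as a set of file names, and uses only the library names and 27/28 suffixes given in this article.

```python
"""Model of how AllowedOpenSSLVersions picks an OpenSSL library (constructed example)."""

# Windows library prefixes by OpenSSL version and architecture, as listed in the article.
# The <xx> suffix is 27 for driver 7.1 and 28 for driver 8.0.
_PREFIX = {
    ("1.1.1", 32): "ivtls",
    ("1.1.1", 64): "ddtls",
    ("1.0.2", 32): "ivssl",
    ("1.0.2", 64): "ddssl",
}
_SUFFIX = {"7.1": "27", "8.0": "28"}
_KNOWN_VERSIONS = ("1.1.1", "1.0.2")


def library_name(version, driver_version, bits=32):
    """File name the driver looks for, e.g. ivtls28.dll for 1.1.1 on driver 8.0, 32-bit."""
    return f"{_PREFIX[(version, bits)]}{_SUFFIX[driver_version]}.dll"


def resolve_openssl(allowed, installed, driver_version="8.0", bits=32):
    """Return (version, file name) for the first allowed library that is installed.

    'latest' is a synonym for 1.1.1. An empty/absent value means the default
    "1.1.1,1.0.2": try 1.1.1 and transparently fall back to 1.0.2. If no listed
    library is present the connection fails, modelled here as a ValueError.
    """
    raw = (allowed or "1.1.1,1.0.2").strip()
    versions = ["1.1.1" if v.strip() == "latest" else v.strip() for v in raw.split(",")]
    for version in versions:
        if version not in _KNOWN_VERSIONS:
            raise ValueError(f"invalid AllowedOpenSSLVersions value: {version!r}")
        name = library_name(version, driver_version, bits)
        if name in installed:
            return version, name
    raise ValueError(f"no OpenSSL library found for AllowedOpenSSLVersions={raw!r}")


if __name__ == "__main__":
    # Constructed install directory: only the 1.0.2 library is present.
    install_dir = {"ivssl28.dll", "ivssl28_notes.txt"}
    print(resolve_openssl(None, install_dir))          # default falls back to 1.0.2
    try:
        resolve_openssl("latest", install_dir)         # 1.1.1 pinned, not installed
    except ValueError as err:
        print("connection fails:", err)
```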


SSLLibName

  • Specifies the absolute path of the OpenSSL library file containing the SSL library to be used by the data source or connection when SSL is enabled.

CryptoLibName

  • Specifies the absolute path of the OpenSSL library file containing the cryptographic library to be used by the data source or connection when SSL is enabled.


Miscellaneous

Several ODBC drivers also use the OpenSSL library for purposes that are not strictly SSL related. The following drivers use cryptographic functions in the OpenSSL library:

  • DB2 driver: AES encryption
  • Oracle driver: Oracle Advanced Security and Oracle Wallet

OpenSSL 1.1.1 adds support for TLS version 1.3 and discontinues support for SSLv2. However, TLS version 1.3 is not currently supported in the DataDirect ODBC drivers (this is noted in the product documentation). As a result, the updated drivers support SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2.


The following ciphers are reported by the build of OpenSSL 1.0.2 but not by the build of OpenSSL 1.1.1, so they can be considered unsupported by OpenSSL 1.1.1:

    • DES-CBC3-MD5
    • DES-CBC3-SHA
    • DH-DSS-AES128-GCM-SHA256
    • DH-DSS-AES128-SHA
    • DH-DSS-AES128-SHA256
    • DH-DSS-AES256-GCM-SHA384
    • DH-DSS-AES256-SHA
    • DH-DSS-AES256-SHA256
    • DH-DSS-DES-CBC3-SHA
    • DH-DSS-SEED-SHA
    • DHE-DSS-AES128-GCM-SHA256
    • DHE-DSS-AES128-SHA
    • DHE-DSS-AES128-SHA256
    • DHE-DSS-AES256-GCM-SHA384
    • DHE-DSS-AES256-SHA
    • DHE-DSS-AES256-SHA256
    • DHE-DSS-SEED-SHA
    • DHE-RSA-SEED-SHA
    • DH-RSA-AES128-GCM-SHA256
    • DH-RSA-AES128-SHA
    • DH-RSA-AES128-SHA256
    • DH-RSA-AES256-GCM-SHA384
    • DH-RSA-AES256-SHA
    • DH-RSA-AES256-SHA256
    • DH-RSA-DES-CBC3-SHA
    • DH-RSA-SEED-SHA
    • ECDH-ECDSA-AES128-GCM-SHA256
    • ECDH-ECDSA-AES128-SHA
    • ECDH-ECDSA-AES128-SHA256
    • ECDH-ECDSA-AES256-GCM-SHA384
    • ECDH-ECDSA-AES256-SHA
    • ECDH-ECDSA-AES256-SHA384
    • ECDH-ECDSA-DES-CBC3-SHA
    • ECDH-ECDSA-RC4-SHA
    • ECDHE-ECDSA-DES-CBC3-SHA
    • ECDHE-ECDSA-RC4-SHA
    • ECDHE-RSA-DES-CBC3-SHA
    • ECDHE-RSA-RC4-SHA
    • ECDH-RSA-AES128-GCM-SHA256
    • ECDH-RSA-AES128-SHA
    • ECDH-RSA-AES128-SHA256
    • ECDH-RSA-AES256-GCM-SHA384
    • ECDH-RSA-AES256-SHA
    • ECDH-RSA-AES256-SHA384
    • ECDH-RSA-DES-CBC3-SHA
    • ECDH-RSA-RC4-SHA
    • EDH-DSS-DES-CBC3-SHA
    • EDH-RSA-DES-CBC3-SHA
    • PSK-3DES-EDE-CBC-SHA
    • PSK-RC4-SHA
    • RC2-CBC-MD5
    • RC4-MD5
    • RC4-SHA
    • SEED-SHA
    • SRP-3DES-EDE-CBC-SHA
    • SRP-DSS-3DES-EDE-CBC-SHA
    • SRP-DSS-AES-128-CBC-SHA
    • SRP-DSS-AES-256-CBC-SHA
    • SRP-RSA-3DES-EDE-CBC-SHA

     

The libcurl library is a pre-existing library shipped as part of the ODBC installations. It now statically links OpenSSL 1.1.1. The files for the libcurl library are <yy>curl<xx>.dll on Windows and lib<yy>curl<xx>.so [ .sl | .a ] on UNIX.

The libcurl library is used by several drivers, including:
  • Drivers using HTTP proxy support
  • SQL Server Wire Protocol: used by the Always Encrypted feature to communicate with Azure Key Vault, as well as by Azure Active Directory authentication
  • Apache Hive and Apache Spark SQL Wire Protocol: used for HTTP transport mode
Last Modified Date: 7/7/2023 1:55 PM