Connecting to Sybase ASE from Tomcat using SSL

We've got a setup with a Tomcat client connecting via JDBC to a Sybase 15.7 SP138 instance which has SSL enabled.

The connection is defined as a URL, but we're having issues with the syntax. We keep getting SSL errors like this:

SSL or Crypto Error Message: 'An SSL protocol error occurred during the underlying SSL operation. Root error: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter'.

The current URL looks like this (host:port/db replaced):

jdbc:sybase:Tds:host:port/db?ENABLE_SSL=true&SSL_TRUST_ALL_CERTS=true

The root certificate and intermediate certificates have also been imported into the local keystore. We also tried without SSL_TRUST_ALL_CERTS, but no luck.

Other clients (not Tomcat) can connect without issue using SSL.

Any idea what we're doing wrong?

Thanks


1 Answer

  • Oct 02, 2017 at 04:26 PM

    Hi Jeroen,

    I haven't used Tomcat to test SSL yet, but here is an example for a standard Java client using our JDBC driver:
    https://wiki.scn.sap.com/wiki/x/rImyGw

    Looks like you are past this, as you have other SSL clients working correctly.

    Are you able to validate what SSL protocol is being used by Tomcat?

    In ASE 15.7 SP137 we implemented new SSL protocols, TLS 1.1 and TLS 1.2.
    https://wiki.scn.sap.com/wiki/x/mo_rGg

    We also deprecated the old SSL v2 and v3.
    Default is TLS 1.0 (SSLv3.1).

    You can check what protocol is supported by ASE with:
    openssl s_client -connect <asehost>:<aseport> -ssl3
    openssl s_client -connect <asehost>:<aseport> -tls1_2

    You can check what protocol is being used by the client side using Wireshark / the TDS packets.
    Example:

    You may have to tell Wireshark what your SSL port is.
    Edit > Preferences > Protocols > http > ssl/tls ports = your port

    Hope this helps.

    Regards,
    Ryan
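
The protocol check from the answer above, extended as an added example (not part of the original answer or of SAP's tooling) to try each protocol flag in turn and classify what the ASE listener did with it. `-tls1` and `-tls1_1` are further standard `openssl s_client` flags; the function names, the script name and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Usage (script name is hypothetical): ./ase_tls_probe.sh <asehost> <aseport>

# Constructed sample of s_client output for a refused handshake; the alert
# text is the one quoted in the question, the rest is illustrative.
SAMPLE_REJECTED='CONNECTED(00000003)
140000000000000:error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter:s3_pkt.c:0:SSL alert number 47
New, (NONE), Cipher is (NONE)'

# classify_handshake: read `openssl s_client` output on stdin, print one verdict.
classify_handshake() {
    out=$(cat)
    # The local openssl build may lack a protocol flag (often -ssl3).
    # Assumption: the exact wording differs between OpenSSL versions.
    if printf '%s\n' "$out" | grep -qiE 'unknown option|unrecognized flag'; then
        echo "unsupported-by-local-openssl"; return 0
    fi
    # A TLS alert sent by the peer, e.g. "sslv3 alert illegal parameter".
    alert=$(printf '%s\n' "$out" |
        sed -nE 's/.*:((sslv3|tlsv1) alert [a-z ]+):.*/\1/p' | head -n 1)
    # Negotiated version as reported in the SSL-Session block.
    proto=$(printf '%s\n' "$out" |
        sed -nE 's/^ *Protocol *: *([A-Za-z0-9.]+).*/\1/p' | head -n 1)
    # Check failures first: a failed handshake can still print a Protocol line.
    if [ -n "$alert" ]; then
        echo "rejected: $alert"
    elif [ -z "$proto" ] || printf '%s\n' "$out" | grep -qF 'Cipher is (NONE)'; then
        echo "no-handshake"
    else
        echo "accepted: $proto"
    fi
}

# probe <host> <port> <protocol-flag>: one handshake attempt, stdin closed
# so s_client exits as soon as the handshake finishes.
probe() {
    openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 | classify_handshake
}

# Run the full sweep only when a host and port are given.
if [ "$#" -eq 2 ]; then
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        printf '%-8s %s\n' "$flag" "$(probe "$1" "$2" "$flag")"
    done
fi
```

Comparing the accepted versions with the version in the ClientHello that Tomcat's JVM sends (visible in Wireshark) shows whether the two sides have any protocol version in common.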