IBM Support

In IBM InfoSphere Information Server, how do I select the OpenSSL version to be used by the Progress DataDirect ODBC drivers?

Troubleshooting


Problem

The DataDirect ODBC drivers now install the OpenSSL 3.0.9 library (VMopenssl30.so, file version 08.02.0486).

Symptom

The ODBC connection fails.

Cause

The minimum required length for the Diffie-Hellman key exchange was increased to 1024 bits.
When accessing databases that have not been fixed to address the "Logjam" vulnerability, this change can cause connections to fail.

Resolving The Problem

Upgrade to the latest DataDirect ODBC Driver Set, which includes OpenSSL 3.0.9.
Note: OpenSSL 1.0.2d binaries are dropped from the DataDirect Driver Set starting April 2023, because OpenSSL.org stopped supporting OpenSSL 1.0.2d long ago.
For more information, refer to https://www.openssl.org/policies/releasestrat.html
Also refer to "Deprecation of OpenSSL 1.0.2 in DataDirect ODBC 8.0 and 7.1 drivers": https://community.progress.com/s/article/Deprecation-of-OpenSSL-1-0-2-in-DataDirect-ODBC-8-0-and-7-1-drivers

Advantages and Risks involved with different versions of library

The following table lists the advantages and risks of the different versions of the library. Each entry gives the library version, then its advantages, then its risks.

Library version 1.0.2d

Advantages:
- Supports TLS 1.1 and 1.2
- Includes fixes for the Logjam vulnerability (CVE-2015-4000)
- Supports OpenSSL beyond 31 December 2015

Risks:
- To resolve the Logjam vulnerability, the minimum required length for the Diffie-Hellman key exchange was increased to 768 bits. Upgrading can cause connections to some databases, such as MySQL 5.5, build 45 or earlier, to fail.
- Alterations to the SSL handshake resulting from TLS 1.1 and 1.2 support can cause connections to certain databases, such as Oracle 11g R2 (11.2.0.1), to fail.

Library version 1.0.2h

Advantages:
Upgrading to 1.0.2h provides the following advantages, in addition to the advantages of 1.0.2d:
- Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
- EVP_EncodeUpdate overflow (CVE-2016-2105)
- EVP_EncryptUpdate overflow (CVE-2016-2106)
- ASN.1 BIO excessive memory allocation (CVE-2016-2109)
- EBCDIC overread (CVE-2016-2176)
- Provides stronger cryptographic assurance against the "Logjam" vulnerability (CVE-2015-4000)
- Fixes the "DH small subgroups" vulnerability (CVE-2016-0701)
- Fixes the "SSLv2 doesn't block disabled ciphers" vulnerability (CVE-2015-3197)
- Fixes the "BN_mod_exp may produce incorrect results on x86_64" vulnerability (CVE-2015-3193)
- Fixes the "Certificate verify crash with missing PSS parameter" vulnerability (CVE-2015-3194)
- Fixes the "X509_ATTRIBUTE memory leak" vulnerability (CVE-2015-3195)
- Fixes the "missing Memory allocation success checks in doapr_outch function in crypto/bio/b_print.c" (CVE-2016-2842)
- Fixes the "Cross-protocol attack on TLS using SSLv2 (DROWN)" (CVE-2016-0800)
- Fixes the "memory issues in BIO_*printf functions" (CVE-2016-0799)
- Fixes the "Memory leak in SRP database lookups" (CVE-2016-0798)
- Fixes the "Double-free in DSA code" (CVE-2016-0705)
- Fixes the "Side channel attack on modular exponentiation" (CVE-2016-0702)

Risks:
In addition to the risks associated with 1.0.2d, upgrading to version 1.0.2h includes the following risk:
- To improve protection against the "Logjam" vulnerability, the minimum required length for the Diffie-Hellman key exchange was increased to 1024 bits. When accessing databases that have not been fixed to address the "Logjam" vulnerability, this change can cause connections to fail. You can work around this issue by disabling Diffie-Hellman cipher suites.

Library version 1.0.2j

Advantages:
Upgrading to 1.0.2j provides the following advantages, in addition to the advantages of 1.0.2h and 1.0.2d:
- Fixes pointer arithmetic for heap-buffer boundary checks (CVE-2016-2177)
- Fixes improper use of constant-time operations (CVE-2016-2178)
- Fixes out-of-bounds read in the TS_OBJ_print_bio function (CVE-2016-2180)
- Fixes an out-of-bounds write in the BN_bn2dec() function (CVE-2016-2182)
- Fixes an out-of-bounds write in the MDC2_Update() function (CVE-2016-6303)
- Fixes out-of-bounds message reads (CVE-2016-6306)

Risks:
In addition to the risks associated with 1.0.2h and 1.0.2d, upgrading to version 1.0.2j includes the following risk:
CVE-2016-2183 - SWEET32 Mitigation
- This flaw is related to the design of the DES/3DES cipher and is not an implementation flaw. To avoid this vulnerability, disable the DES/3DES ciphers and consider them as bad as "RC4".
- To disable them on the client side, use the hidden connection option "CipherList".
  If you are not currently using this option, add "DEFAULT:-DES:-3DES" to your DSN.
  If you are already using this option, add ":-DES:-3DES" to the existing list.

Library version 1.0.2k

Advantages:
- Truncated packet could crash via OOB read (CVE-2017-3731)
- BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
- Montgomery multiplication may produce incorrect results (CVE-2016-7055)

Risks:
No new risks.

Library version 1.0.2n

Advantages:
- Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)
- bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
- rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)

Risks:
No new risks.

Library version 1.0.2r

Advantages:
- Client DoS due to large DH parameter (CVE-2018-0732)
- Timing vulnerability in DSA signature generation (CVE-2018-0734)
- Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)

Risks:
- CVE-2018-0732 – Turn off use of DHE cipher suites, either in the driver or on the server.
- CVE-2018-0734 – Turn off use of DSA cipher suites, either in the driver or on the server.
- CVE-2018-5407 – Turn off use of ECDSA and ECDH cipher suites, either in the driver or on the server.

Library version 1.1.1d

Advantages:
Upgrading to OpenSSL 1.1.1d has the following advantages in addition to the ones that are already supported.
- Windows builds with insecure path defaults (CVE-2019-1552)
- ECDSA remote timing attack (CVE-2019-1549)
Additionally, it has the following new features: Complete rewrite of the OpenSSL random number generator to introduce the following capabilities, Support for various new cryptographic algorithms

Risks:
- SSLv2 support is discontinued
- A few ciphers are deprecated. For more details, see the Progress KB article "Support for OpenSSL 1.1.1".

Library version 1.1.1g

Advantages:
Upgrading to OpenSSL 1.1.1g has the following advantages in addition to the ones that are already supported.
- Overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (CVE-2019-1551)

Risks:
- CVE-2019-1551 – Turn off use of DHE cipher suites, either in the driver or on the server.

Library version 1.1.1k

Advantages:
Upgrading to OpenSSL 1.1.1k has the following advantages in addition to the ones that are already supported.
- OpenSSL is vulnerable to a denial of service, caused by an integer overflow in CipherUpdate. By sending an overly long argument, an attacker could exploit this vulnerability to cause the application to crash. (CVE-2021-23840)
- OpenSSL could allow a remote attacker to bypass security restrictions, caused by a missing check in the validation logic of X.509 certificate chains by the X509_V_FLAG_X509_STRICT flag. By using any valid certificate or certificate chain to sign a specially crafted certificate, an attacker could bypass the check that non-CA certificates must not be able to issue other certificates and override the default purpose (CVE-2021-3450)

Library version 1.1.1l

Advantages:
Upgrading to OpenSSL 1.1.1l has the following advantages in addition to the ones that are already supported.
- Fix to SM2 Decryption Buffer Overflow (CVE-2021-3711)

Library version 1.1.1n

Advantages:
Upgrading to OpenSSL 1.1.1n has the following advantages in addition to the ones that are already supported.
- Infinite loop vulnerability when parsing an invalid certificate, which can result in a Denial-of-Service (DoS) to the application (CVE-2022-0778)

Library version 1.1.1t

Advantages:
Upgrading to OpenSSL 1.1.1t has the following advantages in addition to the ones that are already supported.
- X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
- Timing Oracle in RSA Decryption (CVE-2022-4304)
- Use-after-free following BIO_new_NDEF (CVE-2023-0215)
- Double free after calling PEM_read_bio_ex (CVE-2022-4450)

Library version 3.0.9

Advantages:
Upgrading to OpenSSL 3.0.9 has the following advantages in addition to the ones that are already supported.
- Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow (CVE-2023-2650)
- Input buffer over-read in AES-XTS implementation on 64 bit ARM (CVE-2023-1255)
- Invalid certificate policies in leaf certificates are silently ignored (CVE-2023-0465)
- Certificate policy check not enabled (CVE-2023-0466)
- Excessive Resource Usage Verifying X.509 Policy Constraints (CVE-2023-0464)

For more information, refer to the ODBCREADME.TXT/ODBC64README.TXT shipped with the product.

Notes:
1. The OpenSSL library files provided by Progress combine the cryptographic and SSL libraries into a single file. Therefore, when your drivers are using a Progress library file, the values specified for the CryptoLibName and SSLLibName options must be the same.
For non-Progress library files, the libraries may use separate files, which would require unique values to be specified.
2. This option can be used to designate OpenSSL libraries not installed by the product. However, the drivers are certified only against libraries provided by Progress.
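
One way to check existing DSNs against the SWEET32 guidance in the 1.0.2j entry and against Note 1 above, as an added example that is not IBM or Progress code. It assumes a UNIX-style odbc.ini with colon-separated CipherList values; the DSN names and library paths in SAMPLE are constructed.

```python
import configparser

HOUSEKEEPING = {"ODBC Data Sources", "ODBC"}  # odbc.ini sections that are not DSNs

def _excluded(tokens, alias):
    """True if alias is removed and no later token can re-add it."""
    if "!" + alias in tokens:  # "!X" removes X permanently in OpenSSL cipher strings
        return True
    if "-" + alias not in tokens:
        return False
    last = len(tokens) - 1 - tokens[::-1].index("-" + alias)
    # Later tokens without a -, !, + or @ prefix add ciphers and may re-add X.
    return all(t[0] in "-!+@" for t in tokens[last + 1:])

def hardened_cipher_list(current):
    """Page's rule: unset -> DEFAULT:-DES:-3DES, else append the missing exclusions."""
    if not current or not current.strip():
        return "DEFAULT:-DES:-3DES"
    tokens = [t for t in current.strip().split(":") if t]
    for alias in ("DES", "3DES"):
        if not _excluded(tokens, alias):
            tokens.append("-" + alias)
    return ":".join(tokens)

def audit_odbc_ini(text):
    """Return {dsn: [findings]} for each DSN section of an odbc.ini."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)  # configparser lower-cases option names
    report = {}
    for dsn in (s for s in cp.sections() if s not in HOUSEKEEPING):
        opts, findings = cp[dsn], []
        wanted = hardened_cipher_list(opts.get("cipherlist"))
        if wanted != opts.get("cipherlist"):
            findings.append("set CipherList=" + wanted)
        if opts.get("cryptolibname") != opts.get("ssllibname"):
            findings.append("CryptoLibName and SSLLibName differ")
        report[dsn] = findings
    return report

# Constructed sample odbc.ini: DSN names and library paths are made up.
SAMPLE = """[ODBC Data Sources]
[Sales]
CryptoLibName=/opt/example/lib/crypto_only.so
SSLLibName=/opt/example/lib/ssl_only.so
[Legacy]
CipherList=-3DES:HIGH
[Clean]
CipherList=DEFAULT:-DES:-3DES
"""
```

Calling audit_odbc_ini(SAMPLE) flags Sales and Legacy and returns an empty list for Clean. A library-name mismatch is only a finding when the DSN uses a Progress-supplied library file, since non-Progress libraries may legitimately use separate files.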

Change History:
07 February 2017 Published updated drivers for OpenSSL versions 1.0.2j, 1.0.2d, 1.0.0r
24 February 2017 No further updates will be provided for OpenSSL version 1.0.0r

26 May 2017 OpenSSL drivers upgrade to 1.0.2k version

20 April 2018 OpenSSL drivers upgrade to 1.0.2n version

08 May 2019 OpenSSL drivers upgrade to 1.0.2r version

13 January 2020 OpenSSL drivers upgrade to 1.1.1d version

02 November 2020 OpenSSL drivers upgrade to 1.1.1g version

22 July 2021 OpenSSL drivers upgrade to 1.1.1k version

12 November 2021 OpenSSL drivers upgrade to 1.1.1l version

01 June 2022 OpenSSL drivers upgrade to 1.1.1n version

14 April 2023 OpenSSL drivers upgrade to 1.1.1t version

28 November 2023 OpenSSL drivers upgrade to 3.0.9 version

Document Information

Modified date:
23 November 2023

UID

swg21980217