17.10 - SSLMODE - Call-Level Interface Version 2

Teradata® Call-Level Interface Version 2 Reference for Workstation-Attached Systems

Product: Call-Level Interface Version 2
Release Number: 17.10
Release Date: October 2021
Content Type: Programming Reference
Publication ID: B035-2418-061K
Language: English (United States)

Usage Notes

The SSLMODE parameter specifies the requested SSL/TLS mode for a connection to a server.

Language Variable Name
  COBOL: DBCAREA-SSLMODE
  C: DBCAREA.H: sslmode
Routine Action Taken
  DBCHINI: writes
  DBCHCL: reads (CON)
Used by Action Taken
  application program: writes

The application sets SSLMODE to the mode it wants used for the connection to the server. The following values are supported:

Value  Description

D  disable
   Establish an unencrypted connection using the non-TLS port. If data_encryption=Y is specified in clispb.dat or DBCAREA, the TeraGSS encryption mechanism is used.

A  allow
   Establish an unencrypted connection using the non-TLS port. If data_encryption=Y is specified in clispb.dat or DBCAREA, the TeraGSS encryption mechanism is used. If the server is configured to accept connections on the non-TLS port but the attempt to connect to that port fails (for example, a timeout), the connection attempt fails and returns an error.

   This is the default value for CLI.

   An encrypted (TLS) connection is used as a fallback only when the administrator has disabled the non-TLS port and enabled the TLS port.

P  prefer
   Establish an encrypted (TLS) connection if the server supports TLS and the TLS port is enabled. If the server is configured to accept connections on the TLS port but the attempt to connect to that port fails (for example, a timeout), the connection attempt fails and returns an error.

   An unencrypted connection to the non-TLS port is used in the following fallback scenarios:

     • The administrator has disabled the TLS port.
     • The server does not support TLS.

R  require
   Establish an encrypted (TLS) connection if the server supports TLS connections. The connection attempt fails if a TLS connection cannot be established; there is no fallback to the non-TLS port.

C  verify-ca
   Similar to require, but additionally verify the server's Certificate Authority (CA) certificate against the configured trusted CA certificates. The connection attempt fails if no valid matching CA certificate is found.

F  verify-full
   Similar to verify-ca, but additionally perform host name identity verification by checking the host name the client uses to connect to the server against the identity in the certificate the server sends. The client checks whether that host name matches either a Subject Alternative Name value or the Common Name value in the server certificate.

   The connection fails if there is a mismatch. For encrypted connections, this option helps prevent man-in-the-middle attacks.

   In verify-full mode, the host name is matched against the certificate's Subject Alternative Name attribute(s), or against the Common Name attribute if no Subject Alternative Name of type "DNS Name" is present. If the certificate's name attribute starts with an asterisk (*), the asterisk is treated as a wildcard that matches any characters except a dot (.). This means the certificate does not match subdomains. If the connection is made using an IP address instead of a host name, the IP address itself is matched (no DNS lookup is performed).
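The following C program is an added illustration of the verify-full matching rules described above; it is not part of this reference or of the CLI library, and struct cert_names, cert_name_matches and verify_full_host_matches are hypothetical names chosen for the example. It models the certificate's name attributes as plain strings (constructed sample values, not real certificates) and encodes three points from the text: a leading asterisk matches only within one label, so subdomains do not match; the Common Name is consulted only when the certificate carries no DNS Name SAN; and an IP address is compared literally without a DNS lookup. Two details the text leaves open are assumptions here: the wildcard must cover at least one character, and an IP address is compared against the certificate's IP Address SAN entries. It also goes slightly beyond the text by comparing DNS names case-insensitively, which is how DNS names are defined.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality; DNS names are compared without regard to case. */
static bool name_ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == '\0' && *b == '\0';
}

/* Match one certificate name attribute against the host name, following the
 * verify-full rule above: a leading '*' is a wildcard that matches any run of
 * characters except '.', so "*.example.com" matches "db.example.com" but not
 * "a.db.example.com". Assumption: the wildcard must cover at least one character. */
bool cert_name_matches(const char *pattern, const char *host) {
    if (pattern[0] != '*') return name_ieq(pattern, host);
    const char *suffix = pattern + 1;            /* text after the asterisk */
    size_t suffix_len = strlen(suffix), host_len = strlen(host);
    if (host_len <= suffix_len) return false;    /* nothing left for the wildcard */
    size_t wild_len = host_len - suffix_len;
    for (size_t i = 0; i < wild_len; i++)
        if (host[i] == '.') return false;        /* wildcard never crosses a label boundary */
    return name_ieq(suffix, host + wild_len);
}

/* Hypothetical, simplified view of the name attributes in a server certificate.
 * Each array is NULL-terminated. */
struct cert_names {
    const char *dns_sans[4];   /* Subject Alternative Name entries of type DNS Name */
    const char *ip_sans[4];    /* Subject Alternative Name entries of type IP Address */
    const char *common_name;   /* Subject Common Name, or NULL */
};

/* Crude IP-literal test: anything with ':' (IPv6) or made only of digits and dots (IPv4). */
static bool looks_like_ip(const char *s) {
    bool digits_and_dots = (*s != '\0');
    for (const char *p = s; *p; p++) {
        if (*p == ':') return true;
        if (!isdigit((unsigned char)*p) && *p != '.') digits_and_dots = false;
    }
    return digits_and_dots;
}

/* The verify-full identity check as described above:
 *  - an IP address is compared literally, with no DNS lookup (assumption: against
 *    the certificate's IP Address SAN entries);
 *  - otherwise DNS Name SANs are consulted, and the Common Name is used only when
 *    the certificate carries no DNS Name SAN at all. */
bool verify_full_host_matches(const struct cert_names *c, const char *host) {
    if (looks_like_ip(host)) {
        for (int i = 0; c->ip_sans[i]; i++)
            if (strcmp(c->ip_sans[i], host) == 0) return true;
        return false;
    }
    if (c->dns_sans[0] != NULL) {
        for (int i = 0; c->dns_sans[i]; i++)
            if (cert_name_matches(c->dns_sans[i], host)) return true;
        return false;                            /* CN is ignored once a DNS SAN exists */
    }
    return c->common_name != NULL && cert_name_matches(c->common_name, host);
}

/* Constructed sample certificates (not real certificates). */
const struct cert_names sample_cert = {
    .dns_sans = {"*.example.com", "db.example.org", NULL},
    .ip_sans = {"192.0.2.10", NULL},
    .common_name = "old.example.net",
};
const struct cert_names cn_only_cert = {
    .dns_sans = {NULL},
    .ip_sans = {NULL},
    .common_name = "*.example.net",
};

int main(void) {
    const char *hosts[] = {"db.example.com", "a.db.example.com", "DB.EXAMPLE.ORG",
                           "old.example.net", "192.0.2.10", "192.0.2.11"};
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-18s -> %s\n", hosts[i],
               verify_full_host_matches(&sample_cert, hosts[i]) ? "match" : "MISMATCH");
    return 0;
}
```

Running it shows why verify-full is the mode that defeats a man-in-the-middle: "old.example.net" is rejected even though it is the certificate's Common Name, because a DNS Name SAN is present, and "a.db.example.com" is rejected because the wildcard stops at the first dot.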