
ODBC No Longer Working after TLS Encryption Update to Data Sources


bendavid


Hi PHP Freaks,

We run a server on Windows and are running PHP 7.4.13.  For several years we've been using PDO_ODBC to use our Windows ODBC data sources to connect to our third-party vendor SQLAnywhere database.  It's been working great.  Recently, our vendor adjusted their connections to use TLS encryption.  We adjusted our Windows data sources to use that encryption method, and they all work great!  That being said, we're now receiving an error:

"SQLSTATE[08S01] SQLConnect: -829 [SAP][ODBC Driver] TLS handshake failure1"

when the PHP function attempts to connect.  Here is the function with sensitive information changed:
 

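function c_connect() {
    // Connection handle shared with the rest of the script
    global $pdo_conn;

    // Show all errors while debugging
    ini_set('display_errors', 1);
    ini_set('display_startup_errors', 1);
    error_reporting(E_ALL);

    // Windows ODBC data source name and credentials (placeholders)
    $dsn = "odbc:MyDataSource";
    $odbcusername = "MyUsername";
    $odbcpassword = "MyPassword";

    try {
        $pdo_conn = new PDO($dsn, $odbcusername, $odbcpassword);
        $pdo_conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    } catch (Exception $e) {
        echo "Invalid Connection: ";
        // print_r() echoes the message and returns true, which die() then prints as "1"
        die(print_r($e->getMessage()));
    }
}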

I've been trying to find if something specific needs to be done to the "new PDO" line to account for the encryption and get the handshake to work, but can't find any information about it whatsoever.  The manual appears to not give any alternative options for PDO_ODBC other than the dsn, username and password.

Again, I've checked several times and the DSN, Username and Password are correct and the data source it's attempting to access works perfectly.

Does anyone know if additional steps need to be taken to get PDO_ODBC working to access a data source that has TLS encryption?

Kind Regards,

bendavid


I use neither ODBC nor SQL Anywhere, but my initial wild guess would be that it's failing to verify the server certificate.  Some quick googling suggests the trusted_certificate option might help.

Something else to try, though I don't think it'd make a difference, would be to set openssl.cafile to a custom CA bundle that includes your server's certificate.


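The trusted_certificate suggestion in the reply above, sketched as an added example that is not code from the thread: it checks the CA file before connecting, then passes the option in the PDO_ODBC connection string. The `Encryption=TLS(trusted_certificate=...)` parameter syntax, the file path and the helper names are assumptions, and the thread does not confirm that this resolves the error.

```php
<?php
// Added example, not code from the thread. Path and helper names are hypothetical.

// Return a list of problems with a PEM trust file; an empty list means it looks usable.
function check_ca_file(string $path): array
{
    $pem = is_readable($path) ? file_get_contents($path) : false;
    if ($pem === false) {
        return ["cannot read $path as the account PHP runs under"];
    }
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    $problems = $m[0] ? [] : ["no PEM certificates found in $path"];
    foreach ($m[0] as $i => $cert) {
        $info = openssl_x509_parse($cert);
        if ($info === false) {
            $problems[] = "certificate #$i does not parse";
        } elseif ($info['validFrom_time_t'] > time() || $info['validTo_time_t'] < time()) {
            $problems[] = "certificate #$i ({$info['name']}) is outside its validity period";
        }
    }
    return $problems;
}

function c_connect_tls(string $source, string $user, string $pass, string $caFile): PDO
{
    $problems = check_ca_file($caFile);
    if ($problems) {
        throw new RuntimeException('CA file check failed: ' . implode('; ', $problems));
    }
    // A ';' in the DSN makes PDO_ODBC hand the whole string to the driver as a
    // connection string, so driver parameters can follow the data source name.
    // Assumption: the SQL Anywhere driver accepts this Encryption syntax and lets it
    // override what is stored in the data source.
    $dsn = "odbc:DSN=$source;Encryption=TLS(trusted_certificate=$caFile)";
    return new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
}

try {
    $pdo_conn = c_connect_tls('MyDataSource', 'MyUsername', 'MyPassword', 'C:\\certs\\vendor-ca.pem');
} catch (Exception $e) {
    // Log the driver message instead of echoing it to the browser.
    error_log('Invalid Connection: ' . $e->getMessage());
    exit(1);
}
```

Running the file check as the same Windows account that serves PHP matters, since that account, not the one used in the ODBC administrator, is what has to read the certificate.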
  • 4 weeks later...
On 9/22/2023 at 6:26 PM, requinix said:

If your ODBC settings are correct, my first guess would be an outdated version of OpenSSL that doesn't support the TLS configuration you're trying to use.

What version of OpenSSL do you have, and what do your connection settings say about TLS?

PHP is showing OpenSSL 1.1.1h.

For TLS, the PHP registered stream socket transports are "tls, tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3".  When you say "connection settings" are we talking about that or the ODBC data sources?  The data sources are working correctly so I'm guessing you're talking about something else.


Just to give some context to anyone else that may encounter the same error, error "Invalid Connection: SQLSTATE[08S01]" is described as:

Quote

The cause of the issue is that the communication link between the driver and the data source to which the driver was attempting to connect failed before the function completed processing.


Looks like I'm likely good to go on the SSL version as TLS1.3 is installed.

On the face of it, it looks like the SAP ODBC driver is failing, but why is it failing in PHP and not in the data sources 🤔.  Especially when PDO ODBC is using the data sources.  🤔  The data sources are already connected to the certificate store and PDO ODBC doesn't appear to have options for pointing to a certificate store.

Does anyone know if successfully applying TLS settings to ODBC data sources is typically enough to continue to connect with previous PHP ODBC PDO connections?
