Jump to content

ODBC No Longer Working after TLS Encryption Update to Data Sources


bendavid

Recommended Posts

Hi PHP Freaks,

We run a server on Windows and are running PHP 7.4.13.  For several years we've been using PDO_ODBC to use our Windows ODBC data sources to connect to our third-party vendor SQLAnywhere database.  It's been working great.  Recently, our vendor adjusted their connections to use TLS encryption.  We adjusted our Windows data sources to use that encryption method, and they all work great!  That being said, we're now receiving an error:

"SQLSTATE[08S01] SQLConnect: -829 [SAP][ODBC Driver] TLS handshake failure1"

When the PHP function attempts to connect.  Here is the function with sensitive information changed:
 

function c_connect() {    
    global $pdo_conn;    
    
    ini_set('display_errors', 1);
    ini_set('display_startup_errors', 1);
    error_reporting(E_ALL);

    $dsn = "odbc:MyDataSource";
    $odbcusername = "MyUsername";
    $odbcpassword = "MyPassword";
    
    try {    
        $pdo_conn = new PDO($dsn, $odbcusername, $odbcpassword);
        $pdo_conn->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );     
    }
    
    catch(Exception $e)  {   
        echo "Invalid Connection: ";
        die( print_r( $e->getMessage() ) );  
    }
}

I've been trying to find if something specific needs to be done to the "new PDO" line to account for the encryption and get the handshake to work, but can't find any information about it whatsoever.  The manual appears to not give any alternative options for PDO_ODBC other than the dsn, username and password.

Again, I've checked several times and the DSN, Username and Password are correct and the data source it's attempting to access works perfectly.

Does anyone know if additional steps need to be taken to get PDO_ODBC working to access a data source that has TLS encryption?

Kind Regards,

bendavid

Edited by bendavid
Link to comment
Share on other sites

I use neither ODBC or SQL Anywhere, but my initial wild guess would be that it's failing to verify the server certificate.  Some quick googling suggests the trusted_certificate option might help.

Something else to try, though I don't think it'd make a difference, would be to set openssl.cafile to a custom CA bundle that includes your server's certificate.

 

  • Like 1
Link to comment
Share on other sites

  • 4 weeks later...
On 9/22/2023 at 6:26 PM, requinix said:

If your ODBC settings are correct, my first guess would be an outdated version of OpenSSL that doesn't support the TLS configuration you're trying to use.

What version of OpenSSL do you have, and what do your connection settings say about TLS?

PHP is showing OpenSSL 1.1.1h.

For TLS, the PHP registered stream socket transports are "tls, tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3".  When you say "connection settings" are we talking about that or the ODBC data sources?  The data sources are working correctly so I'm guessing you're talking about something else.

Link to comment
Share on other sites

Just to give some context to anyone else that may encounter the same error, error "Invalid Connection: SQLSTATE[08S01]" is described as:

Quote

The cause of the issue is that the communication link between the driver and the data source to which the driver was attempting to connect failed before the function completed processing.

 

Link to comment
Share on other sites

Looks like I'm likely good to go on the SSL version as TLS1.3 is installed.

On the face of it, it looks like the SAP ODBC driver is failing, but why is it failing in PHP and not in the data sources 🤔.  Especially when PDO ODBC is using the data sources.  🤔  The data sources are already connected to the certificate store and PDO ODBC doesn't appear to have options for pointing to a certificate store.

Does anyone know if applying successfully applying TLS settings to ODBC data sources is typically enough to continue to connect with previous PHP ODBC PDO connections?

  

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.