tags:

views:

657

answers:

2
+2  Q: 

secure ODBC connection -- oxymoron?

Hello -

There are times we need to create an ODBC connection over the "tubes" to one of our customer sites. We would like to provide as much security as possible to our customers, given we are using ODBC and, well...

Anyway, there is a checkbox setting in the SQL Server DSN that says "Use strong encryption for data", but absolutely no documentation for it. The only references I can find on the Google nets are unanswered questions -- not very encouraging. Does anybody have a clue what it does or how it works? If that isn't a way to encrypt the data stream, is there another way?

BTW, we cannot rely on our customers to force encryption from their end, and dealing with security certificates would be a real nightmare.

Thanks in advance, Dave

A: 

There is no reason you can't have a secure connection while using ODBC. Basically, the responsibility for over-the-wire security would fall under the ODBC driver (basically the database-specific part). If the driver doesn't already provide for this (SQL Server may or may not - I don't know what "Use strong encryption for data" applies to) you can probably add your own. One possibility would be to create a SSH bridge, e.g. using ssh -L. I don't know if this counts as a "nightmare", but it would probably be an effective and fairly simple technique.

Matthew Flaschen  2009-06-11 23:12:22
+1  A: 

Is it SQL 2000 or 2005/2008?

The encryption enforcement can be requested by the client or enforced by the server. The encryption is based on Schannel protocol (ssl) and as such requires an valid certificate deployed on the server and trusted by the client, there is no way out of that. The certificate has to be signed by an authority that is trusted by the client and, amongst other typical server certificate requirements, must have the FQDN name used to connect by the client as its subject.

In SQL 2005 How to: Enable Encrypted Connections In SQL 2000 Configure the Server and Request encryption by client

Remus Rusanu  2009-06-11 23:34:15
Awesome information, Remus.
RBarryYoung  2009-06-11 23:36:57
Thanks for the information, that's exactly what I was looking for.Some of our clients could still be running SQL 2000, but that number is dwindling fast. We will be using a SQL 2008 client piece to connect to all of them, and 'requiring' our customers to upgrade to at least 2005 within the next 6 months or so. That doesn't mean they actually will do so, however...
DaveN59  2009-06-12 15:24:04
Unfortunately, it still requires that certificates be installed on the client side for each customer. The other gotcha is the FQDN -- we always use the IP address to connect, and certs generally don't like that...
DaveN59  2009-06-12 15:28:14
The cert has to be only *trusted* by client, not necessarily installed. But I don't think any authority is going to sign a cert for an IP (as opposed to DNS)
Remus Rusanu  2009-06-12 17:18:14

related questions

Backup SQL Schema Only?
Sql to query a dbs scheme
Timer-based event triggers
Sql query, count and group by
Paging SQL Server 2005 Results
SQL 2005 For XML Explicit - Need help formatting
How do I use T-SQL Group By
What all do I need to escape when sending a (My)SQL query?
Split String in SQL
Datatable vs Dataset
ASP.NET MVC "CRUD" Database Sample
Convert HashBytes to VarChar
Best Book for a new Database Developer
What is the best way to avoid SQL injection attacks?
What language do you use for Postgresql triggers and stored procedures?
What is the best way to handle multiple permission types?
How do I index a database field
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Is there a version control system for database structure changes?
How to export data from SQL Server 2005 to MySQL
ASP.NET Site Maps
Decoding T-SQL CAST in C#/VB.net
Flat File Databases in PHP