
Encrypted Communication

SQL/R supports encryption of the communication between the driver (running on the client system) and the ODBC backend (running on the server).

The ODBC server defines which connections use encryption. This may be configured per client IP address or per data source.

When using an encrypted connection, the server uses an RSA public/private key pair to distribute an AES key that is used to encrypt the actual communication. The encryption keys are replaced periodically.

Configuration directives

The ODBC server defines which connections use encryption. This may be configured for a client IP address (or range) or per data source.

The following config items may be specified:

[encryption] RsaExchangeKeySize
Specifies the size of the RSA key (in bits) that is used to encrypt the AES session key. Valid values must be a multiple of 512. The default is 1024.
The default should only be changed if generating the RSA key is found to be a performance issue.

[encryption] KeyRefreshInterval
Specifies the interval after which a new RSA key is generated. The default is 60 minutes.

[encryption] AesSessionKeySize
Specifies the length (in bits) of the AES key that is used to encrypt the driver communication. Valid values are 128, 192 and 256. The default is 128 bits.

The [encryption] section also allows the IP addresses that use encrypted communication to be specified. In addition, a data source may be configured to require an encrypted connection.
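The key exchange described in the overview (an RSA pair distributes an AES session key, the RSA key is regenerated periodically) and the three key directives above can be modelled end to end. The following Go program is an added example written for this page, not SQL/R code. The page does not specify the padding or cipher mode SQL/R uses on the wire, so RSA-OAEP with SHA-256 for wrapping the session key and AES-GCM for the traffic are this example's assumptions, and the names ExchangeConfig, ExchangeServer, WrapSessionKey, NewSessionCipher, Seal and Open are invented for it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// ExchangeConfig holds the three [encryption] key directives described above.
type ExchangeConfig struct {
	RsaExchangeKeySize int           // bits; must be a multiple of 512 (default 1024)
	KeyRefreshInterval time.Duration // a new RSA key is generated after this (default 60 min)
	AesSessionKeySize  int           // bits; 128, 192 or 256 (default 128)
}

// Validate enforces the value ranges the documentation states for each directive.
func (c ExchangeConfig) Validate() error {
	if c.RsaExchangeKeySize <= 0 || c.RsaExchangeKeySize%512 != 0 {
		return fmt.Errorf("RsaExchangeKeySize %d is not a positive multiple of 512", c.RsaExchangeKeySize)
	}
	if c.AesSessionKeySize != 128 && c.AesSessionKeySize != 192 && c.AesSessionKeySize != 256 {
		return fmt.Errorf("AesSessionKeySize %d is not 128, 192 or 256", c.AesSessionKeySize)
	}
	if c.KeyRefreshInterval <= 0 {
		return fmt.Errorf("KeyRefreshInterval %v is not positive", c.KeyRefreshInterval)
	}
	return nil
}

// ExchangeServer models the server side: it owns the RSA exchange key pair.
type ExchangeServer struct {
	cfg       ExchangeConfig
	key       *rsa.PrivateKey
	generated time.Time
}

// PublicKey is what the driver receives. The pair is generated on first use and
// replaced once KeyRefreshInterval has elapsed, as the documentation describes.
func (s *ExchangeServer) PublicKey(now time.Time) (*rsa.PublicKey, error) {
	if s.key == nil || now.Sub(s.generated) >= s.cfg.KeyRefreshInterval {
		k, err := rsa.GenerateKey(rand.Reader, s.cfg.RsaExchangeKeySize)
		if err != nil {
			return nil, err
		}
		s.key, s.generated = k, now
	}
	return &s.key.PublicKey, nil
}

// Unwrap recovers the AES session key wrapped under the current RSA key; a key wrapped under a rotated-out pair fails here.
func (s *ExchangeServer) Unwrap(wrapped []byte) ([]byte, error) {
	if s.key == nil {
		return nil, fmt.Errorf("no exchange key generated yet")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.key, wrapped, nil)
}

// WrapSessionKey is the driver side: draw a random AES key of the configured size and
// encrypt it to the server's public key (RSA-OAEP with SHA-256 is an assumption here).
func WrapSessionKey(pub *rsa.PublicKey, aesBits int) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, aesBits/8)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// NewSessionCipher turns the session key into an AEAD for the actual driver traffic
// (AES-GCM is an assumption; the page does not name SQL/R's cipher mode).
func NewSessionCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal prepends a fresh random nonce to the ciphertext; Open expects that layout.
func Seal(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func Open(aead cipher.AEAD, msg []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(msg) < n {
		return nil, fmt.Errorf("message shorter than the %d-byte nonce", n)
	}
	return aead.Open(nil, msg[:n], msg[n:], nil)
}
```

Two details worth noting when reading the example against the directives: with OAEP and SHA-256 a 1024-bit exchange key can carry at most 62 bytes of payload, so all three AES key sizes fit, and the Go rsa package (1.24 and later) refuses to generate keys below 1024 bits, so the smallest value the directive admits, 512, cannot be exercised here even though it is a valid setting for the server.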

The following syntax is supported:

{on|off} = { All | hostname | ip-address [/{addrbits|netmask}] }

Multiple On/Off entries are recognized and combined.

hostname is the name of a host or network that is resolved into one or more IP addresses.

ip-address is either an IPv4 or IPv6 address.

If no entry matches, an unencrypted connection is used by default. The On = All directive may be used to make encrypted communication the default and to specify the exceptions separately.

By default, clients do not use encryption, which corresponds to:

Off = All

For example:

On = All
Off = localhost
Off = 194.64.71.101
Off = 10.64.72.0/24

In this example, encryption is used by default except for the specified addresses.

In addition, the Encryption config item may be used in a data source to require an encrypted connection.
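To show how the On/Off entries and the data source setting combine for a given client, here is an added Go example (not SQL/R's own code) that parses the syntax above, including hostnames, addrbits and dotted netmasks, and applies the resulting rules to a client address together with a data source's Encryption requirement. The page only says that overlapping entries are combined, so the precedence implemented (most specific match wins, later entries win ties, All is least specific) is an assumption; the names Rule, Resolver, ParseRule, prefixFor and RequiresEncryption are the example's own, and the Resolver hook stands in for the net.LookupIP call a real server would make so the example runs offline.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math/bits"
	"net/netip"
	"strings"
)

// Rule is one "On = ..." or "Off = ..." entry of the [encryption] section.
type Rule struct {
	Encrypt  bool           // On -> true, Off -> false
	All      bool           // the "All" keyword
	Prefixes []netip.Prefix // covered addresses; a hostname contributes one prefix per address
}

// Resolver maps a hostname to its addresses (net.LookupIP in a real server); it is a
// parameter so the example can run offline against a stub.
type Resolver func(host string) ([]netip.Addr, error)

// ParseRule parses "{on|off} = { All | hostname | ip-address [/{addrbits|netmask}] }".
func ParseRule(line string, resolve Resolver) (Rule, error) {
	key, val, ok := strings.Cut(line, "=")
	key, val = strings.TrimSpace(key), strings.TrimSpace(val)
	r := Rule{Encrypt: strings.EqualFold(key, "on")}
	if !ok || (!r.Encrypt && !strings.EqualFold(key, "off")) {
		return Rule{}, fmt.Errorf(`expected "On = ..." or "Off = ...", got %q`, line)
	}
	if strings.EqualFold(val, "All") {
		r.All = true
		return r, nil
	}
	if p, err := netip.ParsePrefix(val); err == nil { // ip-address/addrbits
		r.Prefixes = []netip.Prefix{p.Masked()}
		return r, nil
	}
	host, mask, hasMask := strings.Cut(val, "/")
	if addr, err := netip.ParseAddr(host); err == nil { // ip-address, optionally /netmask
		p, err := prefixFor(addr.Unmap(), mask, hasMask)
		r.Prefixes = []netip.Prefix{p}
		return r, err
	}
	addrs, err := resolve(val) // a host or network name may resolve to several addresses
	if err != nil {
		return Rule{}, fmt.Errorf("resolving %q: %w", val, err)
	}
	for _, a := range addrs {
		a = a.Unmap()
		r.Prefixes = append(r.Prefixes, netip.PrefixFrom(a, a.BitLen()))
	}
	return r, nil
}

// prefixFor turns a bare address into a host prefix, or applies an IPv4 dotted netmask
// such as 255.255.255.0; a non-contiguous mask such as 255.0.255.0 is rejected.
func prefixFor(addr netip.Addr, mask string, hasMask bool) (netip.Prefix, error) {
	if !hasMask {
		return netip.PrefixFrom(addr, addr.BitLen()), nil
	}
	m, err := netip.ParseAddr(mask)
	if err != nil || !m.Is4() || !addr.Is4() {
		return netip.Prefix{}, fmt.Errorf("netmask %q must be an IPv4 dotted mask", mask)
	}
	v := binary.BigEndian.Uint32(m.AsSlice())
	ones := bits.OnesCount32(v)
	if v != ^uint32(0)<<(32-ones) {
		return netip.Prefix{}, fmt.Errorf("non-contiguous netmask %q", mask)
	}
	return netip.PrefixFrom(addr, ones).Masked(), nil
}

// RequiresEncryption combines the entries for one client. The page only says that an
// unmatched client is unencrypted and that entries are combined; the precedence used here
// (most specific match wins, later entries win ties, "All" is least specific) is assumed.
// A data source whose Encryption item requires encryption wins regardless of address.
func RequiresEncryption(rules []Rule, client netip.Addr, dataSourceRequires bool) bool {
	if dataSourceRequires {
		return true
	}
	client = client.Unmap()
	encrypt, best := false, -1
	for _, r := range rules {
		spec := -1 // prefix length of this entry's most specific match; -1 = no match
		if r.All {
			spec = 0
		}
		for _, p := range r.Prefixes {
			if p.Contains(client) && p.Bits() > spec {
				spec = p.Bits()
			}
		}
		if spec >= 0 && spec >= best {
			encrypt, best = r.Encrypt, spec
		}
	}
	return encrypt
}
```

Feeding the four lines of the example above through ParseRule in order and asking RequiresEncryption about 192.0.2.7, 127.0.0.1, 10.64.72.200 and 10.64.73.1 gives encrypted, unencrypted, unencrypted and encrypted respectively, which is the behaviour the example describes; with no entries at all, or with the default Off = All, every client is unencrypted.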


Platform dependencies

Linux

The OpenSSL software is used on Linux for cryptographic functions. It must be installed to use encrypted communication. SQL/R was tested with the OpenSSL 1.1 and 3.0 library versions. SQL/R dynamically adapts to the OpenSSL library and does not depend on a specific version.

To use encryption, the server process or the driver dynamically loads the libcrypto.so library. The SQL/R-specific lib directory takes precedence when locating the library. The LD_LIBRARY_PATH environment variable may be used to select a specific library to be loaded.

HP-UX

The OpenSSL software is used on HP-UX for cryptographic functions. It must be installed to use encrypted communication.

To use encryption, the server process or the driver dynamically loads the libcrypto.so library. The SQL/R-specific lib directory takes precedence when locating the library. The LD_LIBRARY_PATH environment variable may be used to select a specific library to be loaded.

Windows

The Windows cryptographic functionality is used. No additional software needs to be installed.