Introduction

The protocol used by the Denodo ODBC driver always starts on a plain (non-SSL) socket. The ODBC client sends an SSL request message and waits for the Denodo Virtual DataPort server to respond with its SSL capabilities (both messages are sent in the clear).

Some load balancers that support TLS, such as the Amazon Elastic Load Balancer (ELB), cannot answer anything but a ClientHello message (from the SSL protocol). An ODBC client using the Denodo ODBC driver will therefore wait forever after sending the SSL request message, because the load balancer never answers.

To avoid this situation, a TLS tunnel (such as stunnel) can be used.

The main purpose of this TLS proxy is to negotiate and open an SSL connection to the load balancer; the Denodo ODBC driver protocol is then used inside that encrypted channel.

TLS tunnel configuration

The TLS tunnel will have to be configured on each of the ODBC clients' hosts connecting to Denodo through the load balancer.

Stunnel configuration examples

If you decide to use stunnel, the following examples can be useful to understand how it works.

For any configuration change, follow these steps:

  • Modify the stunnel.conf file (where all the TLS proxy configuration is done).
  • Restart the stunnel application.

Simple configuration

The following configuration accepts all requests received on port 9996 and redirects them to the same port on the load balancer IP address.

[amazon-elb-odbcvdp]
accept = localhost:9996
connect = <Load balancer IP>:9996
sslVersion = all
client = yes

Configuration with SNI headers

In some scenarios, the load balancer requires the client to send an SNI header to determine how to redirect the request. In that case, the following configuration can be used to set the SNI header to a specific value (in this example, it is set to ‘ODBCService’).

[sni-client]
client = yes
accept = 127.0.0.1:9996
connect = <Load balancer IP>:9996
sni = ODBCService
CAfile = ca-certs-odbc.pem
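
In stunnel, CAfile only supplies trust anchors. The load balancer's certificate is checked only when verifyChain (or verifyPeer) is enabled, and checkHost or checkIP is what ties a verified chain to the expected server. The following is an added example, not part of the original article or of stunnel: a small audit of stunnel.conf client services for those options. The function name audit, the address 192.0.2.10, the host name lb.example.com and the second service are assumptions made for illustration.

```python
import configparser

# Constructed input: the page's SNI service (placeholder replaced by a documentation
# IP) plus a hypothetical verified variant; lb.example.com is an assumed host name.
SAMPLE = """\
[sni-client]
client = yes
accept = 127.0.0.1:9996
connect = 192.0.2.10:9996
sni = ODBCService
CAfile = ca-certs-odbc.pem

[sni-client-verified]
client = yes
accept = 127.0.0.1:9997
connect = 192.0.2.10:9996
sni = ODBCService
CAfile = ca-certs-odbc.pem
verifyChain = yes
checkHost = lb.example.com
sslVersionMin = TLSv1.2
"""

def audit(conf_text):
    """Return {service: [findings]} for each client-mode service in a stunnel.conf."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    # Options before the first [service] are read as defaults for every service.
    cp.read_string("[DEFAULT]\n" + conf_text)
    report = {}
    for name in cp.sections():
        svc = cp[name]
        on = lambda key: svc.get(key, "no").strip().lower() == "yes"
        if not on("client"):
            continue  # server-mode services are out of scope here
        findings = []
        if not (on("verifyChain") or on("verifyPeer")):
            findings.append("peer certificate is not verified")
        elif on("verifyChain") and not (svc.get("checkHost") or svc.get("checkIP")):
            findings.append("chain verified, but no checkHost/checkIP ties it to the server")
        floor = svc.get("sslVersionMin", svc.get("sslVersion", "")).strip().lower()
        if floor not in ("tlsv1.2", "tlsv1.3"):
            findings.append("no TLS 1.2 floor (sslVersionMin)")
        report[name] = findings
    return report

if __name__ == "__main__":
    for service, findings in audit(SAMPLE).items():
        print(service, "->", findings or "ok")
```

The audit does not evaluate the obsolete `verify = LEVEL` option, so a configuration that relies on it is reported as unverified.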
