I am trying to setup SSL on two Virtuoso 8 instances. So far so good in terms of implementation but there is one thing. These servers had replication between them, one was publisher and the other was a subscriber. I am searching a lot the documentation today but I cannot find why the repl_subscribe functionality now produces errors regarding connectivity.
I have tried connecting via ISQL from the subscriber to the publisher node with the command:
isql -H publisher.address -S 1111 -E
And it works. SSL is configured on ports 8890 and 1111 as the default HTTP was running on.
I need to know how I can make ISQL invocation to permanently use -E flag and possibly some kind of parameter that enables by default SSL connections between the two nodes. Based on the docs here 6.1.1.Database I tried:
- Adding Encrypt or “Encrypt” inside the odbc.ini file under MASTER_DSN section
- Running isql -E -u SQL_ENCRYPT_CONNECTION=1 prior to running repl_subscribe
- Adding SQL_ENCRYPT_CONNECTION under SQL section in virtuoso.ini file
EDIT 1: I managed to solve the repl_subscribe command and now it works, I think it was the proper addition of Encrypt inside the odbc.ini file but now I get another issue. Even thought the subscriber is connected to the publisher, the publisher produces errors while accepting the connection, rendering the replication useless immediately.
13:55:36 SSL error accepting connection from XXXXXXXXXX error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
13:56:31 SSL error accepting connection from XXXXXXXXXX error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
SSL configuration on both servers for both ISQL and HTTP look like this:
[Parameters] SSLServerPort = 1111 SSLCertificate = ./ssl/XXXXXXXX.crt SSLPrivateKey = ./ssl/XXXXXXXX.key X509ClientVerify = 0 X509ClientVerifyDepth = -1 X509ClientVerifyCAFile = ./ssl/XXXXXXXX_combined_ca.crt ... [HTTPServer] SSLPort = 8890 SSLCertificate = ./ssl/XXXXXXXX.crt SSLPrivateKey = ./ssl/XXXXXXXX.key X509ClientVerify = 0 X509ClientVerifyDepth = -1 X509ClientVerifyCAFile = ./ssl/XXXXXXXX_combined_ca.crt