Information

Title	Ciphers supported by OpenEdge

URL Name	000046214

Article Number	000163812

Environment	Product: OpenEdge Version: 10.x, 11.x, 12.x OS: All supported platforms Other: SSL, TLS, Ciphers

Question/Problem Description

How to find which Ciphers are supported by OpenEdge clients and servers?
Where to find a list of supported Cipher suite names?
How can a list of OpenEdge supported Ciphers be found?

How to find a list of supported Ciphers to configure for Environment Variables:

PSC_SSLCLIENT_CIPHERS, PSC_SSLSERVER_CIPHERS, PSC_SQL_SSLSERVER_CIPHERS

How to find the relationship between OpenEdge OpenSSL Cipher names and SSL/TLS cipher suite names:

OpenSSL cipher suite name: AES128-SHA
SSL/TLS cipher suite name: TLS_RSA_WITH_AES_128_CBC_SHA

Steps to Reproduce

Clarifying Information

Error Message

Defect Number

Enhancement Number

Cause

Resolution

SSLC is included in OpenEdge installation with the same functionality as openSSL

A full list of cipher-suite names for the OpenEdge version installed can be generated by running:

$ $DLC/bin/sslc ciphers
$ %DLC%\bin\sslc ciphers

Example: OpenEdge 11.7.5

proenv>sslc ciphers

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:
ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:
ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:
ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:
ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:
AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA

A list of supported ciphers and cipher versions in table form, is provided with the Verbose listing of the SSL/TLS ciphers:

proenv>sslc ciphers -v

ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)             Mac=AEAD  
ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)             Mac=AEAD  
DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)             Mac=AEAD  
ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=CHACHA20/POLY1305(256)  Mac=AEAD  
ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD  
DHE-RSA-CHACHA20-POLY1305      TLSv1.2  Kx=DH    Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD  
ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)             Mac=AEAD  
ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)             Mac=AEAD  
DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)             Mac=AEAD  
ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)                Mac=SHA384
ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)                Mac=SHA384
DHE-RSA-AES256-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(256)                Mac=SHA256
ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)                Mac=SHA256
ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)                Mac=SHA256
DHE-RSA-AES128-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(128)                Mac=SHA256
ECDHE-ECDSA-AES256-SHA         SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(256)                Mac=SHA1  
ECDHE-RSA-AES256-SHA           SSLv3    Kx=ECDH  Au=RSA    Enc=AES(256)                Mac=SHA1  
DHE-RSA-AES256-SHA             SSLv3    Kx=DH    Au=RSA    Enc=AES(256)                Mac=SHA1  
ECDHE-ECDSA-AES128-SHA         SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(128)                Mac=SHA1  
ECDHE-RSA-AES128-SHA           SSLv3    Kx=ECDH  Au=RSA    Enc=AES(128)                Mac=SHA1  
DHE-RSA-AES128-SHA             SSLv3    Kx=DH    Au=RSA    Enc=AES(128)                Mac=SHA1  
AES256-GCM-SHA384              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(256)             Mac=AEAD  
AES128-GCM-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(128)             Mac=AEAD  
AES256-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(256)                Mac=SHA256
AES128-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(128)                Mac=SHA256
AES256-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(256)                Mac=SHA1  
AES128-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(128)                Mac=SHA1

Similarly ciphers supported by the JSSE engine can be listed the the SSLJ utility:

proenv> sslj list-ciphers

Mappings between OpenSSL cipher suite names and SSL/TLS cipher suite names can be found on the web. For example:

Mapping OpenSSL cipher suite names to IANA names

https://testssl.sh/openssl-iana.mapping.html

Workaround

Notes

References to Other Documentation:

Learn About Security and Auditing: Security in OpenEdge, TLS Security - Change cryptographic protocol, ciphers, and certificates
https://docs.progress.com/bundle/openedge-security-and-auditing/page/Change-cryptographic-protocol-ciphers-and-certificates.html

Progress Article:
ADH* series are not supported ciphers
Identifying what SSL/TLS ciphers a server supports.
How to set TLS/SSL protocols and ciphers to use in the HTTP client?
How to set Client SSL Protocols and Ciphers in OpenEdge
Identifying what SSL/TLS ciphers a server supports.
ABL client default cipher suites for SSL
Client stops reading through the available ciphers list 50% of the time when an unsupported cipher is encountered in the list

Keyword Phrase

Last Modified Date	8/12/2021 2:20 PM

Ciphers supported by OpenEdge

Information