
Client stops reading through the available ciphers list 50% of the time when an unsupported cipher is encountered in the list

Title: Client stops reading through the available ciphers list 50% of the time when an unsupported cipher is encountered in the list
URL Name: Client-stops-reading-through-the-available-ciphers-list-50-of-the-time-when-an-unsupported-cipher-is-encountered-in-the-list
Article Number: 000204021
Environment:
Product: OpenEdge
Version: 11.7.6 and later, 12.0, 12.1
OS: All Supported Platforms
Question/Problem Description

The client connects to a site that requires one of four ciphers not present in the default cipher list, and performs a POST using the httpClient.

If the connection uses the last cipher that was added to the list in the PSC_SSLCLIENT_CIPHERS variable, the POST fails with SSL errors roughly 50% of the time.

If that cipher is moved higher in the list, the POST succeeds 100% of the time.

List of added ciphers:

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256

The above list was added to the PSC_SSLCLIENT_CIPHERS environment variable, appended to the default list of ciphers from the documentation:

AES128-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES256-SHA256:DHE-RSA-AES256-SHA256:AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ADH-AES128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES256-SHA256

The problem is that the ciphers above with ADH in their names are no longer supported by OpenSSL, and the C code responsible for loading the ciphers from the PSC_SSLCLIENT_CIPHERS variable stops loading as soon as it encounters an unsupported cipher. Every cipher listed after that point, supported or not, is never loaded.

Defect OCTA-38279 was logged to have the ADH ciphers removed from the list. Removing them causes a further problem: more common ciphers will not be included in the ciphers used for requests unless they are explicitly listed in the PSC_SSLCLIENT_CIPHERS environment variable.

For example:

export PSC_SSLCLIENT_CIPHERS=AES128-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES256-SHA256:DHE-RSA-AES256-SHA256:AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ADH-AES128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES256-SHA256

The above will load all of the ciphers except those with ADH, because the unsupported ADH entries are at the end of the list and loading stops there.

If the ADH ciphers are placed at the beginning:

export PSC_SSLCLIENT_CIPHERS=ADH-AES128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES256-SHA256:AES128-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES256-SHA256:DHE-RSA-AES256-SHA256:AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384

The client hello will not offer any of the listed ciphers, because loading stops at the first entry.
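The two cases above (unsupported entries last, unsupported entries first) can be checked before a deployment rather than discovered through failed POSTs. The following script is an added example and not part of the article or of OpenEdge: it asks the local OpenSSL build, through Python's ssl module, whether each name in a PSC_SSLCLIENT_CIPHERS-style value is a known cipher, then models a loader that stops at the first unrecognised entry, as the article describes, and reports which supported ciphers are silently never offered. The function names (openssl_supports, simulate_loader, sanitized_list) are this example's own; the sample cipher list in main() is the one from the article.

```python
"""Check a colon-separated OpenSSL cipher list (the PSC_SSLCLIENT_CIPHERS
format) against the local OpenSSL build, and model a loader that stops at
the first entry it does not recognise.  Example code, not OpenEdge code."""
import ssl
from typing import Callable, Dict, List, Optional

# Predicate type: given a cipher name, is it usable?  Injected so the
# loader model can also be exercised with a constructed support set.
Supports = Callable[[str], bool]


def openssl_supports(name: str) -> bool:
    """True if the local OpenSSL knows `name` as an exact cipher name.

    TLS 1.2-and-below names go through set_ciphers(), which raises SSLError
    when nothing matches.  TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) are
    configured through a separate OpenSSL API that Python does not expose,
    so they are checked against the suites a default context already enables.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if name.startswith("TLS_"):
        return any(c["name"] == name for c in ctx.get_ciphers())
    try:
        ctx.set_ciphers(name)
    except ssl.SSLError:
        return False
    return any(c["name"] == name for c in ctx.get_ciphers())


def split_cipher_list(value: str) -> List[str]:
    """Split the colon-separated variable value, dropping empty entries."""
    return [n.strip() for n in value.split(":") if n.strip()]


def simulate_loader(value: str, supports: Supports = openssl_supports) -> Dict[str, object]:
    """Model a loader that reads entries in order and stops at the first
    unsupported one (the behaviour the article describes)."""
    names = split_cipher_list(value)
    stop: Optional[int] = None
    for i, n in enumerate(names):
        if not supports(n):
            stop = i
            break
    loaded = names if stop is None else names[:stop]
    # Supported entries after the stop point are silently never offered.
    lost = [] if stop is None else [n for n in names[stop + 1:] if supports(n)]
    return {
        "loaded": loaded,
        "stops_at": None if stop is None else names[stop],
        "lost_supported": lost,
    }


def sanitized_list(value: str, supports: Supports = openssl_supports) -> str:
    """Drop every unsupported name so the loader never stops early."""
    return ":".join(n for n in split_cipher_list(value) if supports(n))


if __name__ == "__main__":
    # The list from the article, with the ADH entries last.
    doc_list = ("AES128-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:"
                "DHE-RSA-AES128-GCM-SHA256:AES256-SHA256:DHE-RSA-AES256-SHA256:"
                "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
                "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
                "ADH-AES128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES256-SHA256")
    result = simulate_loader(doc_list)
    print("loader stops at:", result["stops_at"])
    print("ciphers offered:", result["loaded"])
    print("supported but never offered:", result["lost_supported"])
    print("PSC_SSLCLIENT_CIPHERS=" + sanitized_list(doc_list))
```

On a build where anonymous (ADH) suites are disabled, the script reports the first ADH entry as the stop point for the article's list, and an empty offered list when the ADH entries are moved to the front. The equivalent manual check is `openssl ciphers -v 'NAME'` for each name, which exits non-zero when nothing matches. The ADH suites provide no server authentication, so a list that omits them is the right end state; the value of the check is in confirming that every remaining entry is accepted so that nothing after it is dropped.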

Defect Number: OCTA-37738
Cause
The exact cause is not known at this time.
 
Resolution
Fixed version(s): OpenEdge 12.5, OpenEdge 12.2.7, OpenEdge 11.7.12
Workaround
Use all of the ciphers reported by the sslc ciphers command as the value of the PSC_SSLCLIENT_CIPHERS variable (no spaces around the equals sign; the variable name must be spelled exactly as shown):
proenv>export PSC_SSLCLIENT_CIPHERS=TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA

 
Last Modified Date: 10/25/2023 1:42 PM