Connection failure with SSL socket to secure server

Title: Connection failure with SSL socket to secure server
URL Name: Connection-failure-with-SSL-socket-to-secure-developer-server
Article Number: 000186421
Environment:
Product: OpenEdge
Version: 11.6, 11.7
OS: All Supported Platforms
Question/Problem Description
The application was upgraded to OpenEdge 11.6 because a third-party vendor had upgraded their service from SSL to TLS 1.2. After the upgrade, ABL socket connections worked, but connections to the vendor's development server failed with error 9318.

Error Message: Secure Socket Layer (SSL) failure, error code 0: Unknown SSL error (9318)
Cause
After using the UNIX/Linux curl command line utility to test the different encryption protocols (SSLv3, TLSv1, TLSv1.1 and TLSv1.2), it was determined that the production server supported all of them but the development server supported only TLS 1.0 (TLSv1).

Samples of how to use the curl command are shown below (note that these variants work on a Mac OS X machine; the curl command on your system may differ slightly, so check the man page for exact usage):

COMMAND -> curl --sslv3 https://developer.skipjackic.com:443 
OUTPUT  -> curl: (35) Could not negotiate an SSL cipher suite with the server 

COMMAND -> curl --tlsv1.2 https://developer.skipjackic.com:443 
OUTPUT  -> curl: (35) Could not negotiate an SSL cipher suite with the server 

COMMAND -> curl --tlsv1.1 https://developer.skipjackic.com:443 
OUTPUT  -> curl: (35) Could not negotiate an SSL cipher suite with the server 

COMMAND -> curl --tlsv1.0 https://developer.skipjackic.com:443
OUTPUT  -> an HTML page is written out, contents of this page are not included here
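The curl probing above, generalised into a small script (an added example, not part of the original article): it runs each protocol version against the host, classifies curl's exit code, and reports the oldest version the server accepts. The CURL variable is an assumption so the command can be stubbed; the `--tls-max` pairing is needed on curl 7.54 and later, where `--tlsv1.0` alone means "TLS 1.0 or newer".

```shell
#!/bin/sh
# Probe which SSL/TLS versions a server negotiates, one curl run per version,
# classified by curl's exit code: 0 = handshake and HTTP exchange succeeded,
# 35 = handshake rejected ("Could not negotiate an SSL cipher suite"),
# 2/4 = option or protocol not available in this curl build (e.g. SSLv3 today).
# CURL is a hypothetical override so the command can be stubbed; default is curl.
CURL="${CURL:-curl}"

# probe_version HOST PORT "CURL FLAGS" -> prints one verdict word
probe_version() {
    host="$1"; port="$2"; flags="$3"
    # $flags is deliberately unquoted so "--tlsv1.0 --tls-max 1.0" splits into arguments
    if "$CURL" -s -o /dev/null --max-time 15 $flags "https://${host}:${port}/" 2>/dev/null; then
        rc=0
    else
        rc=$?
    fi
    case "$rc" in
        0)   echo "supported" ;;
        35)  echo "rejected" ;;
        2|4) echo "untestable" ;;
        *)   echo "error($rc)" ;;
    esac
}

# probe_tls_versions HOST [PORT] -> one "<protocol> <verdict>" line per version,
# named as in the -sslprotocols option. --tls-max pins the exact version because
# on curl 7.54+ "--tlsv1.0" alone means "TLS 1.0 or newer".
probe_tls_versions() {
    host="$1"; port="${2:-443}"
    for pair in "SSLv3=--sslv3" "TLSv1=--tlsv1.0 --tls-max 1.0" \
                "TLSv1.1=--tlsv1.1 --tls-max 1.1" "TLSv1.2=--tlsv1.2 --tls-max 1.2"; do
        name="${pair%%=*}"; flags="${pair#*=}"
        printf '%s %s\n' "$name" "$(probe_version "$host" "$port" "$flags")"
    done
}

# lowest_supported HOST [PORT] -> oldest accepted version: the value to pass to
# -sslprotocols when the OpenEdge default (TLSv1.2) is refused by the server.
lowest_supported() {
    probe_tls_versions "$1" "${2:-443}" | awk '$2 == "supported" { print $1; exit }'
}

# Usage: sh probe_tls.sh developer.skipjackic.com 443
if [ -n "${1:-}" ]; then
    probe_tls_versions "$1" "${2:-443}"
fi
```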

 
Resolution
OpenEdge 11.6 uses TLSv1.2 as the default encryption protocol to conform to current industry standards. When connecting with ABL sockets to a server that only supports the older protocols (i.e. SSLv3, TLSv1 or TLSv1.1), you need to specify the -sslprotocols and -sslciphers options in the connection string passed to the ABL CONNECT method.

The following sample code shows how to do this and connects successfully to SkipJack's development server (note that this is accurate as of November 6, 2015, when their development server supported only TLSv1 connections; this will most likely change in the future):


/* Connect to a TLSv1-only server with an ABL client socket.
   -sslprotocols restricts the handshake to the versions the server offers;
   -sslciphers lists the cipher suites the client may offer (OpenSSL names).
   The list below mirrors what the development server accepted in 2015 and
   includes RC4 and export-grade suites; trim it to what your server requires. */
DEFINE VARIABLE hSocket       AS HANDLE    NO-UNDO.
DEFINE VARIABLE cPort         AS CHARACTER NO-UNDO INITIAL "443".
DEFINE VARIABLE lStatus       AS LOGICAL   NO-UNDO.
DEFINE VARIABLE cSocketString AS CHARACTER NO-UNDO.
DEFINE VARIABLE cHost         AS CHARACTER NO-UNDO INITIAL "developer.skipjackic.com".
DEFINE VARIABLE cProtocols    AS CHARACTER NO-UNDO INITIAL "TLSv1".
DEFINE VARIABLE cCiphers      AS CHARACTER NO-UNDO
    INITIAL "AES128-SHA,RC4-SHA,DES-CBC3-SHA,DES-CBC-SHA,EXP-DES-CBC-SHA,EXP-RC4-MD5".

/* Build the connection string: host, port, and the SSL/TLS options. */
ASSIGN cSocketString = "-H " + cHost + " -S " + cPort
                     + " -ssl -sslprotocols " + cProtocols
                     + " -sslciphers " + cCiphers.

CREATE SOCKET hSocket.
/* With NO-ERROR, a failed CONNECT returns FALSE instead of raising an error. */
ASSIGN lStatus = hSocket:CONNECT(cSocketString) NO-ERROR.

IF lStatus THEN
    MESSAGE "Socket connection OK!" VIEW-AS ALERT-BOX.
ELSE
    MESSAGE "Socket connection FAILED!" SKIP ERROR-STATUS:GET-MESSAGE(1) VIEW-AS ALERT-BOX.

hSocket:DISCONNECT() NO-ERROR.
DELETE OBJECT hSocket.
Notes
References to Other Documentation:

Progress OpenEdge Getting Started: Core Business Services - Security and Auditing, Chapter 2: "Security in OpenEdge > SSL Security"
Last Modified Date: 4/28/2017 6:55 PM