Debugging SSL connection issues when the SSL connection using ABL code runs on PASOE
SSL connection issues normally fall into one of these areas:
- Missing host, intermediate or root digital certificates in the OpenEdge certificate store ($DLC/certs directory)
- Failure negotiating the protocol and/or cipher to be used
To debug SSL connection issues, run the following steps on the machine running the PASOE instance. This is important because certificates may be installed on one machine and not another.
1) The SSL connection (which will include validating the certificate chain):
- sslc s_client -connect <hostname:port> -CApath <certificate_directory> -debug -msg -state
Start by referring to the following Article which explains how to use the 'sslc s_client' command line utility to test the connection. This utility will show when a missing certificate is detected or if there is a protocol/cipher negotiation error:
2) If the 'sslc s_client' command shows missing certificates, talk to the vendor of the service which the PASOE instance is connecting to and ask them for all of the required certificates.
Qualys provides an online SSL Server Test which can be useful in this regard:
https://www.ssllabs.com/ssltest/
When all the certificates within the certificate chain are available, import them into the OpenEdge certificate store. The PASOE instance in this case is effectively the 'client' when consuming external web services. Instructions to import certificate keys into <DLC>\certs are outlined in Article:
3) If the 'sslc s_client' command succeeds, enable SSL debug logging:
Enable the logging, then restart the PASOE instance and run the program which is attempting to make an SSL connection. A file named cert.client.log will be generated in the working directory. It provides further information about what is going wrong, and where, during the SSL handshake negotiation (most likely a protocol / cipher negotiation failure).
4) If the cert.client.log file indicates a protocol negotiation failure, the following Articles provide different ways to determine the correct protocol to use.
5) If the cert.client.log file indicates a cipher negotiation failure, the following Articles provide different ways to determine the correct cipher to use.
6) After confirming protocols, ciphers and certificates, please refer to the documentation link which provides information on SSL Security, including how to change the default protocols and ciphers the SSL connection will use:
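As an added example (not from the original article or from Progress), the script below sorts the output of the step 1 'sslc s_client' command into the failure areas listed at the top of this article. It assumes sslc prints standard OpenSSL s_client messages; the function names and the sample transcripts are constructed for illustration.

```sh
#!/bin/sh
# Added example (not Progress code): sort captured `sslc s_client` output
# into the failure areas this article lists. Sample transcripts below are
# constructed and abridged; real output is much longer.

_has() { printf '%s\n' "$_out" | grep -Eiq "$1"; }

# Reads s_client output on stdin and prints one category.
classify_s_client() {
    _out=$(cat)
    # Verify codes 2, 19, 20, 21: an issuer (intermediate or root)
    # certificate could not be found in the trusted store.
    if _has 'verify error:num=(2|19|20|21):|verify return code: (2|19|20|21) \('; then
        echo missing-certificate
    elif _has 'alert protocol version|unsupported protocol|no protocols available'; then
        echo protocol-negotiation-failure
    # handshake_failure is the usual alert when no cipher is shared, but not
    # the only cause; confirm against cert.client.log (step 3).
    elif _has 'alert handshake failure|no ciphers available'; then
        echo cipher-negotiation-failure
    # Checked last: a failed handshake can still print "return code: 0 (ok)"
    # because no peer certificate was received to verify.
    elif _has 'verify return code: 0 \(ok\)'; then
        echo ok
    else
        echo unknown
    fi
}

SAMPLE_MISSING='depth=0 CN = service.example.test
verify error:num=20:unable to get local issuer certificate
    Verify return code: 21 (unable to verify the first certificate)'
SAMPLE_PROTO='SSL3 alert read:fatal:protocol version
error:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version'
SAMPLE_CIPHER='error:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
no peer certificate available
    Verify return code: 0 (ok)'

for s in "$SAMPLE_MISSING" "$SAMPLE_PROTO" "$SAMPLE_CIPHER"; do
    printf '%s\n' "$s" | classify_s_client
done
# Live use on the PASOE machine (placeholders as in step 1):
#   sslc s_client -connect <hostname:port> -CApath <certificate_directory> \
#        -debug -msg -state </dev/null 2>&1 | classify_s_client
```

A result of missing-certificate points to step 2; the two negotiation categories point to steps 4 and 5 once cert.client.log confirms them.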