SSL errors after upgrading to OpenEdge 11.6 or later

Information

 
Title: SSL errors after upgrading to OpenEdge 11.6 or later
URL Name: SSL-errors-after-upgrading-from-OpenEdge-11-5-to-11-6
Article Number: 000128295
Environment
Product: OpenEdge
Version: 11.6
OS: All supported platforms
Question/Problem Description
SSL errors after upgrading to OpenEdge 11.6 or later

SSL errors after upgrading from OpenEdge 11.5 to 11.6

OpenEdge clients connecting to third-party services using SSL raise errors and fail to connect.

OpenEdge clients connecting to third-party services using TLS raise errors and fail to connect.

OpenEdge clients connecting to third-party services using HTTPS raise errors and fail to connect.
Steps to Reproduce
Clarifying Information
Connection to the same service in OpenEdge 11.5.1 or earlier was successful
Error Message
Secure Socket Layer (SSL) failure. error code 29712: SSL routines (9318)
Connection failure for host <host name>:<port> transport <transport>. (9407)

Secure Socket Layer (SSL) failure. Error code 0: Unknown SSL error (9318)
Defect Number
Enhancement Number
Cause
OpenEdge 11.6 defaults to the TLS 1.2 protocol (the most secure protocol currently available) for secure connections, but the third-party server does not support this version.
Resolution
1. Open a Proenv environment
2. Use the sslc executable shipped with OpenEdge to connect to the third-party server:

    sslc s_client -connect <host name>:<port>

3. Check the output for the protocol and cipher that were used to connect. These are reported on a line that looks like the following for a TLS 1.0 connection using the AES128-SHA cipher:

    New, TLSv1/SSLv3, Cipher is AES128-SHA

4. Set the protocol and cipher to be used by the client to the most secure versions accepted by the server. These may be set using environment variables PSC_SSLCLIENT_PROTOCOLS and PSC_SSLCLIENT_CIPHERS. See "OpenEdge Getting Started: Core Business Services - Security and Auditing", Chapter 2, "Security in OpenEdge > SSL Security > Changing the cryptographic protocol, ciphers and certificates > Supported protocols, ciphers, and certificates for Progress OpenEdge clients and servers" for the ciphers that are supported by each protocol. The following examples set the protocol to TLSv1 and the cipher to AES128-SHA to match the protocol and cipher used by the successful connection with sslc:

    For Windows:
        set PSC_SSLCLIENT_PROTOCOLS=TLSv1
        set PSC_SSLCLIENT_CIPHERS=AES128-SHA


    For Unix:
        PSC_SSLCLIENT_PROTOCOLS=TLSv1;export PSC_SSLCLIENT_PROTOCOLS
        PSC_SSLCLIENT_CIPHERS="AES128-SHA";export PSC_SSLCLIENT_CIPHERS


5. Run the OpenEdge client again. The connection will be successful using the protocol and cipher specified by the environment variables.
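
The following script is an added example, not part of the original article or Progress tooling: it reads saved output from step 2 and prints the Unix settings from step 4. It assumes sslc prints OpenSSL s_client-style output, where the `Protocol` line of the SSL-Session block (when present) reports the negotiated version; the function name `suggest_settings` and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive client settings from captured "sslc s_client" output.
# Assumption: sslc output follows the OpenSSL s_client layout, and the protocol
# names it prints are valid PSC_SSLCLIENT_PROTOCOLS values (the article only
# confirms TLSv1).

# suggest_settings: reads s_client output on stdin, prints export lines.
# Returns 1 when no cipher was negotiated (the handshake failed).
suggest_settings() {
    awk '
        # Handshake summary, e.g. "New, TLSv1/SSLv3, Cipher is AES128-SHA"
        /^(New|Reused), .*Cipher is / {
            cipher = $NF
            split($2, part, "[/,]"); summary = part[1]
        }
        # SSL-Session block, e.g. "    Protocol  : TLSv1" (negotiated version)
        /^[ \t]*Protocol[ \t]*:/ { proto = $NF }
        END {
            if (cipher == "" || cipher == "(NONE)") exit 1
            if (proto == "") proto = summary   # fall back to the summary line
            printf "PSC_SSLCLIENT_PROTOCOLS=%s; export PSC_SSLCLIENT_PROTOCOLS\n", proto
            printf "PSC_SSLCLIENT_CIPHERS=\"%s\"; export PSC_SSLCLIENT_CIPHERS\n", cipher
            # Flag a downgrade from the 11.6 default so it can be tracked
            if (proto ~ /^(SSLv[23]|TLSv1|TLSv1\.1)$/)
                print "# note: server negotiated " proto ", older than the TLS 1.2 default"
        }'
}

# Constructed sample of s_client output for a TLS 1.0 server (not a real capture)
SAMPLE='New, TLSv1/SSLv3, Cipher is AES128-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA'

printf '%s\n' "$SAMPLE" | suggest_settings
```

To use it on a real capture, redirect the output of the step 2 command to a file and feed that file to `suggest_settings` on standard input.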
Workaround
Notes
Always use the most secure protocol and cipher supported by both client and server. Multiple protocols and ciphers may be specified using comma-separated lists; they will be tried in the order they are specified.

PSC_SSLCLIENT_PROTOCOLS and PSC_SSLCLIENT_CIPHERS can be set in ABL HTTP client code using the AddSslProtocol and AddSslCipher methods, as in the following example:
 
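    using OpenEdge.Net.HTTP.*.
    using OpenEdge.Net.HTTP.Lib.ClientLibraryBuilder.

    define variable oLib      as IHttpClientLibrary no-undo.
    define variable oRequest  as IHttpRequest       no-undo.
    define variable oResponse as IHttpResponse      no-undo.

    /* Build a client library restricted to the protocol and cipher the server accepts */
    oLib = ClientLibraryBuilder:Build()
               :AddSslProtocol('TLSv1')
               :AddSslCipher('AES128-SHA')
               :Library.

    /* oRequest must already hold the request to send */
    oResponse = ClientBuilder:Build()
                    :UsingLibrary(oLib)
                    :Client
                    :Execute(oRequest).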

 
PSC_SSLCLIENT_PROTOCOLS and PSC_SSLCLIENT_CIPHERS can be set in ABL SOAP Web service client code using the -sslprotocols and -sslciphers parameters on the Web service CONNECT method, as in the following example:
 
    hWebService:CONNECT("-WSDL 'https://my.example.com/myservice.wsdl' -sslprotocols TLSv1 -sslciphers AES128-SHA").

References to Other Documentation:

OpenEdge Getting Started: Core Business Services - Security and Auditing, Chapter 2, "Security in OpenEdge > SSL Security"
Keyword Phrase
Last Modified Date: 5/18/2023 5:07 PM
