The ABL client does not support an SNI-enabled Web Service

Article Number: 000176691

Environment
Product: OpenEdge
Version: 11.5.x, 11.6.x, 11.7.x, 12.x
OS: All Supported Platforms
Question/Problem Description
When a Web Service provider enables SNI (Server Name Indication) on their web service, the ABL client is unable to connect.

When SNI is enabled, the ABL client fails to connect with errors 9318 and 11748:
error code 0: unknown ssl error.(9318)
error loading wsdl document, fatal error: connect operation failed. (winsock reported error=0) (11748)
or
error code 29712: SSL routines (9318)

Enabling SSL debugging (set SSLSYS_DEBUG_LOGGING=4) shows the following error in cert.client.log:
SSL_connect:error in SSLv2/v3 read server hello A
Clarifying Information
The following connection succeeds:
openssl s_client -servername hostname.com -connect hostname.com:443 -state -nbio

The following connection returns a handshake error:
openssl s_client -connect hostname.com:443 -state -nbio
 
INTERNAL STATE OPERATION --- SSL_connect:error in TLSv1.2 read server hello A
ID-0x03182fc0 CTX-0x030aea00 BIO-0x03185620 ERROR --- SSL Client handshake failure (0) Unknown SSL error
ID-0x03182fc0 CTX-0x030aea00 BIO-0x03185620 INFO --- Terminated SSL Client session

sslc.exe s_client -debug -host hostname.com -port 443 -CApath %DLC%\certs -showcerts > sslc3.log 

no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 297 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
Error Message
error code 0: unknown ssl error.(9318)
error loading wsdl document, fatal error: connect operation failed. (winsock reported error=0) (11748)
Enhancement Number: PSC00339142, PSC00360258, PSC00361906
Cause
SNI requires the client to send the server name (the value passed with -servername) as part of the TLS handshake, but the ABL client does not have SNI support.
Resolution

Upgrade to OpenEdge 11.7.2.012 or later.

  • OpenEdge 11.7.2.012 introduces SNI support for the ABL Client and .NET Open Client only.
  • OpenEdge 11.7.3 introduces support for SNI with the Java Open Client, ABL Sockets and the HTTP Client.


For the ABL Client CONNECT() method:
Set the -servername parameter in the connection-parameter arguments of the ABL Client’s CONNECT() method.

  • -servername specifies the server name that the client sends to the server during SSL connection initialization, as part of the TLS negotiation.

happsrv1:CONNECT("-URL https://www.example.com -servername www.example.com").


For ABL Web Services client WSDL and SOAP connections:
Where the WSDL and SOAP services are configured on two machines, using two different Tomcat servers, use -wsdlServername and -soapServername respectively:

hWebService:CONNECT("-WSDL https://www.example.com/wsdl -wsdlServername www.example.com -soapServername www.example.com").


For a .NET client:
Use the Progress.Open4GL.RunTimeProperties.ServerName property:

Progress.Open4GL.RunTimeProperties.ServerName = "www.example.com";


For the HTTP Client:
In OpenEdge 11.7.3, a ServerNameIndicator property has been added to the ClientSocketConnectionParameters object. When it is set and the connection is via HTTPS, it sets the ABL socket's -servername property.
Support for the same setting has been added to the ClientLibraryBuilder and related types.

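/* sslVerifyHost(NO) turns off host verification for the connection;
   ServerNameIndicator sets the server name sent for SNI. */
oLib = ClientLibraryBuilder:Build()
                           :sslVerifyHost(NO)
                           :ServerNameIndicator('www.example.com')
                           :library.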


 

Workaround

Use one of the available workarounds:

  1. Use the System.Net.WebClient class from .NET to call the web service.
  2. Connect to the web service via a (secure) proxy. 
Last Modified Date: 6/11/2025 3:59 PM
