Client run from command line cannot connect via SSL

Information

Title: Client run from command line cannot connect via SSL
URL Name: The-OpenEdge-client-fails-to-connect-to-an-SSL-server-that-uses-an-SHA256-certificate
Article Number: 000177540
Environment:
Product: OpenEdge
Version: 10.2B, 11.0 through 11.5.1
OS: All supported platforms
Question/Problem Description
The OpenEdge client fails to connect to an SSL server that uses a SHA2 (for example SHA256) certificate when the client is run from the command line.
The WSDL Analyzer (bprowsdldoc) fails to connect to an SSL-enabled Web Service that uses a SHA2 (for example SHA256) certificate.
Clarifying Information
The connection is successful when the ABL code is executed from within a Procedure Editor.
Error Message:
Secure Socket Layer (SSL) failure. error code -54: unable to get local issuer certificate: for <hash file> in <path> (9318)
Error message: 9318
Error message: 9407
Error loading WSDL document <WSDL document>: Fatal Error: connect operation failed (WinSock reported error=0) location: <WSDL document> (11748)
Defect Number: PSC00334000
Cause
The OpenEdge client does not initialize the OpenSSL library with all required ciphers when the client session is started directly from the command line.

The problem does not occur in the Procedure Editor because the Procedure Editor code makes a connection to an internal temp-table at startup. The temp-table connection, which is internally the same as a database connection, causes all of the necessary initialization code to run. All required ciphers are then available to any ABL code that is run in the Procedure Editor for the rest of the session.
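Because this defect only shows up against a SHA2-signed server certificate, it is worth confirming that condition before applying the workaround below. The following Python script is an added diagnostic, not Progress code: it reads the signatureAlgorithm OID from the outer Certificate SEQUENCE of a DER or PEM certificate and reports the hash family. The certificate it builds for itself is a constructed skeleton (placeholder body, fake signature), not a real certificate; in practice you would feed it the server certificate saved from a browser or captured with `openssl s_client -connect host:443 -showcerts`. The OID table goes beyond the article and also recognises ECDSA and SHA-384/512 signatures.

```python
"""Report the signature hash algorithm of an X.509 certificate (DER or PEM).

Added diagnostic, not OpenEdge code. Only the outer Certificate SEQUENCE is
parsed: tbsCertificate is skipped, then the AlgorithmIdentifier OID names
the hash the issuer used (SHA-1 versus the SHA-2 family).
"""
import base64

# OID -> algorithm name for signature algorithms commonly seen on TLS server certificates.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def _read_tlv(data, pos):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _decode_oid(raw):
    """Turn OID content bytes into dotted form (first byte packs the first two arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(cert):
    """Strip PEM armor and base64-decode; DER input (starts with 0x30) is returned as-is."""
    if isinstance(cert, bytes) and cert[:1] == b"\x30":
        return cert
    text = cert.decode() if isinstance(cert, bytes) else cert
    body = "".join(line.strip() for line in text.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def der_to_pem(der):
    """Wrap DER in PEM armor (64-column base64 lines)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def signature_algorithm(cert):
    """Return (oid, name) from the certificate's signatureAlgorithm field."""
    der = pem_to_der(cert)
    tag, start, _ = _read_tlv(der, 0)             # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)         # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(der, tbs_end)   # AlgorithmIdentifier ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(der[oid_start:oid_end])
    return oid, SIGNATURE_OIDS.get(oid, "unknown")


def is_sha2_signed(cert):
    """True when the signature hash is SHA-256/384/512, the case this article covers."""
    _, name = signature_algorithm(cert)
    return any(bits in name for bits in ("256", "384", "512"))


# --- constructed sample data: a certificate skeleton, not a real certificate ---

def _der(tag, content):
    """Minimal DER encoder, used only to build the sample skeleton."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(oid):
    """Dotted OID -> DER content bytes (base-128 arcs, first two arcs packed)."""
    arcs = [int(a) for a in oid.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return bytes(out)


def make_sample_certificate(sig_oid):
    """Certificate SEQUENCE with a placeholder tbsCertificate and a fake signature."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                              # stand-in body
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL params
    sig = _der(0x03, b"\x00" + b"\xAA" * 8)                            # BIT STRING
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        cert = make_sample_certificate(oid)
        print(signature_algorithm(cert), "SHA-2 signed:", is_sha2_signed(cert))
```

If `is_sha2_signed` reports False for the real server certificate, the failure has a different cause than the one in this article and the upgrade or temp-table workaround will not address it.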
Resolution
Upgrade to OpenEdge 10.2B0848.
For further details, please reference the whitepaper "Addressing POODLE vulnerability and SHA2 support in Progress OpenEdge 10.2B08".

Upgrade to OpenEdge 11.3.3.026.
For further details, please reference the whitepaper "Addressing POODLE vulnerability and SHA2 support in Progress OpenEdge 11.3.3".

Upgrade to OpenEdge 11.4.0.028.
For further details, please reference the whitepaper "Addressing the POODLE Vulnerability in Progress OpenEdge in 11.4.0.028HF".

Upgrade to OpenEdge 11.5.1.015.
For further details, please reference the whitepaper "Addressing POODLE vulnerability and SHA2 support in Progress OpenEdge 11.5.1".

Upgrade to OpenEdge 11.6 or later.
For further details, please reference "OpenEdge Getting Started: Core Business Services - Security and Auditing, Chapter 2, Security in OpenEdge > SSL Security" in the OpenEdge 11.6 documentation set.

Workaround
For an ABL client
Define an arbitrary temp-table at the beginning of the ABL application code. The connection to this temp-table will force the session to properly initialize the OpenSSL library, as happens when the ABL code is run within the Procedure Editor. For example:
/* Defining any temp-table makes the session run the same initialization
   the Procedure Editor performs, so OpenSSL is set up with all ciphers. */
DEFINE TEMP-TABLE tt1 NO-UNDO
    FIELD f1 AS CHARACTER.

DEFINE VARIABLE svURL   AS CHARACTER NO-UNDO.
DEFINE VARIABLE lvOK    AS LOGICAL   NO-UNDO.
DEFINE VARIABLE svSRV_H AS HANDLE    NO-UNDO.

svURL = "-URL https://www.myhost.com/progress/Aia?AppService=asbroker1".

CREATE SERVER svSRV_H.
lvOK = svSRV_H:CONNECT(svURL).
MESSAGE lvOK VIEW-AS ALERT-BOX INFO BUTTONS OK.

IF lvOK THEN svSRV_H:DISCONNECT().
DELETE OBJECT svSRV_H.

Alternatively, make a connection to any database at the beginning of the ABL application code.


For the WSDL Analyzer
  1. Open the WSDL URL in a browser.
  2. Save the WSDL document to a local file.
  3. Run the WSDL Analyzer against the local copy of the WSDL document. For example:
     bprowsdldoc wsdlcopy.xml
Last Modified Date: 11/20/2020 7:23 AM