Information

Title	What version of SSL / TLS does the ABL client use when connecting to WebService?

URL Name	What-version-of-SSL-TLS-does-ABL-client-used-when-connecting-to-WebService

Article Number	000172780

Environment	Product: OpenEdge Version: 10.x, 11.x OS: All supported platforms Other: SSL /TLS

Question/Problem Description

What version of SSL / TLS does ABL client used when connecting to WebService?
Does the ABL client fully support TLS protocol ?

Steps to Reproduce

Clarifying Information

SSLv2 and SSLv3 are no longer considered secure (SSLv3 was broken via the POODLE vulnerability). As result, TLS is becoming the minimum accepted standard.

Error Message

Defect Number	Defect PSC00326235, PSC00332409

Enhancement Number

Cause

Resolution

In OpenEdge versions 11.5 and below to which specific hot fixes listed in this article have not been applied, the ABL client fully supports only SSLv2 and SSLv3 protocols. TLS support is not fully implemented. Specifically, the TLS Hello message / handshake to initialize a connection is not implemented. As a result, the client can not connect to servers that enforce strict mode, accepting only TLS Hello messages when a client attempts to connect to a Web Service, or through an SSL enabled AppServer Internet Adapter).

In the OpenEdge versions listed below, each component can be manually configured to communicate over TLS 1.0 rather than the default SSL 3.0 protocol. Note that for some versions, a service pack and/or hot fix must be applied to enable this fuctionality.

To enable ABL client connections to servers that only accept TLS, upgrade the OpenEdge installation to one of the versions listed below. Then configure the client to create secure connections using TLS 1.0 (or higher in a version where 1.1 or 1.2 is provided), using any cipher that is compatible with that TLS version.

Upgrade to OpenEdge 10.2B0848 (TLSv1.0).
For further details, please reference the whitepaper "Addressing POODLE vulnerability and SHA2 support in Progress OpenEdge 10.2B08".

Upgrade to OpenEdge 11.3.3.026 (TLSv1.0).
For further details, please reference the whitepaper "Addressing POODLE vulnerability and SHA2 support in Progress OpenEdge 11.3.3".

Upgrade to OpenEdge 11.4.0.028 (TLSv1.0).
For further details, please reference the whitepaper "Addressing the POODLE Vulnerability in Progress OpenEdge in 11.4.0.028HF".

Upgrade to OpenEdge 11.5.1 or later (TLSv1.0).
For further details, please reference the document "OpenEdge Service Pack: New Information" which is available on the Service Pack download page or the whitepaper "Addressing POODLE vulnerability and SHA2 support in Progress OpenEdge 11.5.1".

Upgrade to OpenEdge 11.6 (TLSv1.0 , TLSv1.1 and TLSv1.2).
For further details, please reference "OpenEdge Getting Started: Core Business Services - Security and Auditing, Chapter 2, Security in OpenEdge > SSL Security" in the OpenEdge 11.6 documentation set.

Workaround

Notes

Progress Article(s):
How does the POODLE vulnerability affect OpenEdge ?
The OpenEdge client fails to connect to a secure web server which has disabled the SSLv3 protocol
Does OpenEdge 10.x or 11.x support SHA-2 signed certificates?

Keyword Phrase

Last Modified Date	11/20/2020 7:21 AM

What version of SSL / TLS does the ABL client use when connecting to WebService?

Information