Information

Title	What version of SSL and/or TLS does Progress OpenEdge use ?

URL Name	What-version-of-SSL-and-or-TLS-does-Progress-OpenEdge-use

Article Number	000192938

Environment	Product: OpenEdge Version: All supported versions OS: All supported platforms Other: TLS, SSL, Encryption

Question/Problem Description

What version of SSL and/or TLS does Progress OpenEdge use ?
Which versions of Progress support TLS 1.1 and 1.2?
Which OpenEdge releases use TLS 1.1, TLS 1.2 protocols ?
Does Progress support the TLS encryption standard ?
Does Progress support the SSL version 2 encryption standard ?
Does Progress support the SSL version 3 encryption standard ?

Steps to Reproduce

Clarifying Information

TLS (Transport Layer Security) is the successor to SSLv3.
SSL 2.0 was deprecated in 2011 and is no longer considered secure
SSL 3.0 is no longer considered secure due to the POODLE vulnerability, and was deprecated in June 2015. See also article How does the POODLE vulnerability affect OpenEdge ?

Error Message

Defect Number

Enhancement Number

Cause

Resolution

Support for TLS 1.1 and TLS 1.2 is implemented starting with OpenEdge 11.6

OpenEdge 10.2B, and OpenEdge 11.3 through 11.5 can support TLS 1.0 with appropriate hotfixes applied. See article How does the POODLE vulnerability affect OpenEdge ? for further details.

For all earlier versions the ABL client only fully supports SSLv2 and SSLv3 protocols when connecting a OpenEdge client to an OpenEdge Server. These do not provide full TLS support.
Specifically, the TLS Hello message/handshake to initialize a connection is not implemented. As a result, the client can not connect to servers that enforce strict mode.
However, if strict mode is not enforced the OE client can connect to an external non-OE server configured for TLSv1.0, and use TLSv1.0. This can be tested with Progress customized version of OpenSSL, for example:

sslc s_client -connect hostname:443

Look for the following section at the bottom of the output:

SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA

Workaround

Notes

References to Other Documentation:

Progress Article(s):
How does the POODLE vulnerability affect OpenEdge ?
Progress OpenEdge and SSL / TLS
What version of SSL / TLS does the ABL client use when connecting to WebService?
ACTION REQUIRED: TLS & SHA-2 support in OpenEdge 10.2B (Critical Alert)

Please note, versions of OpenEdge prior to 11.6 do not implement TLS 1.2. Customers looking for TLS 1.2 support using versions of OpenEdge prior to version 11.6, can look to third party products, which can act as a proxy server and through which OpenEdge can gain access to TLS 1.2 support. An example of such a third part product is stunnel. stunnel is a 3rd-party tool, so it is outside the scope of Progress Technical Support. Information about stunnel can be found at:

https://www.stunnel.org/howto.html
https://www.stunnel.org/static/stunnel.html

Keyword Phrase

Last Modified Date	12/14/2020 7:53 PM