Client connection using HTTPS fails with error 9318

Title: Client connection using HTTPS fails with error 9318
URL Name: client-connection-using-HTTPS-fails-with-errors
Article Number: 000184679
Environment: Product: OpenEdge
Version: 11.6
OS: Windows
Other: WebClient
Question/Problem Description
WebClient connection using HTTPS fails with errors.
ABL connection using HTTPS fails with errors.

WebClient connection attempt to secure AIA fails with error:

Secure Socket Layer (SSL) failure. error code 28930: SSL routines (9318)

Adding the following parameters to the CONNECT() method clears error 9318:
-sslprotocols TLSv1 -sslciphers AES128-SHA

But results in a different error:

Secure Socket Layer (SSL) failure. error code -55: CONNECT HostName: (aia.webclientHost.com) does not match Certificate: (Unknown) (9318)


Per the SSL debug log:

[DDD MMM DD HH:MM:SS YYYY] ID-0x02e94b10 CTX-0x02e82660 BIO-0x02e82a80 INFO  --- The certificate Common Name is: (Unknown)
[DDD MMM DD HH:MM:SS YYYY] ID-0x02e94b10 CTX-0x02e82660 BIO-0x02e82a80 ERROR --- CONNECT HostName: (aia.webclientHost.com) does not match Certificate: (Unknown)
[DDD MMM DD HH:MM:SS YYYY] ID-0x02e94b10 CTX-0x02e82660 BIO-0x02e82a80 BIO   --- write to 02E82A80 [0220DEE0] (7 bytes => 7 (0x7))

[DDD MMM DD HH:MM:SS YYYY] ID-0x02e94b10 CTX-0x02e82660 BIO-0x02e82a80 BIO   --- contents of a BIO dump:
0000 - 15 03 01 00 02 02 2e                              .......
>>> TLS 1.0 Alert [length 0002], fatal certificate_unknown
    02 2e
[DDD MMM DD HH:MM:SS YYYY] INTERNAL STATE OPERATION ---  write:fatal:certificate unknown
[DDD MMM DD HH:MM:SS YYYY] INTERNAL STATE OPERATION --- SSL_connect:error in SSLv3 read server certificate B
[DDD MMM DD HH:MM:SS YYYY] INTERNAL STATE OPERATION --- SSL_connect:error in SSLv3 read server certificate B
[DDD MMM DD HH:MM:SS YYYY] ID-0x02e94b10 CTX-0x02e82660 BIO-0x02e82a80 ERROR --- SSL Client handshake failure (-55) CONNECT HostName: (aia.webclientHost.com) does not match Certificate: (Unknown)
[DDD MMM DD HH:MM:SS YYYY] ID-0x02e94b10 CTX-0x02e82660 BIO-0x02e82a80 INFO  --- Terminated SSL Client session

 
Clarifying Information
Connection to AIA / Tomcat uses TLSv1.1.

Certificate is installed on the client side as part of the WebClient installation.
Error Message
Secure Socket Layer (SSL) failure. error code 28930: SSL routines (9318)

Secure Socket Layer (SSL) failure. error code -55: CONNECT HostName: (aia.webclientHost.com) does not match Certificate: (Unknown) (9318)
Cause
The cause of the issue is two-fold.

OpenEdge 11.6 uses the TLSv1.2 protocol and the AES128-SHA256 cipher by default and excludes all other protocols and ciphers at the connection level. A client with these defaults cannot complete the handshake with this server, hence the requirement to change the SSL protocols and ciphers in the CONNECT() method.

The second error (Secure Socket Layer (SSL) failure. error code -55: CONNECT HostName: (aia.webclientHost.com) does not match Certificate: (Unknown) (9318)) is expected, because OpenEdge does not support certificates with Subject Alternative Names: the client compares the host name against the certificate's Common Name only, and the debug log shows that Common Name as (Unknown).
Resolution
Ensure that the client is using the protocols and ciphers supported by the server.
This can be achieved in a number of ways:

1) Add -sslprotocols and -sslciphers alongside -URL in the connection parameters of the CONNECT() method. For example,

-URL https://aia.webclientHost.com:8443/aia/AiaName1?AppService=MyApplicationService -sslprotocols TLSv1 -sslciphers AES128-SHA

2) Configure the following environment variables on the client machine:

PSC_SSLCLIENT_PROTOCOLS
PSC_SSLCLIENT_CIPHERS

For example,

PSC_SSLCLIENT_PROTOCOLS=TLSv1
PSC_SSLCLIENT_CIPHERS=AES128-SHA

3) Alternatively, set the protocol and cipher values with the PSC_SSLCLIENT_PROTOCOLS and PSC_SSLCLIENT_CIPHERS environment variables in ubroker.properties; these values apply when -sslprotocols and -sslciphers are not set on the client.

To avoid the host name / certificate mismatch error (-55), specify the -nohostverify parameter in the CONNECT() method, which skips the host name check against the certificate.
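The following Python script is an added example and is not part of the article or of OpenEdge. It models the two host-name checks at the centre of the Cause and Resolution sections: a Common-Name-only match (the behaviour the article attributes to OpenEdge 11.6) beside a SAN-aware match, plus a "check skipped" path that models -nohostverify. The certificates are constructed sample data; it is an assumption, drawn from the debug log's "Common Name is: (Unknown)" line, that the server certificate in the article carries aia.webclientHost.com only as a Subject Alternative Name and has no CN. The script can be pointed at the names taken from any real certificate (for example from openssl x509 output) to predict whether an 11.6 client will accept it before -nohostverify is considered.

```python
"""
Host-name-to-certificate matching, two ways (added example, not OpenEdge code):
  - cn_only:   the host name must appear in the certificate's Common Name
               (the behaviour the article attributes to OpenEdge 11.6, which
               ignores Subject Alternative Names)
  - san_aware: RFC 6125 style, SAN dNSName entries are checked first and the
               CN is only a fallback when the certificate has no SAN
All certificates below are constructed sample data, not real certificates.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """The naming fields of a server certificate that matter for host checks."""
    common_name: Optional[str]                 # None when the subject has no CN
    san_dns: List[str] = field(default_factory=list)


def _label_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive exact match, or a single leftmost-label wildcard:
    *.example.com matches a.example.com but not a.b.example.com or example.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]
    return False


def matches_cn_only(cert: CertNames, hostname: str) -> bool:
    """OpenEdge 11.6 style: only the Common Name is consulted."""
    return cert.common_name is not None and _label_match(cert.common_name, hostname)


def matches_san_aware(cert: CertNames, hostname: str) -> bool:
    """Modern style: when any SAN dNSName is present the CN is ignored."""
    if cert.san_dns:
        return any(_label_match(name, hostname) for name in cert.san_dns)
    return matches_cn_only(cert, hostname)


def check_connection(cert: CertNames, hostname: str,
                     verify_host: bool = True, san_supported: bool = False) -> str:
    """Outcome of the client's host check, phrased like the article's log line.
    verify_host=False models -nohostverify: the comparison is never made, so
    any certificate name (or none) is accepted."""
    if not verify_host:
        return "ACCEPTED (host name check skipped: any certificate name is accepted)"
    ok = matches_san_aware(cert, hostname) if san_supported else matches_cn_only(cert, hostname)
    if ok:
        return "ACCEPTED"
    shown = cert.common_name if cert.common_name is not None else "Unknown"
    return f"CONNECT HostName: ({hostname}) does not match Certificate: ({shown})"


# Constructed sample certificates (not real data).
HOST = "aia.webclientHost.com"
# Assumed shape of the article's server certificate: no CN, host only in the SAN.
SAN_ONLY_CERT = CertNames(common_name=None, san_dns=[HOST])
# A certificate that carries the host name in the CN, which an 11.6 client can match.
CN_CERT = CertNames(common_name=HOST, san_dns=[HOST])
# A wildcard CN, to show the single-label rule.
WILDCARD_CERT = CertNames(common_name="*.webclientHost.com")

if __name__ == "__main__":
    samples = [("SAN-only", SAN_ONLY_CERT), ("CN+SAN", CN_CERT), ("wildcard CN", WILDCARD_CERT)]
    for label, cert in samples:
        print(f"{label:12} 11.6 client : {check_connection(cert, HOST)}")
        print(f"{label:12} SAN-aware   : {check_connection(cert, HOST, san_supported=True)}")
    print(f"SAN-only     -nohostverify: {check_connection(SAN_ONLY_CERT, HOST, verify_host=False)}")
```

Run as-is, the SAN-only certificate reproduces the article's mismatch line under the CN-only check and passes under the SAN-aware check, while the -nohostverify path accepts it without looking at any name; issuing the server certificate with the host name in the CN is what lets an 11.6 client accept it with the host check still on.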
Last Modified Date: 11/20/2020 7:21 AM
