We are having an issue with calling web services under heavy load. This issue occurs in versions 11.5 and 11.6.3 under AIX.
We have a web service that is called from multiple Progress processes on a single AIX box. When many processes (more than about 5) call the process near-simultaneously, we will periodically receive the dreaded Unknown SSL Error (9318):
Secure Socket Layer (SSL) failure. error code 0: Unknown SSL error (9318)
and then the processes will dump core and terminate.
Every mention of the error above in the knowledge base points to the TLS version change in 11.6. These services support both TLS 1.0 and TLS 1.2, so this is not the issue. I have verified that Progress is attempting to connect with the correct version (turned on SSL debugging to see this).
The certificates are correctly installed as the services will normally connect and process. The issue is intermittent. The web servers show no errors, and load tests were done in another program (LoadUI) that spammed the service with thousands of requests on 10+ threads over several minutes with no issues. When I run 5 Progress sessions simultaneously, I get the error in about 10 seconds.
I turned on SSL debugging with level 5 and was able to capture the cert.client.log file. All of the successful connections work as expected. Connections that fail have the following errors in the cert.client.log file:
INTERNAL STATE OPERATION --- SSL_connect:error in SSLv3 read finished A
ID-0x2f557c10 CTX-0x2f559a70 BIO-0x2f85a1b0 ERROR --- SSL Client handshake failure (0) Unknown SSL error
ID-0x2f557c10 CTX-0x2f559a70 BIO-0x2f85a1b0 INFO --- Terminated SSL Client session
I understand that Progress incorrectly outputs the errors as SSLv3 even though the protocol is TLS 1.0 or TLS 1.2.
I have tried the connections using -nosessionreuse and -nohostverify, but the same issue occurs with or without those options.
Has anyone seen anything like this? Does Progress have a scalability issue connecting to secured SOAP web services?
Some operating systems have a limit on socket port numbers. In some versions of Windows, for example, the default limit is 32768.
Don’t remember if AIX has a low default limit. If the current setting is low, raise it to the maximum possible port number (65535).
Sorry. I have been out of pocket for the last several days.
The AIX systems use the default ephemeral port range, which is 32768 - 65535 for TCP and the same range for UDP.