Progress Client calling SSL API endpoint - Forum - OpenEdge Development - Progress Community

This question is not answered

Hi,

I have looked at the supported cipher list here:

https://docs.progress.com/bundle/security-auditing-introduction/page/Supported-protocols-ciphers-and-certificates-for-Progress-OpenEdge-clients-and-servers.html

Is it fair to say that an endpoint with the following results from an SSL Lab is not supported:

Certificate #1: RSA 2048 bits (SHA256withRSA)
Key RSA 2048 bits (e 65537)
Signature algorithm SHA256withRSA

Protocols
TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No
For TLS 1.3 tests, we only support RFC 8446.

Cipher Suites
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK 112

I've seen this link but as far as I can tell, whilst the question is answered, it does not provide a solution and the links to the knowledgebase don't result in a solution either.
community.progress.com/.../57841

From what I can tell, there are standard ciphers supported and then you can change them to any other value in the supported list, but all the above are not supported.

I have exported the cert into the DLC certs directory using the tools.

I get Error 9318 or, if I add the non-supported ciphers, the Progress client crashes and disappears with no error.

Is someone able to verify whether it should work in the first place, the best workaround approaches and the direction of support going forwards?

Thanks
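
Whether the handshake can succeed comes down to whether the suites the client offers overlap the server list in the report above. As an added example (not part of the original post, and not Progress code), this parses the pasted SSL Labs lines and picks the suite the server would choose for a given client offer, matching on the IANA code point so that naming differences between tools do not matter. The two client lists are constructed placeholders, not OpenEdge's actual supported set; substitute the code points of the suites your client is configured with.

```python
import re

# Cipher-suite lines copied from the SSL Labs report in the post (server-preferred order).
REPORT = """\
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK 112
"""

# Groups: suite name, IANA code point, free-form flags (key exchange, FS, WEAK), strength in bits.
LINE = re.compile(r"^(TLS_\w+) \((0x[0-9a-fA-F]+)\)(.*?)(\d+)$")

def parse_report(text):
    """Return the server's suites as dicts, keeping the report's order."""
    suites = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # headings, blank lines, anything that is not a suite row
        name, code, flags, bits = m.groups()
        words = flags.split()
        suites.append(dict(name=name, id=int(code, 16), fs="FS" in words,
                           weak="WEAK" in words, bits=int(bits)))
    return suites

def negotiate(server_suites, client_ids):
    """First server-preferred suite the client also offers.
    None means no overlap, so the handshake fails before any data is sent."""
    offered = set(client_ids)
    return next((s for s in server_suites if s["id"] in offered), None)

# Constructed client offers (assumptions for illustration only):
# A offers TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) and TLS_RSA_WITH_AES_128_CBC_SHA (0x2f).
CLIENT_A = [0x003C, 0x002F]
# B offers only the two RSA/CBC/SHA256 suites (0x3c, 0x3d), neither of which the server lists.
CLIENT_B = [0x003C, 0x003D]

if __name__ == "__main__":
    suites = parse_report(REPORT)
    for label, ids in (("A", CLIENT_A), ("B", CLIENT_B)):
        pick = negotiate(suites, ids)
        print(label, "->", pick["name"] if pick else "no common suite (handshake failure)")
```

A result flagged `weak` or without `fs` means the connection would work but only on a suite the report itself marks as weak or lacking forward secrecy.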

All Replies
  • This is what I used to negotiate a transparent proxy, which implies that the handshake is done by Apache (iirc).

  • Thanks bronco - I'll give it a go.