Secure Socket Layer (SSL) failure. error code -55: CONNECT H

Posted by Niall Morgan on 04-Jun-2017 10:57

Hi

I'm trying to get Progress OpenEdge to authenticate with our Office 365 so we can programmatically upload files to SharePoint.

I am stuck at the first hurdle as I cannot seem to get Progress to accept the URL https://login.microsoftonline.com. It returns an error saying the certificate is graph.windows.net.

Secure Socket Layer (SSL) failure. error code -55: CONNECT HostName: (login.microsoft.com) does not match Certificate: (graph.windows.net) (9318)

I only receive this error for login.microsoftonline.com; it works for portal.azure.com and portal.office365.com, and if I retrieve the needed cookie that login.microsoftonline returns, it even works with the SharePoint URL.

This is the code I've been using, and I can get it to return status 200 when I use portal.azure.com. Any help is appreciated. I'm guessing it's some sort of certificate config error, but I'm not sure where to start, as it is working for some of the other Microsoft URLs.

BLOCK-LEVEL ON ERROR UNDO, THROW.

USING OpenEdge.Core.String.
USING OpenEdge.Net.HTTP.ClientBuilder.
USING OpenEdge.Net.HTTP.IHttpRequest.
USING OpenEdge.Net.HTTP.IHttpResponse.
USING OpenEdge.Net.HTTP.RequestBuilder.

DEFINE VARIABLE httpUrl AS CHARACTER NO-UNDO.
DEFINE VARIABLE oRequest AS IHttpRequest NO-UNDO.
DEFINE VARIABLE oResponse AS IHttpResponse NO-UNDO.
DEFINE VARIABLE oRequestBody AS String NO-UNDO.

DEFINE VARIABLE JsonString AS LONGCHAR NO-UNDO.

SESSION:DEBUG-ALERT = TRUE.
httpUrl = "https://portal.azure.com".

oRequestBody = new String('t=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&p=').

oRequest = RequestBuilder:Post(httpUrl, oRequestBody)
    :AddHeader("Pragma", "no-cache")
    :AddHeader("Accept-Language", "en-US,en;q=0.8")
    :AddHeader("Content-Type", "application/x-www-form-urlencoded")
    :AddHeader("Accept", "*/*")
    :AddHeader("Connection", "keep-alive")
    :AddHeader("Cache-Control", "no-cache")
    :Request.

oResponse = ClientBuilder:Build():Client:Execute(oRequest).

MESSAGE
    oResponse:StatusCode SKIP
    oResponse:StatusReason SKIP
    VIEW-AS ALERT-BOX.

All Replies

Posted by Srinivas Munigala on 04-Jun-2017 20:58

Hi Niall,

Here, the ABL client is verifying the hostname of the service against the hostname in the certificate as part of the SSL/TLS handshake. This is expected behavior. If you don't want it to be verified, you need to set the "sslVerifyHost" parameter value to "false". Please follow the KBase article below to do so:

knowledgebase.progress.com/.../How-to-use-nohostverify-with-the-ABL-HTTPClient

Hope it helps.

Thanks,

Srinivas Munigala

Posted by Niall Morgan on 05-Jun-2017 03:04

Hi Srinivas, I don't think disabling SSL is the solution, especially for a login request. I agree that the client is verifying the host; however, using the same set of certificates, curl can correctly verify login.microsoftonline.com for the request.

Posted by marian.edu on 05-Jun-2017 03:36

It’s not host verify then, it’s the certificate authority chain that you need to import… Progress only trusts certificates that are added to its trust store; you need to add the full CA issuers chain so the certificate can be trusted.


Check out `certutil import`. The easiest way to get the server certificate and all the issuers' ones up the CA chain is to use your web browser… once you have saved all certificates (cert files), be sure you import those on all clients making requests to that server.

It does look like the certificate is issued for stamp2.login.microsoftonline.com though, so probably using ‘-nohostverify’ on your connect statement is still required.
 
Marian Edu

Acorn IT 
+40 740 036 212

Posted by Niall Morgan on 05-Jun-2017 05:59

Hi Marian, thanks for the info. So are you saying that this is probably an issue with OpenEdge and not a certificate issue?

Posted by onnodehaan on 05-Jun-2017 06:06

Hi Niall,

Just checking: have you tried the suggested -nohostverify parameter?

hServer:connect( "-H test.com  -S 443  -nohostverify " )

It is not disabling SSL; it is only applying a slightly less strict verification method for hostnames.

Posted by Niall Morgan on 06-Jun-2017 08:00

No, it still produces the same error.

Posted by Niall Morgan on 07-Jun-2017 12:24

It looks like it's not supported in 11.6.3.

knowledgebase.progress.com/.../000051139

This thread is closed
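
Added example (not part of the original thread and not Progress code): a Python sketch of the hostname-versus-certificate check that error 9318 reports, using RFC 6125-style matching over certificate dictionaries shaped like the output of `ssl.SSLSocket.getpeercert()`. The certificate contents are constructed from the names quoted in the thread; their SAN lists and the wildcard entry are assumptions, not the real certificates.

```python
# Added illustration: hostname-vs-certificate matching as a TLS client performs it.
# The certificate dicts below are CONSTRUCTED samples in ssl.getpeercert() shape.

def _label_match(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against a hostname (RFC 6125 rules)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False          # a wildcard never spans more than one label
    if p_labels[0] == "*":
        # Wildcard only as the whole leftmost label, never directly above a TLD.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def presented_names(cert: dict) -> list:
    """DNS names a verifier considers: SAN dNSName entries, else subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans           # CN is ignored once any dNSName SAN exists
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def verify_host(cert: dict, host: str) -> tuple:
    """Return (ok, names) so a failure can report what the server presented."""
    names = presented_names(cert)
    return any(_label_match(n, host) for n in names), names


# Constructed samples using the hostnames quoted in the thread.
CERT_GRAPH = {"subject": ((("commonName", "graph.windows.net"),),),
              "subjectAltName": (("DNS", "graph.windows.net"),)}
CERT_STAMP2 = {"subject": ((("commonName", "stamp2.login.microsoftonline.com"),),),
               "subjectAltName": (("DNS", "stamp2.login.microsoftonline.com"),
                                  ("DNS", "login.microsoftonline.com"))}
CERT_WILDCARD = {"subject": ((("commonName", "example.invalid"),),),
                 "subjectAltName": (("DNS", "*.login.microsoftonline.com"),)}

if __name__ == "__main__":
    for label, cert in [("graph", CERT_GRAPH), ("stamp2", CERT_STAMP2),
                        ("wildcard", CERT_WILDCARD)]:
        ok, names = verify_host(cert, "login.microsoftonline.com")
        print(f"{label:9s} match={ok} presented={names}")
```

Listing the presented names next to the requested host separates a name mismatch (the wrong certificate was served or requested) from a trust-store problem, which is a different check in the handshake.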