HTTPS REST request viaproxy using "System.Net.WebClient" or "OpenEdge.Net.HTTP" SSL issue. - Forum - OpenEdge Development - Progress Community

HTTPS REST request viaproxy using "System.Net.WebClient" or "OpenEdge.Net.HTTP" SSL issue.

 Forum

HTTPS REST request viaproxy using "System.Net.WebClient" or "OpenEdge.Net.HTTP" SSL issue.

This question is not answered

Hello All,

I'm using OE 1.5.1. 

I need to get the data from a rest service that that uses https. 

USING System.*. 

DEFINE VARIABLE HttpClient      AS CLASS System.Net.WebClient. 
DEFINE VARIABLE webResponse AS LONGCHAR NO-UNDO. 
FIX-CODEPAGE (webResponse) = "UTF-8". 

HttpClient = NEW System.Net.WebClient(). 
HttpClient:Proxy:Credentials = System.Net.CredentialCache:DefaultNetworkCredentials.

/* call CashPro Flow - guaranteed FX Rates REST API*/
webResponse = HttpClient:DownloadString("SomeCompanyURL/.../10").

HttpClient:Dispose(). 
DELETE OBJECT HttpClient. 

/* save as local file*/
COPY-LOB FROM webResponse  TO FILE ('c:/temp/webResponse.txt') NO-CONVERT.

I get the following error: "System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel."

I have received a certificate and a password certificate from the company and imported that certificate into "Trusted root certification authorities".

Using the export option I have exported all the required certificates in the certificate chain and imported them via "certutil" utility in the OpenEdge certs folder.
When I enter the same URL in my browser I'm able to see the requested data. If I make a call to another https rest service from openedge I can download the data "webResponse = HttpClient:DownloadString("https://postman-echo.com/time/now")."

Can anyone give me some suggestions on how to debug the SSL connection?
I have tried Fiddler with no success.
I cannot "openssl s_client connect" because I'm behind a corporate proxy that requires NTLM authorization.
I can only access this https URL from a determined list of Ip addresses all within the corporate network.

Any help is greatly appreciated!

All Replies
  • Probably the service is TLS 1.1. or higer. Only from 11.6+ TLS 1.1 and higher are supported. See knowledgebase.progress.com/.../What-version-of-SSL-and-or-TLS-does-Progress-OpenEdge-use

  • The problem may be that the system you're talking to requires a higher lever of SSL (TLS) than is supported by the WebClient by default

    When using System.Net.WebClient, code similar to the following is needed to enable higher levels of TLS.

    Note that this change is global to your session so could possibly impact other uses of WebClient in your session.

    The code below should work in 11.5. In 11.6 it can be simplified because of the built in support for enums.

    
    
    DEFINE VARIABLE protocolType AS System.Net.SecurityProtocolType NO-UNDO.  
    
        protocolType = CAST(
          Progress.Util.EnumHelper:Or(
          System.Net.SecurityProtocolType:Tls12, System.Net.SecurityProtocolType:Tls11),
          System.Net.SecurityProtocolType).
        protocolType = CAST(
          Progress.Util.EnumHelper:Or(protocolType, System.Net.SecurityProtocolType:Tls),
          System.Net.SecurityProtocolType).
        System.Net.ServicePointManager:SecurityProtocol = protocolType.
         
  • The connection information displayed by the Chrome browser are this.

    Your connection to "company-endpoint.url" is encrypted with 256-bit encryption.
    The connection uses TLS 1.2
    The connection is encrypted using AES_256_CBC with SHA1 for message Authentication and RSA as the key exchange mechanism.

    Setting the "System.Net.ServicePointManager:SecurityProtocol" to Tls12 does not help I get the same error.

    I've also tried the same code posted in the first post using OpenEdge 11.7 and I'm getting the same error.

  • When using System.Net.WebClient, the Progress version, Progress certificate cache and the use of Certutil are irrelevant.

    In my experience, if you can get to the site using IE, you should be able to get to it using WebClient. The same may be true when using Chrome but I'm less certain of this. While using IE, it might be worth adjusting the TLS options under Internet Options/Advanced to see what's actually required for the site. If you can connect with only TLS1.2 enabled, then the same should be true in the WebClient. If not, you may need to enable more than one TLS version as shown in the code I sent. When testing with IE, be sure to clear the cache between tests.

    I'm not at all sure what, if any, impact the proxy might have on all this.

  • Thank you confirming that "System.Net.WebClient" does not use Openedge certificate store. The main challenge is how to figure what the problem is since While using IE I can also access REST endpoint URL.

  • Hello,

    I'm using OpenEdge 11.7  in order to test an https connection using OpenEdge.Net library.

    Here is the code:

    USING OpenEdge.Net.HTTP.IHttpRequest.
    USING OpenEdge.Net.HTTP.IHttpResponse.
    USING OpenEdge.Net.HTTP.ClientBuilder.
    USING OpenEdge.Net.HTTP.IHttpClientLibrary.
    USING OpenEdge.Net.HTTP.lib.ClientLibraryBuilder.
    USING OpenEdge.Net.HTTP.RequestBuilder.
    using OpenEdge.Net.HTTP.Cookie.
    using OpenEdge.Net.URI.
    
    DEFINE VARIABLE oLib        AS OpenEdge.Net.HTTP.IHttpClientLibrary NO-UNDO.
    DEFINE VARIABLE oHttpClient AS OpenEdge.Net.HTTP.IHttpClient        NO-UNDO.
    DEFINE VARIABLE oRequest    AS IHttpRequest                         NO-UNDO.
    DEFINE VARIABLE oResponse   AS IHttpResponse                        NO-UNDO.
    DEFINE VARIABLE oUri        AS URI                                  NO-UNDO.
    
    DEFINE VARIABLE cAuth AS CHARACTER NO-UNDO.
    
    LOG-MANAGER:logfile-name = 'mylog1.log'.
    LOG-MANAGER:logging-level = 6.
    MESSAGE "session:temp-dir" SESSION:TEMP-DIR VIEW-AS ALERT-BOX.
    
    
    ASSIGN oUri = new URI('http', 'appproxy.bank.com', 8080).
    
    ASSIGN
         oLib        = ClientLibraryBuilder:Build():sslVerifyHost(NO):library
         oHttpClient = ClientBuilder:Build():UsingLibrary(oLib):Client
         oRequest    = RequestBuilder:Get("https://registry.npmjs.org"):AddHeader("Proxy-Connection", 'Keep-Alive'):ViaProxy(oUri):Request
         oResponse   = oHttpClient:Execute(oRequest).
    
    
    MESSAGE /*got 407 Proxy Authentication Required*/
        oResponse:StatusCode SKIP   
        oResponse:StatusReason SKIP
       VIEW-AS ALERT-BOX.
    
    cAuth = "Basic base64_encoded_user:password".
    oRequest    = RequestBuilder:Get("https://registry.npmjs.org/")
                                               :AddHeader("Proxy-Connection", 'Keep-Alive')
                                               :AddHeader("Proxy-Authorization", cAuth)
                                               :AddHeader("Accept-Encoding", "gzip,deflate")
                                               :AddHeader("Connection", "Keep-Alive")
                                               :ViaProxy(oUri):Request.
    
    oResponse   = oHttpClient:Execute(oRequest).
    
    
    MESSAGE /* got 400  bad request */
        oResponse:StatusCode SKIP   
        oResponse:StatusReason SKIP
        oResponse:ContentType SKIP
        oResponse:GetHeader("Set-Cookie")
        STRING(oResponse:Entity)   /* this is the response */
        VIEW-AS ALERT-BOX. 
    
    CATCH oError as Progress.Lang.Error :
        MESSAGE  "Progress.Lang.Error " SKIP 
            oError:GetMessage(1) SKIP(2)
            oError:CallStack
        VIEW-AS ALERT-BOX.		
    END CATCH. 



    The raw request looks like this.

    GET https://registry.npmjs.org/ HTTP/1.1

    User-Agent: OpenEdge-HttpClient/0.4.0 (WIN32/32) OpenEdge/11.7.0.0.1388 Lib-ABLSockets/0.4.0

    Proxy-Connection: Keep-Alive

    Proxy-Authorization: Basic base64_encoded_user:password

    Host: registry.npmjs.org

    Connection: Keep-Alive

    Accept: */*

    Accept-Encoding: gzip,deflate

    Using the same code to make an HTTP request works. Does anyone have any idea why is not working?

    I've tried with curl (openSSL 1.1.0f) to get the data from the same endpoint and I get a response back.

    Can anyone confirm that "Two-way SSL authentication (server <-> client)" is supported with OpenEdge.Net client?

  • Sadly client-side certs are not supported yet in ABL (and the OpenEdge.Net client uses an ABL socket ). There's an idea at community.progress.com/.../improve_abl_sockets_to_support_client-side_certificate_authentication  for this.