Consume a REST service on amazonaws.com - SSL Connection failure - Forum - OpenEdge General - Progress Community


Hi,

I am attempting to consume a REST web service on OE11.6 - Windows 10 (production to be Linux RedHat), hosted on amazonaws.com, but it fails to connect due to the following error:

Secure Socket Layer (SSL) failure. error code 29712:  SSL routines (9318)

followed by:

Connection failure for host ********.execute-api.eu-west-1.amazonaws.com port 443 transport TCP. (9407)

I tried to find a solution by following some KB solutions without luck. The problem seems to be a protocol and cipher difference, from what I understand.

The following is a very dumbed-down version of my program:

USING OpenEdge.Net.HTTP.*.
USING OpenEdge.Net.URI.
USING OpenEdge.Net.HTTP.Lib.ClientLibraryBuilder FROM PROPATH.
USING Progress.Json.ObjectModel.JsonObject.

DEFINE VARIABLE oClient   AS IHttpClient        NO-UNDO.
DEFINE VARIABLE oURI      AS URI                NO-UNDO.
DEFINE VARIABLE oRequest  AS IHttpRequest       NO-UNDO.
DEFINE VARIABLE oResponse AS IHttpResponse      NO-UNDO.
DEFINE VARIABLE oLib      AS IHttpClientLibrary NO-UNDO.

/* Socket library with the protocol and cipher the KB suggested. */
oLib = ClientLibraryBuilder:Build()
           :AddSslProtocol('TLSv1')     /* suggested by KB */
           :AddSslCipher('AES128-SHA')  /* suggested by KB */
           :Library.

/* The SSL settings above only apply if the client is built with this library. */
oClient = ClientBuilder:Build():UsingLibrary(oLib):Client.

oURI = NEW URI('https', '*****.execute-api.eu-west-1.amazonaws.com', 443). /* URL changed for security */
oURI:Path = 'uat'.
/* Query parameters belong in AddQuery, not in Path (Path is URL-encoded). */
oURI:AddQuery('AuthKey', '########').
oURI:AddQuery('Limit', '5').

oRequest = RequestBuilder:Build('GET', oURI)
               :ContentType('application/json')
               :AcceptJson()
               :Request.

/* Execute once, with the client that carries the SSL settings. */
oResponse = ResponseBuilder:Build():Response.
oClient:Execute(oRequest, oResponse).

MESSAGE STRING(oResponse:StatusCode) SKIP
        STRING(oResponse:StatusReason, "x(30)")
    VIEW-AS ALERT-BOX.

IF oResponse:StatusCode <> 200 THEN
    DISPLAY "Request Error " + STRING(oResponse:StatusCode) FORMAT "x(40)".
ELSE
    CAST(oResponse:Entity, JsonObject):WriteFile('c:\temp\resp.json', TRUE).


I then did a simple C# program to do the same and that connected first time round. What do I need to do in OE to make this work?

Thanks in advance

Regards,

Mark Davies

All Replies
  • Just as some additional info on this - I ran the sslc command as suggested by one of the KBs and this was the result (not sure if it helps someone understand why I am getting this issue):

    sslc s_client -connect ******.execute-api.eu-west-1.amazonaws.com:443

    With this result:

    Loading 'screen' into random state - done
    CONNECTED(000001C0)
    236:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:.\ssl\s23_clnt.c:757:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 297 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---

    Regards,

    Mark Davies

  • Did you import the certs the site uses into $DLC/certs directory using certutil command?
    Brian Maher
    Principal Engineer, Technical Support
    Progress

  • Just a guess, but it looks like you're trying to use a v2 or v3 hello message with amazon....which I doubt is allowing a v2 hello or an ssl v3 hello since they are both deprecated.  Have you tried using TLSv1.2 instead of trying to force TLSv1?

    Do you know that amazon allows AES128-SHA?  Maybe try removing that and let the server decide via standard negotiation instead of trying to force it.

    For your sslc test, try using the -tls1 switch to force TLS instead of the defaults.

    https://documentation.progress.com/output/ua/OpenEdge_latest/index.html#page/gscsv/ssl-security.html

    mattB

  • Also, AES128-SHA isn't a valid protocol name for TLSv1.2.  Try "AES128-SHA256" instead.

    List is here:

    documentation.progress.com/.../index.html

    Try using the full name from the list.

  • Hi Matt,

    Thanks for the reply.

    I have tried as suggested: I removed this from my code to allow it to use the defaults, which I assume tries the better option:

    oLib = ClientLibraryBuilder:Build()
    :AddSslProtocol('TLSv1') /* suggest by KB */
    :AddSslCipher('AES128-SHA') /* suggest by KB */
    :Library.

    Just to be sure I covered all the suggestions in the replies, I re-imported the cert using the following steps:

    1. Downloaded the base64-encoded X.509 certificate from the site and saved it as a .cer file
    2. Renamed the saved .cer file to .pem
    3. Ran mkhashfile sitecert.pem
    4. Ran certutil -format PEM -import sitecert.pem

    Got confirmation that the cert was imported and can see it in $DLC\certs

    However, running the code again yielded the same error.

    I then also ran SSLC again with the -tls1 switch and got a different result:

    sslc s_client -connect ******.execute-api.eu-west-1.amazonaws.com:443 -tls1
    Loading 'screen' into random state - done
    CONNECTED(000001C0)
    11648:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1289:SSL alert number 40
    11648:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:.\ssl\s3_pkt.c:626:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 0 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
    Protocol : TLSv1
    Cipher : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1526444229
    Timeout : 7200 (sec)
    Verify return code: 0 (ok)
    ---

    Any ideas or suggestions would be greatly appreciated.

    Thanks

    Regards,

    Mark Davies
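An added example, not from this thread or from Progress, that applies the diagnosis in the replies to the sslc transcripts Mark posted: a Python classifier that reads an s_client/sslc transcript and separates a TCP failure, a handshake rejected before any certificate arrived (which no certutil import can fix), and a completed handshake whose chain is not trusted. The first sample is an abridged copy of the -tls1 transcript above; the untrusted-chain sample is constructed for contrast.

```python
import re
# Constructed sample, abridged from the "-tls1" sslc transcript quoted above.
SAMPLE_TLS1 = r"""CONNECTED(000001C0)
11648:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1289:SSL alert number 40
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
    Verify return code: 0 (ok)
"""
# Constructed contrast case: handshake completed, but the chain is not trusted.
SAMPLE_UNTRUSTED = r"""CONNECTED(000001C0)
verify error:num=20:unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL handshake has read 3121 bytes and written 433 bytes
    Verify return code: 20 (unable to get local issuer certificate)
"""

def _int(pattern, text, default=None):
    m = re.search(pattern, text)
    return int(m.group(1)) if m else default

def diagnose(transcript):
    """Classify an s_client/sslc transcript as tcp, negotiation, trust or ok."""
    cipher = re.search(r"Cipher is \(?([^)\n]+?)\)?$", transcript, re.M)
    facts = {
        "connected": "CONNECTED(" in transcript,
        "handshake_alert": "alert handshake failure" in transcript,
        "alert": _int(r"SSL alert number (\d+)", transcript),
        "peer_cert": "no peer certificate available" not in transcript,
        "cipher": cipher.group(1) if cipher else None,
        "bytes_read": _int(r"handshake has read (\d+) bytes", transcript, 0),
        "verify": _int(r"Verify return code: (\d+)", transcript),
    }
    if not facts["connected"]:
        facts["verdict"] = "tcp"          # TCP failed; TLS never started
    elif facts["handshake_alert"] or facts["cipher"] in (None, "NONE"):
        # Fatal alert before any certificate was sent: 7 bytes read is exactly
        # one alert record (5-byte header + level + description, here 40).
        # The offered protocol/cipher set is rejected; CA imports cannot fix it.
        facts["verdict"] = "negotiation"
    elif facts["verify"] not in (None, 0):
        facts["verdict"] = "trust"        # handshake ok, chain not trusted
    else:
        facts["verdict"] = "ok"
    return facts
```

"Verify return code: 0 (ok)" in the -tls1 run is not a pass: it is reported because no certificate was ever received to verify, which is why the verdict keys on the alert and the empty cipher rather than on that line.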