I am attempting to consume a REST web service on OE11.6 - Windows 10 (production to be Linux RedHat), hosted on amazonaws.com, but it fails to connect due to the following error:
Secure Socket Layer (SSL) failure. error code 29712: SSL routines (9318)
Connection failure for host ********.execute-api.eu-west-1.amazonaws.com port 443 transport TCP. (9407)
I tried to find a solution by following some KB solutions without luck. The problem seems to be protocol and cipher difference - from what I understand.
The following is a very dumbed-down version of my program:
USING OpenEdge.Net.HTTP.*.USING OpenEdge.Net.URI.USING OpenEdge.Net.HTTP.Lib.ClientLibraryBuilder FROM PROPATH.USING Progress.Json.ObjectModel.JsonObject.
DEFINE VARIABLE oClient AS IHTTPClient NO-UNDO.DEFINE VARIABLE oURI AS URI NO-UNDO.DEFINE VARIABLE oRequest AS IHttpRequest NO-UNDO.DEFINE VARIABLE oResponse AS IHttpResponse NO-UNDO.DEFINE VARIABLE vlcRequestData AS LONGCHAR NO-UNDO.DEFINE VARIABLE oLib AS IHttpClientLibrary NO-UNDO.DEFINE VARIABLE oJsonParam AS JsonObject NO-UNDO.
oLib = ClientLibraryBuilder:Build():AddSslProtocol('TLSv1') /* suggest by KB */:AddSslCipher('AES128-SHA') /* suggest by KB */:Library.
oClient = ClientBuilder:Build():Client.oURI = NEW URI('https', '*****.execute-api.eu-west-1.amazonaws.com',443). /* URL changed for security */oURI:Path = 'uat?AuthKey=########&Limit=5'.
oRequest = RequestBuilder:Build('GET', oURI) :ContentType('application/json') :acceptJson() :REQUEST.
oResponse = ResponseBuilder:Build():Response.
oResponse = ClientBuilder:Build():Client:Execute(oRequest).
MESSAGE STRING(oResponse:StatusCode) SKIP STRING(oResponse:StatusReason, "x(30)")VIEW-AS ALERT-BOX.
IF oResponse:StatusCode <> 200 THEN DISPLAY "Request Error" + String(oResponse:StatusCode).ELSE CAST(oResponse:entity, JsonObject):WriteFile('c:\temp\resp.json', TRUE).
I then did a simple C# program to do the same and that connected first time round. What do I need to do in OE to make this work?
Thanks in advance
Just as some additional info on this - I ran the sslc command as suggested by one of the KBs and this was the result (not sure if it helps someone to understand what I am getting this issue):
sslc s_client -connect ******.execute-api.eu-west-1.amazonaws.com:443
With this result:
Loading 'screen' into random state - done
236:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:.\ssl\s23_clnt.c:757:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 7 bytes and written 297 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Just a guess, but it looks like you're trying to use a v2 or v3 hello message with amazon....which I doubt is allowing a v2 hello or an ssl v3 hello since they are both deprecated. Have you tried using TLSv1.2 instead of trying to force TLSv1?
Do you know that amazon allows AES128-SHA? Maybe try removing that and let the server decide via standard negotiation instead of trying to force it.
For your sslc test, trying using the -tls1 switch to force tls instead of the defaults.
Thanks for the reply.
I have tried as suggested, I removed this from my code to allow it to use defaults - which I'll assume tries the better option:
oLib = ClientLibraryBuilder:Build()
:AddSslProtocol('TLSv1') /* suggest by KB */
:AddSslCipher('AES128-SHA') /* suggest by KB */
Just be sure I covered all the suggestions in the replies, I re-imported the cert using the following steps:
Got confirmation that the cert was imported and can see it in $DLC\certs
However, running the code again yielded the same error.
I then also ran SSLC again with the -tls1 switch and got a different result:
sslc s_client -connect ******.execute-api.eu-west-1.amazonaws.com:443 -tls1Loading 'screen' into random state - doneCONNECTED(000001C0)11648:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1289:SSL alert number 4011648:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:.\ssl\s3_pkt.c:626:---no peer certificate available---No client certificate CA names sent---SSL handshake has read 7 bytes and written 0 bytes---New, (NONE), Cipher is (NONE)Secure Renegotiation IS NOT supportedCompression: NONEExpansion: NONESSL-Session: Protocol : TLSv1 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1526444229 Timeout : 7200 (sec) Verify return code: 0 (ok)---
Any ideas or suggested would be greatly appreciated.