Consume a REST service on amazonaws.com - SSL Connection fai

Posted by Mark Davies on 15-May-2018 14:21

Hi,

I am attempting to consume a REST web service on OE11.6 - Windows 10 (production to be Linux RedHat), hosted on amazonaws.com, but it fails to connect due to the following error:

Secure Socket Layer (SSL) failure. error code 29712:  SSL routines (9318)

followed by:

Connection failure for host ********.execute-api.eu-west-1.amazonaws.com port 443 transport TCP. (9407)

I tried to find a solution by following some KB solutions without luck. The problem seems to be a protocol and cipher difference, from what I understand.

The following is a very dumbed-down version of my program:

USING OpenEdge.Net.HTTP.*.
USING OpenEdge.Net.URI.
USING OpenEdge.Net.HTTP.Lib.ClientLibraryBuilder FROM PROPATH.
USING Progress.Json.ObjectModel.JsonObject.

DEFINE VARIABLE oClient        AS IHttpClient        NO-UNDO.
DEFINE VARIABLE oURI           AS URI                NO-UNDO.
DEFINE VARIABLE oRequest       AS IHttpRequest       NO-UNDO.
DEFINE VARIABLE oResponse      AS IHttpResponse      NO-UNDO.
DEFINE VARIABLE vlcRequestData AS LONGCHAR           NO-UNDO.
DEFINE VARIABLE oLib           AS IHttpClientLibrary NO-UNDO.
DEFINE VARIABLE oJsonParam     AS JsonObject         NO-UNDO.

/* Client library carrying the SSL protocol and cipher the KB suggested */
oLib = ClientLibraryBuilder:Build()
    :AddSslProtocol('TLSv1')     /* suggested by KB */
    :AddSslCipher('AES128-SHA')  /* suggested by KB */
    :Library.

/* The library only applies if the client is built with it */
oClient = ClientBuilder:Build():UsingLibrary(oLib):Client.

oURI = NEW URI('https', '*****.execute-api.eu-west-1.amazonaws.com', 443). /* URL changed for security */
oURI:Path = 'uat?AuthKey=########&Limit=5'.

oRequest = RequestBuilder:Build('GET', oURI)
    :ContentType('application/json')
    :AcceptJson()
    :Request.

/* Execute once; the client returns the populated response */
oResponse = oClient:Execute(oRequest).

MESSAGE STRING(oResponse:StatusCode) SKIP
        STRING(oResponse:StatusReason, "x(30)")
    VIEW-AS ALERT-BOX.

IF oResponse:StatusCode <> 200 THEN
    DISPLAY "Request Error" + STRING(oResponse:StatusCode).
ELSE
    CAST(oResponse:Entity, JsonObject):WriteFile('c:\temp\resp.json', TRUE).


I then did a simple C# program to do the same and that connected first time round. What do I need to do in OE to make this work?

Thanks in advance

All Replies

Posted by Mark Davies on 15-May-2018 14:25

Just as some additional info on this - I ran the sslc command as suggested by one of the KBs and this was the result (not sure if it helps someone understand why I am getting this issue):

sslc s_client -connect ******.execute-api.eu-west-1.amazonaws.com:443

With this result:

Loading 'screen' into random state - done
CONNECTED(000001C0)
236:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:.\ssl\s23_clnt.c:757:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 297 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Posted by Brian K. Maher on 15-May-2018 14:28

Did you import the certs the site uses into $DLC/certs directory using certutil command?
Brian Maher
Principal Engineer, Technical Support
Progress

Posted by Matt Baker on 15-May-2018 14:42

Just a guess, but it looks like you're trying to use a v2 or v3 hello message with amazon... which I doubt is allowing a v2 hello or an ssl v3 hello since they are both deprecated. Have you tried using TLSv1.2 instead of trying to force TLSv1?

Do you know that amazon allows AES128-SHA?  Maybe try removing that and let the server decide via standard negotiation instead of trying to force it.

For your sslc test, try using the -tls1 switch to force tls instead of the defaults.

https://documentation.progress.com/output/ua/OpenEdge_latest/index.html#page/gscsv/ssl-security.html

mattB

Posted by Matt Baker on 15-May-2018 14:45

Also, AES128-SHA isn't a valid protocol name for TLSv1.2.  Try "AES128-SHA256" instead.

List is here:

documentation.progress.com/.../index.html

Try using the full name from the list.

Posted by Mark Davies on 15-May-2018 23:48

Hi Matt,

Thanks for the reply.

I have tried as suggested: I removed this from my code to allow it to use the defaults, which I'll assume tries the better option:

oLib = ClientLibraryBuilder:Build()
    :AddSslProtocol('TLSv1')     /* suggested by KB */
    :AddSslCipher('AES128-SHA')  /* suggested by KB */
    :Library.

Just to be sure I covered all the suggestions in the replies, I re-imported the cert using the following steps:

  1. Downloaded the base64-encoded X.509 .cer file from the site and saved it
  2. Renamed the saved .cer file to .pem
  3. Ran mkhashfile sitecert.pem
  4. Ran certutil -format PEM -import sitecert.pem

Got confirmation that the cert was imported and can see it in $DLC\certs

However, running the code again yielded the same error. 

I then also ran SSLC again with the -tls1 switch and got a different result:

sslc s_client -connect ******.execute-api.eu-west-1.amazonaws.com:443 -tls1
Loading 'screen' into random state - done
CONNECTED(000001C0)
11648:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1289:SSL alert number 40
11648:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:.\ssl\s3_pkt.c:626:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1526444229
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---

Any ideas or suggestions would be greatly appreciated.

Thanks
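A diagnostic added here (not from the thread or from Progress) that classifies an s_client transcript like the two above by alert number, negotiated protocol and cipher, and probes a host for each TLS version with and without SNI so the failing combination can be isolated. It assumes the openssl command is on PATH; OpenEdge's sslc prints the same s_client output format, so a saved sslc transcript can be piped in as well.

```shell
#!/bin/sh
# Added diagnostic, not part of the thread: classify an s_client transcript and
# probe a host for each TLS version with and without SNI. Assumes the openssl
# binary is on PATH; OpenEdge's sslc prints the same s_client output format.

# classify_handshake: reads an s_client transcript on stdin and prints one line:
#   "OK proto=<version> cipher=<suite>"  when a cipher was negotiated
#   "FAIL alert=<n> proto=<version>"     when the server sent a TLS alert
#   "FAIL proto=<version>"               for any other failed handshake
classify_handshake() {
    out=$(cat)
    alert=$(printf '%s\n' "$out" | sed -n 's/.*SSL alert number \([0-9][0-9]*\).*/\1/p' | head -n 1)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *\(.*\)$/\1/p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^New, .*, Cipher is \(.*\)$/\1/p' | head -n 1)
    case "$cipher" in
        ''|'(NONE)')
            if [ -n "$alert" ]; then
                printf 'FAIL alert=%s proto=%s\n' "$alert" "${proto:-unknown}"
            else
                printf 'FAIL proto=%s\n' "${proto:-unknown}"
            fi ;;
        *)
            printf 'OK proto=%s cipher=%s\n' "$proto" "$cipher" ;;
    esac
}

# probe_host: repeats the s_client handshake for TLS 1.0, 1.1 and 1.2, each
# once without and once with SNI (-servername), and prints one classified
# line per attempt so the failing combination stands out. Needs network access.
probe_host() {
    host=$1
    port=${2:-443}
    for ver in -tls1 -tls1_1 -tls1_2; do
        for sni in '' "-servername $host"; do
            result=$(openssl s_client -connect "$host:$port" $ver $sni </dev/null 2>&1 | classify_handshake)
            printf '%-8s %-45s %s\n' "$ver" "${sni:-no-SNI}" "$result"
        done
    done
}

# Usage (hostname is a placeholder): probe_host api.example.com 443
```

A combination that reports OK shows which protocol and cipher the server accepts and whether it needs SNI; the one that still reports alert 40 is the client configuration to change.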

This thread is closed