I'm trying to connect to the Google Apps API using SSL.
I can establish a connection to www.google.com on port 443 with an ABL socket, using -ssl, post some data and get my AuthToken back, so I know that part is working.
However, I then need to connect to another host on apps-apis.google.com using port 443. When I try to connect this time, I get a 9318 error, with the message
"c Secure Socket Layer (SSL) failure. error code -54: unable to get
local issuer certificate for 594f1775.0 in C:\Progress\Openedge\certs (9318)"
This error message gives me
Secure Socket Layer (SSL) failure. error code <err_number>: <ssl_error_message> (9318)
An error occurred processing an SSL API request. This could be a general TCP network
error or an error processing the validation of the digital certificate.
What am I doing wrong here?
TIA
Julian
Message was edited by: Julian Lyndon-Smith : formatted nicely
P123529 looks like it may be a solution to my problem, but which certificate do I need to export?
Urg, seems as if it is a problem with the ABL sockets, as a curl version works just fine.
Anyone from Progress got any clues?
Julian,
I suppose you didn't import a corresponding certificate before connecting with the use of SSL. PROGRESS supports its own certificate storage - $DLC/certs, and in order to import a certificate there you should use the '$DLC/mkhashfile' command.
HTH
Hmm, my question is where do I get the certificate from? It works OK with curl.
Julian
On 19 February 2010 10:58, Sergey Klimov
Well, Julian, the first thing you can do is generate it using $DLC/bin/sslc. Then you'll have to import it on both ends of your connection.
HTH
Unfortunately, the error message isn't very helpful. In fact, it is not useful at all. It means that the OE certificate store doesn't have a certificate for the issuer of the cert presented by the Google site, so the Google cert cannot be validated.
curl has a certificate store that gets put somewhere when you install it and it has the one you need.
The certificate store that comes with OpenEdge has only about half a dozen certificates in it. The one you need is apparently not one of those.
What you might try is the following:
Connect to the site with Firefox or some other browser. Then examine the certificate to see who issued it. Then find that certificate in Firefox's certificate store: Preferences/Advanced/Encryption, click on View Certificates. When you find the one you want, export it and then load it into the OpenEdge certificate store.
Alternatively, maybe curl with the right verbose options turned on will tell you who issued the google certificate.
One other thing I should add:
There is a tool in the dlc directory that can tell you about the certificate chain for the server you are trying to connect with.
Do this:
$DLC/bin/sslc s_client -connect hostname:port -showcerts -CApath $DLC/certs
-gus
It was the certificates. I think that OpenEdge is missing the GeoTrust certificate. I've attached the .pem file for this. The chicken-bones, run around naked chanting "DLC DLC DLC" dance you then need to perform is
mkhashfile geotrust.pem
Thanks Gus
Glad you got it going.
The OpenEdge certificate store does not contain all of the issuer certificates you will see in Firefox for example. In my Firefox, there are lots of certificates from companies I never heard of and some from countries I never heard of. I have one from NetLock Kozjegyzoi (Class A) Tanusitvanykiado. Why would I trust them?
We made the decision to include only a few because their presence implies you trust certificates issued by them. You will have to add others yourself. When you use OpenEdge SSL connections, OpenEdge will trust the ones issued by the issuers in the certificate store.
Unfortunately, the documentation does not discuss this and it should.
Hello!
I'm facing the same error as Julian had, but even after importing the certificate I'm still getting the same error message:
"...54: unable to get local issuer certificate: for dd54b6d5.0 in C:\Progress\OpenEdge\certs (9318)"
This is what I'm trying to do:
CREATE SERVER hWebService.
hWebService:CONNECT("-WSDL '" + cWSDL + "'").
Using certutil -list, it's possible to see the certificate there, but it has a different alias name (05b3220c).
Seems that Progress doesn't recognize it....
Could you help me please?
Thanks!
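
Both reports in this thread quote message 9318 naming an entry in the certificate store. The following is an added example, not part of the thread and not OpenEdge code: a Python check that extracts the entry name and store path from the message and compares them with what the store directory holds. The function names are hypothetical, the store contents in `demo()` are constructed, and it assumes store entries are files named `<alias>.0` in the directory the message names.

```python
import re
import tempfile
from pathlib import Path

# Message 9318 as quoted in the thread; tolerates the optional colon after
# "certificate" and the missing space after "in" seen in the second report.
ERR_9318 = re.compile(
    r"unable to get local issuer certificate:?\s+for\s+"
    r"(?P<entry>[0-9a-f]{8}\.\d+)\s+in\s*(?P<store>.+?)\s*\(9318\)",
    re.IGNORECASE,
)
ENTRY_NAME = re.compile(r"[0-9a-f]{8}\.\d+", re.IGNORECASE)


def parse_9318(message):
    """Return (entry, store_dir) named in the error text, or None."""
    m = ERR_9318.search(" ".join(message.split()))  # undo line wrapping
    return (m.group("entry").lower(), m.group("store")) if m else None


def store_aliases(store_dir):
    """Aliases in the store. Assumption: entries are files named <alias>.<n>."""
    return sorted({p.name.split(".")[0].lower()
                   for p in Path(store_dir).iterdir()
                   if p.is_file() and ENTRY_NAME.fullmatch(p.name)})


def diagnose(message, store_dir=None):
    """Report whether the issuer entry the client looked up is in the store."""
    parsed = parse_9318(message)
    if parsed is None:
        return {"status": "not-9318"}
    entry, store = parsed
    aliases = store_aliases(store_dir or store)
    status = "present" if entry.split(".")[0] in aliases else "missing"
    return {"status": status, "wanted": entry, "store": store, "aliases": aliases}


def demo():
    """Constructed store holding only the alias reported by certutil -list."""
    msg = ('"...54: unable to get local issuer certificate: for dd54b6d5.0 '
           'inC:\\Progress\\OpenEdge\\certs (9318)"')
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "05b3220c.0").write_text("constructed placeholder\n")
        return diagnose(msg, store_dir=tmp)


if __name__ == "__main__":
    print(demo())
```

A `missing` result alongside a non-empty alias list shows that the entry the client looked up is not among the ones that were imported.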