Hi,
I am attempting to consume a REST web service on OE11.6 - Windows 10 (production to be Linux RedHat), hosted on amazonaws.com, but it fails to connect due to the following error:
Secure Socket Layer (SSL) failure. error code 29712: SSL routines (9318)
followed by:
Connection failure for host ********.execute-api.eu-west-1.amazonaws.com port 443 transport TCP. (9407)
I tried to find a solution by following some KB solutions without luck. The problem seems to be protocol and cipher difference - from what I understand.
The following is a very dumbed-down version of my program:
USING OpenEdge.Net.HTTP.*.
USING OpenEdge.Net.URI.
USING OpenEdge.Net.HTTP.Lib.ClientLibraryBuilder FROM PROPATH.
USING Progress.Json.ObjectModel.JsonObject.

DEFINE VARIABLE oClient        AS IHttpClient        NO-UNDO.
DEFINE VARIABLE oURI           AS URI                NO-UNDO.
DEFINE VARIABLE oRequest       AS IHttpRequest       NO-UNDO.
DEFINE VARIABLE oResponse      AS IHttpResponse      NO-UNDO.
DEFINE VARIABLE vlcRequestData AS LONGCHAR           NO-UNDO.
DEFINE VARIABLE oLib           AS IHttpClientLibrary NO-UNDO.
DEFINE VARIABLE oJsonParam     AS JsonObject         NO-UNDO.

/* Client library pinned to the protocol and cipher the KB article suggests */
oLib = ClientLibraryBuilder:Build()
           :AddSslProtocol('TLSv1')     /* suggested by KB */
           :AddSslCipher('AES128-SHA')  /* suggested by KB */
           :Library.

/* Build the client on that library, otherwise the SSL settings above are never used */
oClient = ClientBuilder:Build():UsingLibrary(oLib):Client.

oURI = NEW URI('https', '*****.execute-api.eu-west-1.amazonaws.com', 443). /* URL changed for security */
oURI:Path = 'uat?AuthKey=########&Limit=5'.

oRequest = RequestBuilder:Build('GET', oURI)
               :ContentType('application/json')
               :AcceptJson()
               :Request.

/* Execute once; the response object is filled in place */
oResponse = ResponseBuilder:Build():Response.
oClient:Execute(oRequest, oResponse).

MESSAGE STRING(oResponse:StatusCode) SKIP
        STRING(oResponse:StatusReason, "x(30)")
    VIEW-AS ALERT-BOX.

IF oResponse:StatusCode <> 200 THEN
    DISPLAY "Request Error " + STRING(oResponse:StatusCode).
ELSE
    CAST(oResponse:Entity, JsonObject):WriteFile('c:\temp\resp.json', TRUE).
I then did a simple C# program to do the same and that connected first time round. What do I need to do in OE to make this work?
Thanks in advance
Just as some additional info on this - I ran the sslc command as suggested by one of the KBs and this was the result (not sure if it helps someone understand why I am getting this issue):
sslc s_client -connect ******.execute-api.eu-west-1.amazonaws.com:443
With this result:
Loading 'screen' into random state - done
CONNECTED(000001C0)
236:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:.\ssl\s23_clnt.c:757:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 297 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
Brian Maher
Principal Engineer, Technical Support
Progress
14 Oak Park | Bedford, MA 01730 | USA
Just a guess, but it looks like you're trying to use a v2 or v3 hello message with amazon....which I doubt is allowing a v2 hello or an ssl v3 hello since they are both deprecated. Have you tried using TLSv1.2 instead of trying to force TLSv1?
Do you know that amazon allows AES128-SHA? Maybe try removing that and let the server decide via standard negotiation instead of trying to force it.
For your sslc test, try using the -tls1 switch to force TLS instead of the defaults.
https://documentation.progress.com/output/ua/OpenEdge_latest/index.html#page/gscsv/ssl-security.html
mattB
Also, AES128-SHA isn't a valid protocol name for TLSv1.2. Try "AES128-SHA256" instead.
List is here:
documentation.progress.com/.../index.html
Try using the full name from the list.
Hi Matt,
Thanks for the reply.
I have tried as suggested; I removed this from my code to allow it to use the defaults, which I'll assume try the better option:
oLib = ClientLibraryBuilder:Build()
           :AddSslProtocol('TLSv1')     /* suggested by KB */
           :AddSslCipher('AES128-SHA')  /* suggested by KB */
           :Library.
Just to be sure I covered all the suggestions in the replies, I re-imported the cert using the following steps:
Got confirmation that the cert was imported and can see it in $DLC\certs
However, running the code again yielded the same error.
I then also ran SSLC again with the -tls1 switch and got a different result:
sslc s_client -connect ******.execute-api.eu-west-1.amazonaws.com:443 -tls1
Loading 'screen' into random state - done
CONNECTED(000001C0)
11648:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1289:SSL alert number 40
11648:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:.\ssl\s3_pkt.c:626:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1526444229
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Any ideas or suggestions would be greatly appreciated.
Thanks
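Both sslc s_client captures in this thread (the default SSLv23 hello in the first post and the -tls1 run in the last) say the same thing in two different OpenSSL spellings: the server answered the ClientHello with a single handshake_failure alert (alert number 40) and nothing else. The script below is an added example, not code from this thread or from Progress; it parses sslc/openssl s_client output into a structured result and maps the alert to its RFC 5246 name, which is the check to run before changing any AddSslProtocol/AddSslCipher settings. The two sample captures are trimmed copies of the output posted above (Session-ID and similar empty fields dropped); the alert table and the regular expressions are the only other assumptions.

```python
import re

# TLS alert descriptions (RFC 5246 s.7.2, plus the TLS 1.3 values from RFC 8446)
# that a client most often meets.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 112: "unrecognized_name",
    120: "no_application_protocol",
}
ALERT_NUMBERS = {name: num for num, name in TLS_ALERTS.items()}

# <pid>:error:<hex>:SSL routines:<function>:<reason>:<file>:<line>:[extra]
ERROR_RE = re.compile(r"error:(?P<code>[0-9A-Fa-f]+):SSL routines:(?P<func>\w+):(?P<reason>[^:]+):")
# OpenSSL words a received alert as "sslv3 alert handshake failure", "tlsv1 alert unknown ca", ...
ALERT_REASON_RE = re.compile(r"^(?:sslv3|tlsv1\d?|tlsv13) alert (?P<desc>.+)$")
ALERT_NUMBER_RE = re.compile(r"SSL alert number (?P<num>\d+)")
BYTES_RE = re.compile(r"handshake has read (?P<r>\d+) bytes and written (?P<w>\d+) bytes")
SESSION_RE = re.compile(r"^\s*(?P<key>Protocol|Cipher)\s*:\s*(?P<val>\S*)\s*$")

# Constructed samples: trimmed copies of the two captures posted in the thread.
SSLV23_RUN = r"""Loading 'screen' into random state - done
CONNECTED(000001C0)
236:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:.\ssl\s23_clnt.c:757:
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 297 bytes
---
New, (NONE), Cipher is (NONE)
"""
TLS1_RUN = r"""Loading 'screen' into random state - done
CONNECTED(000001C0)
11648:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1289:SSL alert number 40
11648:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:.\ssl\s3_pkt.c:626:
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol : TLSv1
    Cipher : 0000
    Verify return code: 0 (ok)
"""


def parse_s_client(output: str) -> dict:
    """Extract the handshake outcome from openssl/sslc s_client output."""
    result = {
        "errors": [],          # (hex code, OpenSSL function, reason) per error line
        "alert_number": None,  # alert the peer sent, if any
        "alert_name": None,
        "protocol": None,      # SSL-Session "Protocol" field, if printed
        "cipher": None,        # SSL-Session "Cipher" field ("0000" = nothing agreed)
        "bytes_read": None,
        "bytes_written": None,
    }
    for line in output.splitlines():
        m = ERROR_RE.search(line)
        if m:
            reason = m["reason"].strip()
            result["errors"].append((m["code"], m["func"], reason))
            n = ALERT_NUMBER_RE.search(line)   # newer OpenSSL prints the number ...
            a = ALERT_REASON_RE.match(reason)  # ... older builds only the words
            if n:
                num = int(n["num"])
                result["alert_number"], result["alert_name"] = num, TLS_ALERTS.get(num, "unknown")
            elif a:
                name = a["desc"].replace(" ", "_")
                result["alert_number"], result["alert_name"] = ALERT_NUMBERS.get(name), name
            continue
        m = BYTES_RE.search(line)
        if m:
            result["bytes_read"], result["bytes_written"] = int(m["r"]), int(m["w"])
            continue
        m = SESSION_RE.match(line)
        if m:
            result[m["key"].lower()] = m["val"]
    return result


def diagnose(parsed: dict) -> str:
    """Client-side reading of a parsed run."""
    if parsed["alert_name"] == "handshake_failure":
        return ("peer sent handshake_failure (alert 40): none of the offered protocol versions / "
                "cipher suites were acceptable; widen the offer (e.g. allow TLSv1.2) instead of "
                "pinning one protocol and one cipher")
    if parsed["alert_name"]:
        return f"peer sent {parsed['alert_name']} (alert {parsed['alert_number']})"
    if parsed["errors"]:
        return "local handshake error without a peer alert: " + parsed["errors"][0][2]
    if parsed["cipher"] and parsed["cipher"] != "0000":
        return f"handshake completed: {parsed['protocol']} {parsed['cipher']}"
    return "no handshake outcome found in output"


if __name__ == "__main__":
    for label, run in (("sslv23 hello", SSLV23_RUN), ("-tls1", TLS1_RUN)):
        print(label, "->", diagnose(parse_s_client(run)))
```

"SSL handshake has read 7 bytes" in both captures is itself a tell: a 5-byte record header plus a 2-byte alert body is exactly one alert record, so the server sent no ServerHello at all. Once the client offers a protocol/cipher set the server accepts, the SSL-Session block shows a real protocol and cipher instead of TLSv1 / 0000, which is the point to compare against the OpenEdge client library settings.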