Article

Error accessing an AppServer broker with SSL enabled

Information

Article Number: 000093515
Environment:
Product: OpenEdge
Version: 11.6.3
OS: UNIX
Other: SSL
Question/Problem Description
When connecting from an ABL procedure to an AppServer on which SSL has been enabled, an error is thrown. The code used to test the connection is shown below:
 
DEFINE VARIABLE hServer AS HANDLE NO-UNDO.

CREATE SERVER hServer.
hServer:CONNECT('-AppService asbroker1 -H <server-ip> ') NO-ERROR.

MESSAGE hServer:CONNECTED()
VIEW-AS ALERT-BOX.

DELETE OBJECT hServer NO-ERROR.

 
Steps to Reproduce
Try to CONNECT to the AppServer from ABL.
It is only reproducible at the customer's site; the AppServer is not reachable from outside.
Clarifying Information
- The AppServer worked before SSL was enabled.
- A self-signed certificate was created and imported following the steps in Article 000027719, Steps to create a self signed SSL certificate from scratch on unix or linux.
- With SSL debugging enabled, the broker loads several certificates and reports the following error:
                 java.security.InvalidKeyException: Illegal key size. (8080)


- The following sslc commands report errors:
1. sslc s_client -connect <server>:<port> 
Loading 'screen' into random state - done 
CONNECTED(0000014C) 
21472:error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter:.\ssl\s23_clnt.c:757: 
--- 
no peer certificate available 
--- 
No client certificate CA names sent 
--- 
SSL handshake has read 7 bytes and written 297 bytes 
--- 
New, (NONE), Cipher is (NONE) 
Secure Renegotiation IS NOT supported 
Compression: NONE 
Expansion: NONE 

2. sslc s_client -connect <server>:<port> -tls1_2 
Loading 'screen' into random state - done 
CONNECTED(00000150) 
27652:error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter: .\ssl\s3_pkt.c:1289:SSL alert number 47 
27652:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:.\ssl\s 
3_pkt.c:626: 
--- 
no peer certificate available 
--- 
No client certificate CA names sent 
--- 
SSL handshake has read 7 bytes and written 0 bytes 
--- 
New, (NONE), Cipher is (NONE) 
Secure Renegotiation IS NOT supported 
Compression: NONE 
Expansion: NONE 
SSL-Session: 
Protocol : TLSv1.2 
Cipher : 0000 
Session-ID: 
Session-ID-ctx: 
Master-Key: 
Key-Arg : None 
PSK identity: None 
PSK identity hint: None 
SRP username: None 
Start Time: 1544728249 
Timeout : 7200 (sec) 
Verify return code: 0 (ok) 

3. sslc s_client -showcerts -servername <server> -connect <server>:<port> 2>/dev/null | \ 

Loading 'screen' into random state - done 
CONNECTED(0000014C) 
30372:error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter:.\ssl\s23_clnt.c:757: 
--- 
no peer certificate available 
--- 
No client certificate CA names sent 
--- 
SSL handshake has read 7 bytes and written 316 bytes 
--- 
New, (NONE), Cipher is (NONE) 
Secure Renegotiation IS NOT supported 
Compression: NONE 
Expansion: NONE 

4. sslc s_client -connect <server>:<port> -ssl3
Loading 'screen' into random state - done 
CONNECTED(0000014C) 
30928:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\ssl\s3_ 
pkt.c:348: 
--- 
no peer certificate available 
--- 
No client certificate CA names sent 
--- 
SSL handshake has read 5 bytes and written 7 bytes 
--- 
New, (NONE), Cipher is (NONE) 
Secure Renegotiation IS NOT supported 
Compression: NONE 
Expansion: NONE 
SSL-Session: 
Protocol : SSLv3 
Cipher : 0000 
Session-ID: 
Session-ID-ctx: 
Master-Key: 
Key-Arg : None 
PSK identity: None 
PSK identity hint: None 
SRP username: None 
Start Time: 1545054031 
Timeout : 7200 (sec) 
Verify return code: 0 (ok) 
 
Error Message
Secure Socket Layer (SSL) failure. error code 17464: SSL routine (9318)
Connection failure for host <host> port <port> transport TCP. (9407)
Defect/Enhancement Number
Cause
The ciphers used by the client. Error 9318 is not very clear; it points to a mismatch between the ciphers the client offers and those the server accepts. The CONNECT method is missing the parameters that indicate an SSL connection and, if needed, adjust the protocols and ciphers.
 
Resolution
1. Modify CONNECT Method as follows:

hServer:CONNECT('-AppService asbroker1 -H <host> -S <port> -ssl -sslprotocols TLSv1.2 -sslciphers ADH-AES128-GCM-SHA256').

** The -sslciphers value might differ depending on the configuration of the server being accessed and the ciphers required to communicate.

2. Adjust the cipher and protocol to be used by adding -sslprotocols and -sslciphers to the statement.

** For Unix/Linux users, the attached shell script helps identify valid cipher(s) to use for the communication. To run the script:

- Download the file attached to the article and run it, indicating the server and port on which the AppServer is running, for example:

./test_ciphers.sh localhost:3090

** Give it execute permissions first: chmod 755 test_ciphers.sh

The script tests every cipher and prints a message like the one below when the cipher can be used:

Testing ADH-AES128-GCM-SHA256...YES

The list may be longer and include messages such as: NO (sslv3 alert illegal parameter). That means the cipher cannot be used.
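The following script is an added example of the cipher probe described above; it is not the article's attached test_ciphers.sh. It assumes an OpenSSL-compatible s_client on PATH (openssl by default, sslc on an OpenEdge install via SSL_CMD) and classifies each handshake transcript into the same YES / NO (<alert text>) lines the article shows.

```shell
#!/bin/sh
# Added example, not the article's attached test_ciphers.sh: try every cipher the
# local OpenSSL knows against HOST:PORT and print YES / NO (<alert text>) per
# cipher, in the same format the article describes.
# Assumes an OpenSSL-compatible s_client on PATH; set SSL_CMD=sslc on OpenEdge.
SSL_CMD=${SSL_CMD:-openssl}

# Reduce one captured s_client transcript to "YES" or "NO (<reason>)".
# A completed handshake prints "Cipher is <name>"; a failed one prints
# "Cipher is (NONE)" and/or an ":error:" line carrying the alert text.
classify_handshake() {
    case "$1" in
        *"Cipher is (NONE)"*|*":error:"*)
            # Pull the alert text out of "SSL routines:<function>:<reason>:".
            reason=$(printf '%s\n' "$1" \
                | sed -n 's/.*SSL routines:[^:]*:\([^:]*\):.*/\1/p' | head -n 1)
            if [ -n "$reason" ]; then
                printf 'NO (%s)\n' "$reason"
            else
                printf 'NO\n'
            fi
            ;;
        *"Cipher is "*)
            printf 'YES\n'
            ;;
        *)
            printf 'NO\n'
            ;;
    esac
}

# Enumerate the client's cipher list and test each one against the broker.
test_ciphers() {
    target=$1   # host:port, e.g. localhost:3090
    for c in $("$SSL_CMD" ciphers 'ALL:COMPLEMENTOFALL' | tr ':' ' '); do
        # Empty stdin makes s_client exit as soon as the handshake settles.
        out=$(printf '' | "$SSL_CMD" s_client -connect "$target" -cipher "$c" 2>&1)
        printf 'Testing %s...%s\n' "$c" "$(classify_handshake "$out")"
    done
}

# Usage: ./test_ciphers.sh <host>:<port>
if [ $# -eq 1 ]; then
    test_ciphers "$1"
fi
```

A YES only means the broker will negotiate that suite; ADH suites are anonymous Diffie-Hellman, which does not authenticate the server, so the list tells you what is negotiable, not which suite is appropriate.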


 
Workaround
Notes
Last Modified Date1/7/2019 10:38 PM

