Article

Unknown SSL error connecting HTTP client to third party API Service

Information

Article Number: 000093774
Environment
Product: OpenEdge
Version: 11.7
OS: All supported platforms
Question/Problem Description
Connecting to a 3rd party API service with the HTTP Client fails with error:
Secure Socket Layer (SSL) failure. error code 0: Unknown SSL error (9318)
Steps to Reproduce
Clarifying Information
Verifying the connection using the sslc command shows the following (truncated) output:
PROENV>sslc s_client -connect <domain>:443 -state -nbio

CONNECTED(00000144) 
Turned on non blocking io 
write R BLOCK 
read R BLOCK 
--- 
Certificate chain 
...
--- 
Server certificate 
-----BEGIN CERTIFICATE----- 

-----END CERTIFICATE----- 
subject=...
issuer=...
--- 
No client certificate CA names sent 
Peer signing digest: SHA256 
Server Temp Key: ECDH, P-256, 256 bits 
--- 
SSL handshake has read 2916 bytes and written 302 bytes 
Verification error: unable to get local issuer certificate 
--- 
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 
Server public key is 2048 bit 
Secure Renegotiation IS supported 
Compression: NONE 
Expansion: NONE 
No ALPN negotiated 
SSL-Session: 
Protocol : TLSv1.2 
Cipher : ECDHE-RSA-AES256-GCM-SHA384 
...
...
Timeout : 7200 (sec) 
Verify return code: 20 (unable to get local issuer certificate) 
Extended master secret: no
Error Message
Secure Socket Layer (SSL) failure. error code 0: Unknown SSL error (9318)
Connection failure for host <domain> port 443 transport TCP. (9407)
Defect/Enhancement Number
Cause
The HTTP Client session is using the wrong SSL protocol and/or cipher.

The 3rd party API requires the following session parameters (see the sslc output above):
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384

The ABL client normally offers a default list of ciphers, which contains DHE-RSA-AES256-GCM-SHA384.
This list can be seen in the cert.client.log when SSL debugging is enabled (article 000011391).

The cipher required by the 3rd party API service differs only by the leading "EC" (ECDHE, an elliptic-curve key exchange, instead of DHE), so it is not in the client's default list and the handshake fails.
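As an added check that is not part of the original article, the POSIX shell snippet below pulls the negotiated protocol and cipher out of saved sslc s_client output and tests whether that cipher appears in the client's cipher list as logged in cert.client.log; both the sslc output and the client list are constructed samples, and the colon-separated list format is an assumption.

```shell
#!/bin/sh
# Constructed sample of the relevant lines from `sslc s_client -connect <domain>:443`
SAMPLE_SSLC='SSL handshake has read 2916 bytes and written 302 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 20 (unable to get local issuer certificate)'

# Constructed sample of the client's default cipher list (assumed colon-separated, as in cert.client.log)
SAMPLE_CLIENT_CIPHERS='DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:AES256-SHA'

# Print the cipher the server selected, reading s_client output from stdin
negotiated_cipher() {
    sed -n 's/^New, [^,]*, Cipher is \([^ ]*\).*$/\1/p' | head -n 1
}

# Print the protocol the server selected, reading s_client output from stdin
negotiated_protocol() {
    sed -n 's/^New, \([^,]*\), Cipher is .*$/\1/p' | head -n 1
}

# Return 0 if cipher $1 appears in the colon-separated list $2, 1 otherwise
cipher_in_list() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Compare the server's chosen cipher ($1 = s_client output) with the client list ($2).
# Prints "match" and returns 0, or prints the mismatch and returns 1.
diagnose() {
    _cipher=$(printf '%s\n' "$1" | negotiated_cipher)
    if cipher_in_list "$_cipher" "$2"; then
        echo "match"
        return 0
    fi
    echo "mismatch: server selected $_cipher, client list does not contain it"
    return 1
}

# The situation in this article: the ECDHE cipher is missing from the default list
diagnose "$SAMPLE_SSLC" "$SAMPLE_CLIENT_CIPHERS" || :
# After adding the cipher to the list (what the Resolution does via SetSslCiphers)
diagnose "$SAMPLE_SSLC" "$SAMPLE_CLIENT_CIPHERS:ECDHE-RSA-AES256-GCM-SHA384"
```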
Resolution
Add the cipher to the code before running the request (article 000070614):

USING OpenEdge.Net.HTTP.*.
USING OpenEdge.Net.HTTP.Lib.*.

DEFINE VARIABLE cCiphers AS CHARACTER NO-UNDO
    EXTENT 1 INITIAL ["ECDHE-RSA-AES256-GCM-SHA384"].
DEFINE VARIABLE oLib     AS IHttpClientLibrary NO-UNDO.
DEFINE VARIABLE oClient  AS IHttpClient        NO-UNDO.

/* Restrict the session to the cipher the API offers (see the sslc output) */
oLib = ClientLibraryBuilder
    :Build()
    :SetSslCiphers(cCiphers)
    :Library.

/* Build the HTTP client on that library; send the request through oClient */
oClient = ClientBuilder:Build():UsingLibrary(oLib):Client.
Workaround
Notes
Reference to other documentation:
Article 000011391: How to enable SSL debugging in OpenEdge?
Article 000070614: How to set SSL Protocols and Ciphers to use in the HTTP client?
Attachment
Last Modified Date: 1/11/2019 1:58 PM