HTTPS Mutual Authentication

tpb1962

Hello,

We are currently using OpenEdge 10.2BSP3 ABL to consume an HTTPS web service. All good so far. We loaded the correct cert file using certutil and all OK.

The next thing is for the server to be able to authenticate the client. From everything I've been able to find, this is not available using the ABL.

Is that correct? It currently isn't available? If not, is it coming soon or is there another way to accomplish this?

Thanks in advance,
TPB.
 
That is correct.

The OpenEdge platform does not support the SSL client certificate during the SSL handshake. And, AFAIK, there won't be any support for it in the foreseeable future - at least that's the answer I got from Progress the other day.

The only way to work around that is to use third-party infrastructure - like STunnel. I did some tests with STunnel but did not achieve a satisfying solution. We needed to tweak STunnel to make it work at all - we must use the SSL client certificate that is stored on a personalized smart card which authenticates the user. The main problem was to ensure that STunnel is up and running when the user needs to present her/his certificate to some backend service.

Obviously this is a real killer when defending the existence of the OpenEdge platform in a hostile environment (hostile means the powers that be in the company I work for don't know the OpenEdge platform at all and neither do they like the usage of some "niche" technology that does not comply with their reference architecture).

Heavy Regards, RealHeavyDude.
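
For readers following the stunnel workaround mentioned in the reply above, a client-mode service definition looks roughly like this. It is an added example, not configuration from either poster; the host name, port and file paths are placeholders, and it assumes a file-based client certificate rather than the smart card described in the reply.

```ini
; stunnel.conf - constructed example, all names and paths are placeholders
[backend-mtls]
; client mode: stunnel originates the TLS connection to the backend
client = yes

; Plain-text listener for the ABL client. Bind to loopback only, because
; anything that can reach this port gets the client certificate's identity.
accept = 127.0.0.1:8443

; The real HTTPS endpoint that demands a client certificate
connect = backend.example.com:443

; Client certificate and private key presented during the TLS handshake.
; Keep the key file readable only by the account that runs stunnel.
cert = /etc/stunnel/client-cert.pem
key = /etc/stunnel/client-key.pem

; Still authenticate the server: verify its chain against the issuing CA
; and check that the certificate matches the host name we connect to.
CAfile = /etc/stunnel/backend-ca.pem
verifyChain = yes
checkHost = backend.example.com
```

With this in place the ABL side would call the service over plain HTTP at 127.0.0.1:8443, and stunnel performs the mutually authenticated handshake on its behalf. The availability concern raised in the reply still applies, since the call fails whenever the tunnel process is not running.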
 