Question OpenEdge HTTP client - Supported ciphers.

Cecil

19+ years progress programming and still learning.
OE 11.7.18 64bit
OS Windows10

Hi all,

I access a REST API and the service provider is narrowing down the list of ciphers that it's going to support.

They are only going to allow TLS 1.2 & 1.3 and the following ciphers.

OpenSSL Cipher Name
TLS13-AES-256-GCM-SHA384
TLS13-AES-128-GCM-SHA256
TLS13-CHACHA20-POLY1305-SHA256
ECDH-ECDSA-AES256-GCM-SHA384
ECDH-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-CHACHA20-POLY1305

How can I be sure that the OpenEdge HTTP Client will work with the ciphers listed above?
 

Stefan

Well-Known Member
TLS 1.3 will not work with 11.7.
I think you have two typos in your remaining ciphers:

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256

11.7.17 uses OpenSSL 1.1.1q - not sure about 11.7.18. In proenv:

Code:
sslc version

You will need to force the Progress client to use these ciphers; the easiest way is to use environment variables:

Code:
set psc_sslclient_protocols=TLSv1.2
set psc_sslclient_ciphers=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256
 

Cecil

19+ years progress programming and still learning.
Funny. I too queried about the missing E, and apparently the ciphers are correct: "ECDH-ECDSA-AES256-GCM-SHA384" & "ECDH-ECDSA-AES128-GCM-SHA256".

Here is a table mapping OpenSSL cipher suite names to IANA names of ciphers, and "ECDH-ECDSA-AES256-GCM-SHA384" is number [0xc02e].

Code:
proenv>sslc version
OpenSSL 1.1.1t  7 Feb 2023

How do I know what TLS version & cipher was being used during the TLS handshake?

This is my test bed code:

Code:
/*------------------------------------------------------------------------
    File        : TLSConnect.p
    Purpose     :

    Syntax      :

    Description :

    Author(s)   : James Bowen
    Created     : Wed Nov 22 16:28:37 NZDT 2023
    Notes       :
  ----------------------------------------------------------------------*/

/* ***************************  Definitions  ************************** */

block-level on error undo, throw.

/* ********************  Preprocessor Definitions  ******************** */


/* ***************************  Main Block  *************************** */
using OpenEdge.Net.HTTP.IHttpRequest.
using OpenEdge.Net.HTTP.IHttpResponse.
using OpenEdge.Net.HTTP.ClientBuilder.
using OpenEdge.Net.HTTP.RequestBuilder.
using OpenEdge.Net.HTTP.IHttpClientLibrary.
using OpenEdge.Net.HTTP.Lib.ClientLibraryBuilder from propath.

define variable oRequest        as IHttpRequest       no-undo.
define variable oResponse       as IHttpResponse      no-undo.
define variable oLib            as IHttpClientLibrary no-undo.

/* protocols offered to the server, in order of preference */
define variable cSSLProtocols   as character          extent 2 no-undo.
/* indeterminate array; sized below from the comma-separated allow-list */
define variable cCiphers        as character          extent no-undo.
define variable cAllowedCiphers as character          no-undo.

define variable inArrayIndex    as integer            no-undo.

assign
    cSSLProtocols[1] = "TLSv1.3":U
    cSSLProtocols[2] = "TLSv1.2":U.

assign
    //cAllowedCiphers = "TLS13-AES-256-GCM-SHA384, TLS13-AES-128-GCM-SHA256, TLS13-CHACHA20-POLY1305-SHA256, ECDH-ECDSA-AES256-GCM-SHA384, ECDH-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-CHACHA20-POLY1305"
    //cAllowedCiphers = "ECDH-ECDSA-AES256-GCM-SHA384, ECDH-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-CHACHA20-POLY1305"
    cAllowedCiphers = "ECDH-ECDSA-AES256-GCM-SHA384, ECDH-ECDSA-AES128-GCM-SHA256":U
    .

/* split the allow-list into the array the client library expects */
extent(cCiphers) = num-entries(cAllowedCiphers).

do inArrayIndex = 1 to extent(cCiphers):
    cCiphers[inArrayIndex] = trim( entry(inArrayIndex, cAllowedCiphers ) ).
end.

oRequest = RequestBuilder:Get('https://services.ird.govt.nz/gateway2/gws/returns/?WSDL'):Request.

/* restrict the socket library to the configured ciphers and protocols */
oLib = ClientLibraryBuilder:Build()
            :SetSslCiphers(cCiphers)
            :SetSSLProtocols(cSSLProtocols)
            :Library.

oResponse = ClientBuilder:Build()
                :UsingLibrary(oLib)
                :Client
                :Execute(oRequest).

message
    substitute("&1 &2",oResponse:StatusCode, oResponse:StatusReason) skip
    oResponse:GetHeader("content-length":U) skip
    oResponse:GetHeader("content-type":U) skip
    oResponse:GetHeader("Date":U) skip
    view-as alert-box info.

finally:

    if valid-object(oResponse) then
        delete object oResponse.
    if valid-object(oRequest) then
        delete object oRequest.

end finally.
 

Stefan

Well-Known Member
I used the OpenSSL manual.

As to which ciphers are actually used when you allow two, I'm not sure if this shows up with logging-level 5.
Maybe this will show in Fiddler.
 

peterjudge

Member
As to which ciphers are actually used when you allow two, I'm not sure if this shows up with logging-level 5.
Maybe this will show in Fiddler.

Sadly, this info is not available from the AVM. You have to use an env var ... Progress Customer Community has info on SSL debugging. This will tell you the actual cipher and protocol used.

Logging-level 5 will tell you what the HTTP client is trying to use (i.e. passed to the CONNECT statement).
 

Cecil

19+ years progress programming and still learning.
Can someone please help me understand why the cipher "ECDHE-ECDSA-CHACHA20-POLY1305" is a "Bad Algorithm" but is listed as one of the available ciphers.


sslc ciphers -s
 

Cecil

19+ years progress programming and still learning.
I used the OpenSSL manual.

As to which ciphers are actually used when you allow two, I'm not sure if this shows up with logging-level 5.
Maybe this will show in Fiddler.
To my surprise, the cert.client.log file showed that the OE HTTP Client did in fact connect using TLS 1.3.

Code:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID:
    Session-ID-ctx:
    Resumption PSK:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1700723213
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
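As an added example (not code from this thread, from Progress or from the provider), the Python script below does the checks the thread circles around: it maps the provider's OpenSSL cipher names to the IANA spelling that a TLS 1.3 session log prints, flags the non-ephemeral ECDH- suites and the TLS 1.3 names that do not belong in a TLS 1.2 cipher list, asks the local OpenSSL (Python's ssl module standing in for sslc) whether it accepts each name, and checks an SSL-Session excerpt against the allow-list. The log excerpt is constructed from the lines quoted in the post above.

```python
import re
import ssl

# Provider allow-list from the thread, in OpenSSL notation.
ALLOWED = [
    "TLS13-AES-256-GCM-SHA384", "TLS13-AES-128-GCM-SHA256",
    "TLS13-CHACHA20-POLY1305-SHA256", "ECDH-ECDSA-AES256-GCM-SHA384",
    "ECDH-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305",
]
# Constructed SSL-Session excerpt, modelled on the cert.client.log lines in the post.
SESSION_LOG = "SSL-Session:\n    Protocol  : TLSv1.3\n    Cipher    : TLS_AES_128_GCM_SHA256\n"

def to_iana(name):
    """OpenSSL -> IANA spelling, e.g. TLS13-AES-128-GCM-SHA256 -> TLS_AES_128_GCM_SHA256,
    ECDH-ECDSA-AES256-GCM-SHA384 -> TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xC02E)."""
    if name.startswith("TLS13-"):
        return "TLS_" + name[len("TLS13-"):].replace("-", "_")
    kx_auth, _, rest = name.partition("-ECDSA-")   # kx_auth: ECDH (static) or ECDHE
    if not rest:
        return None                                # not a family this helper knows
    if rest == "CHACHA20-POLY1305":                # OpenSSL omits the implied SHA256
        rest += "-SHA256"
    rest = re.sub(r"AES(\d+)", r"AES-\1", rest)    # AES256 -> AES-256
    return "TLS_%s_ECDSA_WITH_%s" % (kx_auth, rest.replace("-", "_"))

def local_supports(name):
    """Does the local OpenSSL (Python's ssl, standing in for sslc) accept the name in a
    TLS 1.2 cipher list? TLS 1.3 suites are configured separately, so they fail here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(name)
    except ssl.SSLError:
        return False
    return any(c["name"] == name for c in ctx.get_ciphers())

def classify(name):
    # Facts to check before a name goes into psc_sslclient_ciphers; ECDH- without
    # the E is static ECDH, whose key exchange has no forward secrecy.
    return {"name": name, "iana": to_iana(name), "tls13": name.startswith("TLS13-"),
            "forward_secrecy": name.startswith(("TLS13-", "ECDHE-")),
            "in_local_tls12_list": local_supports(name)}

def check_session(log_text, allowed=ALLOWED):
    """Extract Protocol/Cipher from an SSL-Session dump and test them against the
    allow-list. TLS 1.3 dumps print IANA names, TLS 1.2 dumps OpenSSL names: accept both."""
    fields = dict(re.findall(r"^\s*(Protocol|Cipher)\s*:\s*(\S+)", log_text, re.M))
    names = set(allowed) | {to_iana(n) for n in allowed}
    proto, cipher = fields.get("Protocol"), fields.get("Cipher")
    return {"protocol": proto, "cipher": cipher,
            "allowed": proto in ("TLSv1.2", "TLSv1.3") and cipher in names}
```

Run `classify(n)` over `ALLOWED` and `check_session(SESSION_LOG)` to see the per-suite verdicts; the logged TLS_AES_128_GCM_SHA256 session is the IANA spelling of the provider's TLS13-AES-128-GCM-SHA256 entry.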
 