Brian K. Maher
Guest
David, I'm not certain if the "server" is just a socket connection or a web service connection, but let's start from the top...

1) For the server you are trying to connect to, what SSL protocols does it accept for the connect process? This would be one or more of SSLv3, TLSv1, TLSv1.1 and TLSv1.2. This is important information to understand because we send the SSL "hello" message in whatever format you tell us to use. If you don't specify anything we use the default, which pre-11.6 would be SSLv3 and for 11.6 would be TLSv1.2. If both sides are not using the same protocol for this "hello" exchange then you aren't going to get anywhere (i.e. it would be like two blind people trying to communicate when one speaks Urdu and the other one speaks Latin; just not going to happen). Search Google using "site:knowledgebase.progress.com skipjack" and use the article which will come back to help you determine the protocols that are acceptable for the "hello" process. The curl command is not part of Windows, but I think you can download it (search Google), or if you have access to a Unix/Linux box you can run the command from there.

2) Once you get the "hello" stuff resolved, we then need to know what SSL protocols the server side allows for the post-connect communication. The options are the same as in #1. We need to know this so that you can specify what values we will support, so that the negotiation between us and the server can come up with a mutually acceptable protocol to use. If we cannot find one that both sides support then we will fail. Note that when negotiating what protocol to use we go from most secure to least secure.

3) You need to ask whoever controls the server side for ALL of the certificates required to connect (there can be many... I have seen up to 11 of them needed for some services). Every required certificate MUST be imported into our certificate store (i.e. the %DLC%\certs directory, using the certutil -import command from the proenv command line).

4) Find out if the server requires client-side certificate support. If so, for web services there are some special parameters you need to use in the CONNECT() method. See the documentation for details. For a socket connection I believe you are out of luck, but I am not 100% certain of that and need to do some checking. If this is a web service and requires the client-side certificate then the certificate goes into %DLC%\keys (I think) and not %DLC%\certs.

5) If you have not tried using the -nohostverify parameter in the CONNECT() method, do so.

The above is all I have to suggest for now. Let me know the results, point by point, along with your code and we can move forward from there.

Brian
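As an added example (not Brian's code and not part of the Progress product) for points 1 and 2 above, a small Python probe that attempts a handshake pinned to each protocol version in turn and reports which ones the server answers, so you can compare that against what the client is configured to offer. Host and port are assumed inputs; the `connect` parameter is a hook so the reporting logic can be exercised without a network, and the `legacy_protocols` helper flags any accepted version that is deprecated (SSLv3, TLS 1.0, TLS 1.1) and should be retired on the server side.

```python
import socket
import ssl

# Protocol names as used in the post, mapped to Python's TLSVersion bounds.
# Modern OpenSSL builds refuse SSLv3 outright; that case is reported as
# "unavailable" rather than as a server rejection.
PROTOCOLS = {
    "SSLv3":   ssl.TLSVersion.SSLv3,
    "TLSv1":   ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def _make_context(version):
    """Client context pinned to exactly one protocol version.
    Raises ValueError if the local OpenSSL has that version compiled out."""
    ctx = ssl.create_default_context()
    # Verification is off on purpose: this probe only learns which hello the
    # server will answer; it does not establish trust in the certificate.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def tls_handshake(host, port, version, timeout=5.0):
    """Handshake pinned to one version; returns the negotiated protocol
    string, or raises ssl.SSLError / OSError if the server refuses it."""
    ctx = _make_context(version)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()

def probe_protocols(host, port=443, connect=tls_handshake):
    """Map each protocol name to 'accepted', 'rejected' or 'unavailable'.
    `connect` is injectable so the logic can be tested offline."""
    results = {}
    for name, version in PROTOCOLS.items():
        try:
            connect(host, port, version)
            results[name] = "accepted"
        except ValueError:
            results[name] = "unavailable"   # local library cannot offer it
        except (ssl.SSLError, OSError):
            results[name] = "rejected"      # server (or network) said no
    return results

def legacy_protocols(results):
    """Accepted protocols that are deprecated and worth raising with the
    server owner (SSLv3 is broken; TLS 1.0/1.1 were retired by RFC 8996)."""
    return [n for n in ("SSLv3", "TLSv1", "TLSv1.1") if results.get(n) == "accepted"]
```

Run it as `probe_protocols("server.example", 443)` against the host you are trying to reach; the names in the result correspond to the values the post asks you to determine for the "hello" and post-connect negotiation.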