SSL Failures - Inconsistencies In Behaviour

Andy Whitcombe

New Member
Morning All,

Customer is looking to move to a new domain.

On their Test system, they are reporting SSL issues.

---------------------------
Error (Press HELP to view stack trace)
---------------------------
Secure Socket Layer (SSL) failure. error code 336151568: SSL routines (9318)
---------------------------
OK Help
---------------------------

Whilst debugging the issue, we are seeing some inconsistencies.

The code in use hasn't changed in years. It is as follows:
Code:
ASSIGN
    HttpClientLibrary = OpenEdge.Net.HTTP.Lib.ClientLibraryBuilder:Build()
                        :sslVerifyHost(NO)
                        :ServerNameIndicator(pvWebServiceServer)
                        :library.

ASSIGN HttpClient = ClientBuilder:Build():UsingLibrary(HttpClientLibrary):Client.

/* Create the payload */
ASSIGN RequestBody = NEW String(JSONRequest:GetJsonText()).

// Create The Request
ASSIGN HttpRequest = RequestBuilder:Post(pvWebServiceServer, RequestBody)
                                   :ContentType({&WebServiceRequestContentJSON})
                                   :Request.

// Execute Request
IF  VALID-OBJECT(HttpClient)
AND VALID-OBJECT(HttpRequest) THEN
    HttpResponse = HttpClient:Execute(HttpRequest).

If we run that from within our application, the reported error is seen.

Within our application, run _edit.r, run the same code.

We get a 200, OK response and a valid response.

Question is, why? PROPATH etc and code are identical

FYI, we have done SSL_DEBUGGING at level 4. On the failure,

Code:
[Thu Jul 24 09:31:34 2025] ID-0x225fda68 CTX-0x00000000 BIO-0x00000000 INFO  --- Set SSL Client CipherSuites: AES128-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:ADH-AES128-SHA256:ADH-AES256-SHA256:ADH-AES128-GCM-SHA256:AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ADH-AES256-GCM-SHA384
[Thu Jul 24 09:31:34 2025] ID-0x225fda68 CTX-0x00000000 BIO-0x00000000 INFO  --- Set SSL Client Protocols : TLSv1.2
[Thu Jul 24 09:31:34 2025] ID-0x225fda68 CTX-0x1c1289d0 BIO-0x00000000 INFO  --- SSL Client starting handshake with host (<Customer URL Correctly Formatted>)
[Thu Jul 24 09:31:34 2025] INTERNAL STATE OPERATION --- SSL State: 16 before SSL initialization
[Thu Jul 24 09:31:34 2025] INTERNAL STATE OPERATION --- SSL_connect:before SSL initialization
>>> ??? [length 0005]
    16 03 01 01 3c
>>> ??? [length 013c]
    01 00 01 38 03 03 ae 9c ce 5c 23 92 ce 8b 04 5f
    fd 31 49 ff 40 46 f5 01 b2 2d 98 a0 3c 56 45 12
    36 17 82 34 4e 08 20 dd e7 f7 48 ca 68 a7 a9 7d
    1a 38 39 0e 9f d7 99 35 05 02 87 de 0c 92 b6 12
    e6 09 68 9e 9a fe ec 00 18 13 02 13 03 13 01 00
    3c 00 3d 00 67 00 9c 00 9e 00 6b 00 9d 00 9f 00
    ff 01 00 00 d7 00 00 00 3c 00 3a 00 00 37 68 74
    74 70 73 3a 2f 2f 77 77 77 2e 69 6e 73 69 67 68
    74 74 65 73 74 2e 6f 70 65 6e 66 69 65 6c 64 2e
    63 6f 2e 75 6b 2f 61 70 69 2f 67 6f 6c 64 61 70
    69 2e 70 68 70 00 0b 00 04 03 00 01 02 00 0a 00
    0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23 00
    00 00 16 00 00 00 17 00 00 00 0d 00 30 00 2e 04
    03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b 08
    04 08 05 08 06 04 01 05 01 06 01 03 03 02 03 03
    01 02 01 03 02 02 02 04 02 05 02 06 02 00 2b 00
    0b 0a 03 04 03 03 03 02 03 01 03 00 00 2d 00 02
    01 01 00 33 00 26 00 24 00 1d 00 20 d7 a5 bb 75
    f3 ad c1 9f 4f 0b 85 a8 bb 00 fb 20 81 18 08 08
    48 55 90 f7 7b 1a 95 30 3c 1d 39 0f
[Thu Jul 24 09:31:34 2025] INTERNAL STATE OPERATION --- SSL_connect:/TLS write client hello
<<< ??? [length 0005]
    15 03 01 00 02
<<< ??? [length 0002]
    02 28
[Thu Jul 24 09:31:34 2025] INTERNAL STATE OPERATION ---  read:fatal:handshake failure
[Thu Jul 24 09:31:34 2025] INTERNAL STATE OPERATION --- SSL_connect:error in error
[Thu Jul 24 09:31:34 2025] ID-0x225fda68 CTX-0x1c1289d0 BIO-0x0f3a8df8 ERROR --- SSL Client handshake failure (336151568) SSL routines
[Thu Jul 24 09:31:34 2025] ID-0x225fda68 CTX-0x1c1289d0 BIO-0x0f3a8df8 INFO  --- Terminated SSL Client session
 
The problem might be
Code:
 :ServerNameIndicator(pvWebServiceServer)


What is the value of pvWebServiceServer?
The new server might have a new certificate that does not align with the subject=cn, but the hostname might exist in the Subject Alternative Name (SAN) of the server certificate.


Have a look at this:

Progress Customer Community
 
Thanks @JamesBowen

You are correct, the issue was down to how I was setting ServerNameIndicator. With the current certificates in the Live Environment, we had no issues. In the Test, with new certificates from an alternate source, the value I was supplying was causing the issue.

I actually posted the issue on here and communities. Unfortunately, I ran out of time to post an update on here, detailing the resolution. Here is the communities thread.
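
The value a client sends as SNI can be read straight out of the level-4 SSL debug output, because the ClientHello carries it in the server_name extension (type 00 00); in the dump above that name begins with the bytes 68 74 74 70 73 3a 2f 2f, which is ASCII for "https://". The Python below is an added example, not code from the posters or from Progress: it extracts the server_name from a ClientHello, reports why a value is unusable as SNI, and derives the host-only value from the request URL. The function names and the example.com URL are constructed for illustration.

```python
import re
import struct
from urllib.parse import urlsplit

SAMPLE_URL = "https://www.example.com/api/endpoint.php"  # constructed placeholder URL
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def build_client_hello(sni: bytes) -> bytes:
    """Constructed sample: minimal TLS 1.2 ClientHello carrying `sni` as server_name."""
    entry = b"\x00" + struct.pack("!H", len(sni)) + sni       # name_type 0 = host_name
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + bytes(32) + b"\x00"                 # version, random, empty session id
            + b"\x00\x02\x00\x3c" + b"\x01\x00"               # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def extract_sni(hello: bytes):
    """Return the server_name sent in a ClientHello handshake message, or None."""
    if not hello or hello[0] != 1:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                          # header, version, random
    pos += 1 + hello[pos]                                     # session id
    pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")      # cipher suites
    pos += 1 + hello[pos]                                     # compression methods
    end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + elen]
        if etype == 0 and len(data) >= 5:                     # extension 0 = server_name
            nlen = int.from_bytes(data[3:5], "big")
            return data[5:5 + nlen].decode("ascii", "replace")
        pos += 4 + elen
    return None

def sni_problem(name):
    """Say why `name` is unusable as SNI; None means it is a plain DNS hostname."""
    if name is None:
        return "no server_name extension sent"
    if "://" in name:
        return "contains a URL scheme"
    if "/" in name or ":" in name:
        return "contains a path or port"
    if len(name) > 253 or not all(LABEL.match(p) for p in name.split(".")):
        return "not a valid DNS hostname"
    return None

def host_for_sni(url: str) -> str:
    return urlsplit(url).hostname      # host only: no scheme, port or path
```

To check a real trace, pass the hex rows printed under the `>>> ??? [length 013c]` marker through `bytes.fromhex()` and give the result to `extract_sni()`.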

 