Try OpenEdge Now
skip to main content
Core Business Services - Security and Auditing
Security : Security in OpenEdge : SSL Security
 

SSL Security

The SSL security in OpenEdge includes:
*Support for SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 protocols by default that also secure applications against the Padding Oracle On Downgraded Legacy Encryption (POODLE) vulnerability. For a list of all supported ciphers for each protocol, see Supported protocols, ciphers, and certificates for Progress OpenEdge clients and servers.
*Default support for digital certificate validation if signatures use SHA1 and SHA2 (256 or 512) message digest algorithms
POODLE is a vulnerability can affect secure communications making use of the Secure Socket Layer (SSL) 3.0 or TLS 1.0. However, newer releases of secure communication protocols, including Transport Layer Security (TLS) 1.1 and TLS 1.2, are increasingly less susceptible. An OpenEdge application is vulnerable to POODLE attack if it establishes secure communications over SSL 3.0.
OpenEdge now communicates over TLS 1.2 by default that makes it safe against this vulnerability. However, you can change the defaults if you are using an OpenEdge client prior to 11.6 to work with 11.6 OpenEdge server. To achieve this, you must downgrade the 11.6 OpenEdge servers to use TLS 1.0 and AES128-SHA and change the default server certificate from SHA256 to SHA1.
POODLE allows an attacker to decrypt cipher text using a padding oracle side-channel attack. Applications that use cipher-block chaining with the SSL 3.0 communication protocol are vulnerable to POODLE attacks. The SSL 3.0 protocol does not adequately check the padding bytes that are sent with encrypted messages. These padding bytes can be replaced by the attacker. So, an attacker can exploit this vulnerability to decrypt and extract information from inside an encrypted transaction.
Note: For more information on the encryption flaws that POODLE takes advantage of, see https://www.openssl.org/~bodo/ssl-poodle.pdf.
* Changing the cryptographic protocol, ciphers, and certificates