Core Business Services - Security and Auditing
Supported protocols, ciphers, and certificates for Progress OpenEdge clients and servers
The default protocol is TLS 1.2.
The default ciphers for clients and servers are:
Ciphers for clients:
* AES128-SHA256
* DHE-RSA-AES128-SHA256
* AES128-GCM-SHA256
* DHE-RSA-AES128-GCM-SHA256
* ADH-AES128-SHA256
* ADH-AES256-SHA256
* ADH-AES128-GCM-SHA256
* AES256-SHA256
* DHE-RSA-AES256-SHA256
Ciphers for servers:
* AES128-SHA256
* DHE-RSA-AES128-SHA256
* AES128-GCM-SHA256
* DHE-RSA-AES128-GCM-SHA256
* AES256-SHA256
* DHE-RSA-AES256-SHA256
* ADH-AES128-SHA256
* ADH-AES128-GCM-SHA256
* ADH-AES256-SHA256
The default cipher table also lists AES256-GCM-SHA384, DHE-RSA-AES256-GCM-SHA384, and ADH-AES256-GCM-SHA384; these require a SHA384-signed server certificate (see the compatibility table below).
The default certificate is default_server.pem (SHA256-signed certificate). The following certificates are also supported:
* test-server-SHA.pem (SHA1-signed certificate)
* test-server-SHA384.pem (SHA384-signed certificate)
Note: With a SHA256-signed certificate, TLS 1.2 works only with the ciphers listed above.
When you install OpenEdge, the defaults above are used. You can change the defaults to any of the other supported protocols, ciphers, or certificates. The following table lists the compatibility matrix between protocols, ciphers, and certificates.
Note: All the cryptographic protocols and ciphers are supported by default. You can use either the short name or the long name of a cipher.
Protocols: TLSv1.2
Ciphers:
* AES128-SHA256
* DHE-RSA-AES128-SHA256
* AES128-GCM-SHA256
* DHE-RSA-AES128-GCM-SHA256
* ADH-AES128-SHA256
* ADH-AES128-GCM-SHA256
* ADH-AES256-SHA256
* AES256-SHA256
* DHE-RSA-AES256-SHA256
Certificates: The default server certificate is signed with SHA256 ($DLC/keys/default_server.pem). If you use your own certificates, make sure they are signed with SHA256.

Protocols: TLSv1.2
Ciphers:
* AES256-GCM-SHA384
* DHE-RSA-AES256-GCM-SHA384
* ADH-AES256-GCM-SHA384
Certificates: The default server certificate must be signed with SHA384. Do the following for server certificates:
1. Take a backup of $DLC/keys/default_server.pem (which is signed with SHA256).
2. Rename $DLC/keys/test_server_SHA384.pem to $DLC/keys/default_server.pem.

Protocols: TLSv1.1, TLSv1.0, SSLv3
Ciphers:
* AES128-SHA
* RC4-SHA
* DES-CBC3-SHA
* DES-CBC-SHA
* EXP-DES-CBC-SHA
Certificates: The server certificates must be signed with SHA1. Do the following:
1. Take a backup of $DLC/keys/default_server.pem (which is signed with SHA256).
2. Rename $DLC/keys/test_server_SHA.pem to $DLC/keys/default_server.pem.
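As an added example (not code from the OpenEdge documentation), the following Python script encodes the protocol/cipher-to-certificate rules of the table above and reads the signature hash out of a PEM certificate with a minimal DER walk, so an operator can confirm that the certificate installed as $DLC/keys/default_server.pem matches the configured protocol and cipher before restarting a broker. It assumes RSA-signed certificates (only the three sha1/sha256/sha384WithRSAEncryption OIDs are mapped), and the sample certificate skeleton it builds is constructed for the demonstration and is not a real certificate.

```python
import base64
import re
# DER-encoded signature-algorithm OIDs (value bytes only) -> hash used to sign the certificate
SIG_OID_HASH = {
    bytes.fromhex("2a864886f70d010105"): "SHA1",    # sha1WithRSAEncryption   1.2.840.113549.1.1.5
    bytes.fromhex("2a864886f70d01010b"): "SHA256",  # sha256WithRSAEncryption 1.2.840.113549.1.1.11
    bytes.fromhex("2a864886f70d01010c"): "SHA384",  # sha384WithRSAEncryption 1.2.840.113549.1.1.12
}

def required_cert_hash(protocol, cipher):
    """Hash the server certificate must be signed with, per the compatibility table above."""
    if protocol == "TLSv1.2":
        return "SHA384" if cipher.endswith("-GCM-SHA384") else "SHA256"
    if protocol in ("TLSv1.1", "TLSv1.0", "SSLv3"):
        return "SHA1"
    raise ValueError("unsupported protocol: " + protocol)

def _der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cert_signature_hash(pem):
    """Return SHA1/SHA256/SHA384 (or 'unknown') for the signatureAlgorithm of a PEM certificate."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(m.group(1).split()))
    _, cert, _ = _der_tlv(der, 0)          # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    _, _, pos = _der_tlv(cert, 0)          # skip tbsCertificate
    _, sig_alg, _ = _der_tlv(cert, pos)    # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    tag, oid, _ = _der_tlv(sig_alg, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in signatureAlgorithm")
    return SIG_OID_HASH.get(oid, "unknown")

def check(protocol, cipher, pem):
    """Return (ok, required_hash, actual_hash) for a protocol/cipher choice and a certificate."""
    need, have = required_cert_hash(protocol, cipher), cert_signature_hash(pem)
    return need == have, need, have
def _der(tag, value):                      # short-form length only; enough for the sample below
    return bytes([tag, len(value)]) + value
def constructed_sample_pem(sig_oid):
    """Constructed test input, NOT a real certificate: only the signatureAlgorithm field is meaningful."""
    alg = _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))          # AlgorithmIdentifier
    der = _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00"))    # empty tbs, alg, empty signature
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
```

Against a real deployment, call check("TLSv1.2", "AES256-GCM-SHA384", open("$DLC/keys/default_server.pem").read()) with the path expanded; a False result means the certificate swap steps above are still needed for that cipher.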
The list of ciphers depends on the ciphers supported by the library vendor that you are using, for example, RSA or JSSE.
If the OpenEdge 11.7 JSSE library's TLS restrictions do not allow network connections, you can temporarily revert to the RSA library by setting values as follows:
* For AppServer and WebSpeed brokers, set the following in the Environment.asbroker1 section of the ubroker.properties file:
[Environment.asbroker1]
PSC_SSL_PROVIDER=rsa
* For Java OpenClient, AppServer Internet Adapter (AIA), REST Adapter, and Web Services Adapter (WSA), set the following in your runtime environment:
set PSC_SSL_PROVIDER=rsa
Here are the supported ciphers for JSSE and RSA.
Note: The list of ciphers is updated across releases; see the release-specific OpenEdge documentation for supported ciphers.
Network library: JSSE
Ciphers:
* AES128-SHA256
* DHE-RSA-AES128-SHA256
Network library: RSA
Ciphers:
* AES128-SHA256
* AES256-SHA256
* DHE-RSA-AES128-SHA256
* AES128-GCM-SHA256
* DHE-RSA-AES128-GCM-SHA256
* DHE-RSA-AES256-SHA256
* ADH-AES128-GCM-SHA256
* ADH-AES256-SHA256
The following ciphers are not supported for JSSE:
* AES128-GCM-SHA256
* ADH-AES128-GCM-SHA256
* DHE-RSA-AES128-GCM-SHA256
* If you want to use clients prior to 11.6 with 11.6 servers, you must downgrade to TLS 1.0 and AES128-SHA, and the default server certificate must be changed from SHA256 to SHA1.
* OpenEdge 11.7 does not support the AES128-SHA cipher with the SSLv3 protocol on the AIX platform.
* If you update a protocol, the supported ciphers are not updated automatically; you must manually change to one of the ciphers supported for the new protocol (as listed in the table above).
* If you use any AES256-* ciphers, or a server certificate with a key size larger than 2048 bits, on any platform, do the following:
1. Take a backup of the local_policy.jar file in the $DLC/jdk/jre/lib/security and $DLC/jre/lib/security locations.
2. Copy the local_policy.jar file in the $DLC/java/ext/ location to the $DLC/jdk/jre/lib/security and $DLC/jre/lib/security locations.
3. Restart the AdminServer and other related components.
* OpenEdge supports TLS 1.0 for .NET Framework 4.0 and TLS 1.2 for .NET Framework 4.5. If you want an 11.6 .NET client to connect to an 11.6 AppServer, either upgrade .NET Framework 4.0 to 4.5 or downgrade the server to TLSv1.0.
* If you use the Apache Web Server, see the Apache documentation for its security considerations.