Consultor Eletrônico



Kbase P154240: SSL Socket connection fails with errors 9318, 9407 in OpenEdge 10.1A / 10.1B
Author: Progress Software Corporation - Progress
Access: Public
Published: 12/10/2009
Status: Unverified

SYMPTOM(s):

SSL Socket connection fails with errors 9318, 9407 in OpenEdge 10.1A / 10.1B

Secure Socket Layer (SSL) failure. error code <err_number>: <ssl_error_message> (9318)

Secure Socket Layer (SSL) failure. error code 0: Unknown network error (9318)

Connection failure for host <host_name> port <port> transport <transport_name>. (9407)

The following entries are recorded in cert.client.log when SSLSYS_DEBUG_LOGGING=4 is set:

[DDD MMM DD HH:MM:SS YYYY] ID-0x01b59008 CTX-0x00000000 BIO-0x00000000 INFO --- Initialized client logging
[DDD MMM DD HH:MM:SS YYYY] ID-0x01b59008 CTX-0x00000000 BIO-0x00000000 INFO --- Enabling SSL Client session reuse
[DDD MMM DD HH:MM:SS YYYY] ID-0x01b59008 CTX-0x01b5b1b0 BIO-0x00000000 ERROR --- SSL Client connect failure to host: <hostname> and port: <port> error (268857450) SIO routines
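
To triage these entries across many client logs, the following added example (not part of the original Kbase entry and not Progress code) parses the log layout shown above and pulls the host, port and error code out of each connect failure. The timestamp, host name and port in the sample are constructed.

```python
import re
from datetime import datetime

# Layout of one cert.client.log entry, taken from the excerpt above.
ENTRY = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+ID-(?P<id>0x[0-9a-fA-F]+)\s+CTX-(?P<ctx>0x[0-9a-fA-F]+)\s+"
    r"BIO-(?P<bio>0x[0-9a-fA-F]+)\s+(?P<level>[A-Z]+)\s+---\s+(?P<msg>.*)$"
)
# Message text of the connect failure shown in the excerpt.
CONNECT_FAIL = re.compile(
    r"SSL Client connect failure to host:\s*(?P<host>\S+) and port:\s*(?P<port>\d+)"
    r"\s+error \((?P<code>\d+)\)\s*(?P<source>.*)$"
)

def parse_entry(line):
    """Return one log line as a dict, or None if it does not match the layout."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # DDD MMM DD HH:MM:SS YYYY, as in the excerpt's timestamp placeholder.
    entry["ts"] = datetime.strptime(entry["ts"], "%a %b %d %H:%M:%S %Y")
    return entry

def connect_failures(lines):
    """Yield host, port, error code and client ID for each failed SSL connect."""
    for line in lines:
        entry = parse_entry(line)
        if entry is None or entry["level"] != "ERROR":
            continue
        m = CONNECT_FAIL.search(entry["msg"])
        if m:
            code = int(m["code"])
            yield {"ts": entry["ts"], "client_id": entry["id"],
                   "host": m["host"], "port": int(m["port"]),
                   "code": code, "code_hex": hex(code), "source": m["source"]}

# Constructed sample: the excerpt's entries with a made-up timestamp, host and port.
SAMPLE = """\
[Mon Oct 12 10:15:01 2009] ID-0x01b59008 CTX-0x00000000 BIO-0x00000000 INFO --- Initialized client logging
[Mon Oct 12 10:15:01 2009] ID-0x01b59008 CTX-0x00000000 BIO-0x00000000 INFO --- Enabling SSL Client session reuse
[Mon Oct 12 10:15:02 2009] ID-0x01b59008 CTX-0x01b5b1b0 BIO-0x00000000 ERROR --- SSL Client connect failure to host: app.example.com and port: 8443 error (268857450) SIO routines
""".splitlines()

if __name__ == "__main__":
    for failure in connect_failures(SAMPLE):
        print(failure)
```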

FACT(s) (Environment):

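The following code is used to create a secure socket and connect:

/* Handle for the client socket object */
DEFINE VARIABLE hWebSocket AS HANDLE NO-UNDO.
CREATE SOCKET hWebSocket.
hWebSocket:CONNECT('-ssl -H <hostname> -S <port>').
Starting the session with -sslverify (values 0-4) has no effect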
Same code works as expected in OpenEdge 10.1C; a secure socket connection is established
Same code works as expected in OpenEdge 10.1A on IBM AIX; a secure socket connection is established
Same code works as expected in OpenEdge 10.1A on Linux; a secure socket connection is established
IBM AIX and Linux use OpenSSL libraries
Other operating systems (HP-UX, Solaris, Windows) use RSA libraries
OpenEdge 10.1A
OpenEdge 10.1B
HP-UX
Solaris
Windows

CAUSE:

The exact cause is unknown at the time of this writing but is likely related to a difference between how RSA libraries handle SSL compared to OpenSSL libraries, given that the same code that fails in 10.1A on Windows (RSA) works when executed in 10.1A on Red Hat Linux (OpenSSL).

FIX:

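Add the -nohostverify parameter to the connection parameters used in the CONNECT() method. This parameter turns off host verification for the SSL connection, so the client no longer checks the host name in the server's certificate against <hostname>: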

/* Handle for the client socket object */
DEFINE VARIABLE hWebSocket AS HANDLE NO-UNDO.
CREATE SOCKET hWebSocket.
hWebSocket:CONNECT('-ssl -nohostverify -H <hostname> -S <port>').