Learn about Security and Auditing

Supported protocols, ciphers, and certificates for OpenEdge clients and servers

Save PDF

Supported protocols, ciphers, and certificates for OpenEdge clients and servers

Save PDF

Last Updated: September 9, 2022
2 minute read

OpenEdge
Version 12.2
Documentation

Supported protocols, ciphers, and certificates for OpenEdge clients and servers

In OpenEdge 12.0, an ABL socket client or server supports TLS 1.3 and can communicate with any server or client that supports TLS 1.3.

You can use to obtain the list of default ciphers for different OpenSSL clients, such as ABL clients and PAS for OpenEdge agents, using the following sslc or OpenSSL command:

$DLC/bin/sslc ciphers -s <-protocol> ‘ALL’

For example, to get a list of default client ciphers for the TLSv1.3 protocol, use the following command:

$DLC/bin/sslc ciphers -s -tls1_3 ‘ALL’

Following is the list of default cilent and server ciphers for the different protocols:


Protocols	Default Client Ciphers	Default Server Ciphers
`TLSv1.3`	`TLS_AES_256_GCM_SHA384` `TLS_CHACHA20_POLY1305_SHA256` `TLS_AES_128_GCM_SHA256`	`TLS_AES_256_GCM_SHA384` `TLS_CHACHA20_POLY1305_SHA256` `TLS_AES_128_GCM_SHA256`
`TLSv1.2`	`ECDHE-ECDSA-AES256-GCM-SHA384` `ECDHE-RSA-AES256-GCM-SHA384` `DHE-DSS-AES256-GCM-SHA384` `DHE-RSA-AES256-GCM-SHA384` `ECDHE-ECDSA-CHACHA20-POLY1305` `ECDHE-RSA-CHACHA20-POLY1305` `DHE-RSA-CHACHA20-POLY1305` `ECDHE-ECDSA-AES256-CCM8` `ECDHE-ECDSA-AES256-CCM` `DHE-RSA-AES256-CCM8` `DHE-RSA-AES256-CCM` `ECDHE-ECDSA-ARIA256-GCM-SHA384` `ECDHE-ARIA256-GCM-SHA384` `DHE-DSS-ARIA256-GCM-SHA384` `DHE-RSA-ARIA256-GCM-SHA384` `ECDHE-ECDSA-AES128-GCM-SHA256` `ECDHE-RSA-AES128-GCM-SHA256` `DHE-DSS-AES128-GCM-SHA256` `DHE-RSA-AES128-GCM-SHA256` `ECDHE-ECDSA-AES128-CCM8` `ECDHE-ECDSA-AES128-CCM` `DHE-RSA-AES128-CCM8` `DHE-RSA-AES128-CCM` `ECDHE-ECDSA-ARIA128-GCM-SHA256` `ECDHE-ARIA128-GCM-SHA256` `DHE-DSS-ARIA128-GCM-SHA256` `DHE-RSA-ARIA128-GCM-SHA256` `ECDHE-ECDSA-AES256-SHA384` `ECDHE-RSA-AES256-SHA384` `DHE-RSA-AES256-SHA256` `DHE-DSS-AES256-SHA256` `ECDHE-ECDSA-CAMELLIA256-SHA384` `ECDHE-RSA-CAMELLIA256-SHA384` `DHE-RSA-CAMELLIA256-SHA256` `DHE-DSS-CAMELLIA256-SHA256` `ECDHE-ECDSA-AES128-SHA256` `ECDHE-RSA-AES128-SHA256` `DHE-RSA-AES128-SHA256` `DHE-DSS-AES128-SHA256` `ECDHE-ECDSA-CAMELLIA128-SHA256` `ECDHE-RSA-CAMELLIA128-SHA256` `DHE-RSA-CAMELLIA128-SHA256` `DHE-DSS-CAMELLIA128-SHA256` `ECDHE-ECDSA-AES256-SHA` `ECDHE-RSA-AES256-SHA` `DHE-RSA-AES256-SHA` `DHE-DSS-AES256-SHA` `DHE-RSA-CAMELLIA256-SHA` `DHE-DSS-CAMELLIA256-SHA` `ECDHE-ECDSA-AES128-SHA` `ECDHE-RSA-AES128-SHA` `DHE-RSA-AES128-SHA` `DHE-DSS-AES128-SHA` `DHE-RSA-SEED-SHA` `DHE-DSS-SEED-SHA` `DHE-RSA-CAMELLIA128-SHA` `DHE-DSS-CAMELLIA128-SHA` `ECDHE-ECDSA-RC4-SHA` `ECDHE-RSA-RC4-SHA` `ECDHE-ECDSA-DES-CBC3-SHA` `ECDHE-RSA-DES-CBC3-SHA` `DHE-RSA-DES-CBC3-SHA` `DHE-DSS-DES-CBC3-SHA` `AES256-GCM-SHA384` `AES256-CCM8` `AES256-CCM` `ARIA256-GCM-SHA384` `AES128-GCM-SHA256` `AES128-CCM8` `AES128-CCM` `ARIA128-GCM-SHA256` `AES256-SHA256` `CAMELLIA256-SHA256` `AES128-SHA256` `CAMELLIA128-SHA256` `AES256-SHA` `CAMELLIA256-SHA` `AES128-SHA` `SEED-SHA` `CAMELLIA128-SHA` `RC4-SHA` `DES-CBC3-SHA`	`ECDHE-ECDSA-AES256-GCM-SHA384` `ECDHE-RSA-AES256-GCM-SHA384` `ECDHE-ECDSA-CHACHA20-POLY1305` `ECDHE-RSA-CHACHA20-POLY1305` `ECDHE-ECDSA-AES128-GCM-SHA256` `ECDHE-RSA-AES128-GCM-SHA256` `ECDHE-ECDSA-AES256-SHA384`
`TLSv1.1`	`ECDHE-ECDSA-AES256-SHA` `ECDHE-RSA-AES256-SHA` `DHE-RSA-AES256-SHA` `DHE-DSS-AES256-SHA` `DHE-RSA-CAMELLIA256-SHA` `DHE-DSS-CAMELLIA256-SHA` `ECDHE-ECDSA-AES128-SHA` `ECDHE-RSA-AES128-SHA` `DHE-RSA-AES128-SHA` `DHE-DSS-AES128-SHA` `DHE-RSA-SEED-SHA` `DHE-DSS-SEED-SHA` `DHE-RSA-CAMELLIA128-SHA` `DHE-DSS-CAMELLIA128-SHA` `ECDHE-ECDSA-RC4-SHA` `ECDHE-RSA-RC4-SHA` `ECDHE-ECDSA-DES-CBC3-SHA` `ECDHE-RSA-DES-CBC3-SHA` `DHE-RSA-DES-CBC3-SHA` `DHE-DSS-DES-CBC3-SHA` `AES256-SHA` `CAMELLIA256-SHA` `AES128-SHA` `SEED-SHA` `CAMELLIA128-SHA` `IDEA-CBC-SHA` `RC4-SHA` `DES-CBC3-SHA`	There are no default ciphers for these protocols. To use ciphers, either use the `PSC_SERVERCIPHERS_VALUE` environment variable or use the `-sslprotocols` connection parameter in the `CONNECT()` method.
`TLSv1`	`ECDHE-ECDSA-AES256-SHA` `ECDHE-RSA-AES256-SHA` `DHE-RSA-AES256-SHA` `DHE-DSS-AES256-SHA` `DHE-RSA-CAMELLIA256-SHA` `DHE-DSS-CAMELLIA256-SHA` `ECDHE-ECDSA-AES128-SHA` `ECDHE-RSA-AES128-SHA` `DHE-RSA-AES128-SHA` `DHE-DSS-AES128-SHA` `DHE-RSA-SEED-SHA` `DHE-DSS-SEED-SHA` `DHE-RSA-CAMELLIA128-SHA` `DHE-DSS-CAMELLIA128-SHA` `ECDHE-ECDSA-RC4-SHA` `ECDHE-RSA-RC4-SHA` `ECDHE-ECDSA-DES-CBC3-SHA` `ECDHE-RSA-DES-CBC3-SHA` `DHE-RSA-DES-CBC3-SHA` `DHE-DSS-DES-CBC3-SHA` `AES256-SHA` `CAMELLIA256-SHA` `AES128-SHA` `SEED-SHA` `CAMELLIA128-SHA` `IDEA-CBC-SHA` `RC4-SHA` `DES-CBC3-SHA`	There are no default ciphers for these protocols. To use ciphers, either use the `PSC_SERVERCIPHERS_VALUE` environment variable or use the `-sslprotocols` connection parameter in the `CONNECT()` method.
`SSLv3`	`ECDHE-ECDSA-AES256-SHA` `ECDHE-RSA-AES256-SHA` `DHE-RSA-AES256-SHA` `DHE-DSS-AES256-SHA` `DHE-RSA-CAMELLIA256-SHA` `DHE-DSS-CAMELLIA256-SHA` `ECDHE-ECDSA-AES128-SHA` `ECDHE-RSA-AES128-SHA` `DHE-RSA-AES128-SHA` `DHE-DSS-AES128-SHA` `DHE-RSA-SEED-SHA` `DHE-DSS-SEED-SHA` `DHE-RSA-CAMELLIA128-SHA` `DHE-DSS-CAMELLIA128-SHA` `ECDHE-ECDSA-RC4-SHA` `ECDHE-RSA-RC4-SHA` `ECDHE-ECDSA-DES-CBC3-SHA` `ECDHE-RSA-DES-CBC3-SHA` `DHE-RSA-DES-CBC3-SHA` `DHE-DSS-DES-CBC3-SHA` `AES256-SHACAMELLIA256-SHA` `AES128-SHA` `SEED-SHA` `CAMELLIA128-SHA` `IDEA-CBC-SHA` `RC4-SHA` `DES-CBC3-SHA`	There are no default ciphers for these protocols. To use ciphers, either use the `PSC_SERVERCIPHERS_VALUE` environment variable or use the `-sslprotocols` connection parameter in the `CONNECT()` method.

For Java components, such as PAS for OpenEdge Server, OpenEdge Explorer, and OpenEdge Management Server, you can use the following sslj command to list down the default ciphers:

$DLC/bin/sslj list-ciphers

When you install OpenEdge, the current default protocols are enabled. You can change the default to the other supported protocols, ciphers, or certificates. The following table lists examples of the compatibility matrix between protocols, ciphers, and certificates.

Note: You can use either the short name or the long name of the ciphers.


Protocols	Ciphers	Certificates
`TLSv1.3`	`TLS_AES_256_GCM_SHA384`	The default server certificate must be signed with `SHA384`. Do the following for the server certificate: Take a backup of $DLC/keys/default_server.pem (that is signed with `SHA256`) Rename $DLC/keys/test_server_SHA384.pem to $DLC/keys/default_server.pem.
`TLSv1.3`	`TLS_CHACHA20_POLY1305_SHA256` `TLS_AES_128_GCM_SHA256`	The server certificates are signed with `SHA256` ($DLC/keys/default_server.pem). If you use your own certificates, make sure they are signed with `SHA256`.
`TLSv1.2`	`AES128-SHA256` `DHE-RSA-AES128-SHA256` `AES128-GCM-SHA256` `DHE-RSA-AES128-GCM-SHA256` `AES256-SHA256` `DHE-RSA-AES256-SHA256`	Default server certificate is signed with `SHA256` ($DLC/keys/default_server.pem). If you use your own certificates, make sure they are signed with `SHA256`.
`TLSv1.2`	`AES256-GCM-SHA384` `DHE-RSA-AES256-GCM-SHA384`	The default server certificate must be signed with `SHA384`. Do the following for server certificates: Take a backup of $DLC/keys/default_server.pem (that is signed with `SHA256`) Rename $DLC/keys/test_server_SHA384.pem to $DLC/keys/default_server.pem.
`TLSv1.1` `TLSv1.0` `SSLv3`	`AES128-SHA` `RC4-SHA` `DES-CBC3-SHA`	The server certificates must be signed with `SHA1`. Do the following: Take a backup of $DLC/keys/default_server.pem (that is singed with `SHA256`) Rename $DLC/keys/test_server_SHA.pem file to $DLC/keys/default_server.pem.

The list of ciphers depend upon the ciphers supported by the vendor that you are using, for example, JSSE.

Here are the ciphers supported for JSSE:

AES128-SHA256
DHE-RSA-AES128-SHA256

Note: The list of ciphers is updated across releases, see release-specific OpenEdge documentation for supported ciphers.

Note:

OpenEdge 12.1 and OpenEdge 12.0 do not support the RSA library for TLS connections.
OpenEdge 11.7 and later releases do not support AES128-SHA cipher with SSLv3 protocol on the AIX platform.
If you update a protocol, the supported ciphers are not updated automatically, you must update to one of the supported ciphers (as listed in the table above) for the changed protocol manually.
If you use any AES256-* ciphers or a server certificate on any platform with more than 2048 keysize, do the following:
1. Take a backup of the local_policy.jar file in your JDK installation directory (the default path is JDK_install_directory\jre\lib\security\policy\unlimited\local_policy.jar).
2. Copy the local_policy.jar file from your OpenEdge installation directory ($DLC/java/ext/) to the JDK installation directory (JDK_install_directory\jre\lib\security\policy\unlimited).
3. Restart the admin server and other related components.
Note: Replacing the local_policy.jar file affects the security for every product that uses the same JDK installation. If you don’t want programs other than OpenEdge to use the higher encryptions, set up one JDK installation for OpenEdge with the modified local_policy.jar, and use a different JDK installation for other products.
For information on the TLS versions supported by .NET Framework, see https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls.
If you use Apache Web Server, see the Apache documentation for the security considerations.