OpenEdge uses the OpenSSL library for SSL communication between OpenEdge clients and OpenEdge servers. OpenEdge ships with OpenSSL 3.1.x, which uses the concept of providers. A provider collects together various algorithms and makes them available for implementation. It allows you to plug in different cryptographic algorithms and ensures that application security is configured with the latest and strongest cryptographic algorithms.

Note: OpenSSL 3.1.x supports various providers. OpenEdge currently uses only the Default and Legacy providers. The Legacy provider contains legacy algorithms, which will not be supported in a future OpenEdge release. Progress discourages the use of legacy algorithms.

Supported algorithms for different providers

Invoke proenv and use the following sslc commands to view provider-based information:
  • proenv> sslc list -providers: Displays the list of providers loaded with OpenEdge. This command lists algorithms from both the Default and Legacy providers.
  • proenv> sslc list -cipher-algorithms: Displays the list of cipher algorithms along with the name of the provider each belongs to. This command lists algorithms from both the Default and Legacy providers.
  • proenv> sslc list -digest-algorithms: Displays the list of digest algorithms along with the name of the provider each belongs to. This command lists algorithms from both the Default and Legacy providers.
  • proenv> sslc list -mac-algorithms: Displays the list of MAC algorithms along with the name of the provider each belongs to. This command lists algorithms from both the Default and Legacy providers.
Note: Always invoke the sslc command-line utility with proenv. The sslc command-line utility fails to run if you invoke it outside the proenv environment.

The Legacy provider contains legacy algorithms, which will not be supported in a future OpenEdge release. Progress discourages the use of Legacy provider algorithms and recommends the use of more secure algorithms from the Default provider.

Refer to the following to see the complete list of ciphers that OpenEdge supports:
Note: OpenSSL 3.1.x provides improved security for STS-enabled databases, which causes a backward compatibility issue between OpenEdge 12.8 and earlier releases. To fix the backward compatibility issue, ensure that the STS client and STS server are running on the same OpenEdge version. To configure an STS-enabled database, see the "Enable the database to use the Authentication Gateway" section in Configure your OpenEdge database.

Change in OpenSSL error messages

OpenSSL introduced new error codes with OpenSSL 3.1.x, and the error messages no longer contain the OpenSSL function name. These error messages are reflected in the OpenEdge logging.

For example, prior to the OpenSSL 3.x release, an error message appeared like this:
error:0607B083:digital envelope routines:EVP_CipherInit_ex:no cipher set
In OpenSSL 3.1.x, the same error message will appear with a different error code and without the OpenSSL function name:
error:03000083:digital envelope routines::no cipher set
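
The following Python example is added here and is not OpenEdge or OpenSSL code. It parses both message formats shown above so that log-monitoring rules written against the old format keep matching after the upgrade. The function names, the sample log lines, and the use of an empty function field to select the 3.x error-code layout are assumptions of this example.

```python
import re

# error:<8 hex digits>:<library>:<function, empty in 3.x>:<reason>
_ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^\r\n]*)"
)

def parse_openssl_error(line):
    """Return a normalized dict for the first OpenSSL error in line, or None."""
    m = _ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group("code"), 16)
    func = m.group("func")
    if func:
        # Pre-3.x packing: 8-bit library, 12-bit function, 12-bit reason.
        layout, lib_num, reason_num = "pre-3.x", code >> 24, code & 0xFFF
    else:
        # 3.x packing: library in bits 23-30, reason in the low 23 bits.
        # Assumption: an empty function field means the 3.x layout.
        layout, lib_num, reason_num = "3.x", (code >> 23) & 0xFF, code & 0x7FFFFF
    return {
        "layout": layout,
        "library": m.group("lib"),
        "function": func or None,
        "reason": m.group("reason").strip(),
        "lib_num": lib_num,
        "reason_num": reason_num,
    }

def match_key(parsed):
    """Key that is identical in both formats: (library text, reason text)."""
    return (parsed["library"], parsed["reason"])

# Constructed log lines wrapping the two messages quoted on this page.
SAMPLE_LOG = [
    "[constructed] SSL failure: error:0607B083:digital envelope routines:EVP_CipherInit_ex:no cipher set",
    "[constructed] SSL failure: error:03000083:digital envelope routines::no cipher set",
    "[constructed] connection established",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        p = parse_openssl_error(entry)
        print(match_key(p) if p else "no OpenSSL error", "<-", entry)
```

Matching on the library and reason text, or on the decoded library and reason numbers, rather than on the raw hex code or the function name keeps a rule valid for logs from both OpenSSL generations.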