OpenEdge uses OpenSSL library for its TLS communication betwen OpenEdge clients and OpenEdge servers. OpenEdge is shipped with the OpenSSL 3.5.x, which uses the concept of providers. A provider collects together various algorithms and makes them available for implementation. It allows you to plugin different cryptographic algorithm and ensures the application security is configured with the latest and strongest cryptographic algorithms.

Note: OpenSSL 3.5.x supports various providers. OpenEdge currently uses only the Default and Legacy providers. The Legacy provider contains legacy algorithms, which will not be supported in the future OpenEdge release. Progress discourages the use of legacy algorithms. When FIPS mode is enabled, the list of providers changes. For more information, see Check FIPS mode

Supported algorithms for different provider

Use the following sslc commands to view the provider based information:
  • proenv> sslc list -providers—Displays the list of providers loaded with OpenEdge. This command list algorithms from both the Default and Legacy providers.
  • proenv> sslc list -cipher-algorithms—Displays the list of cipher algorithms along with the provider name it belongs to. This command list algorithms from both the Default and Legacy providers.
  • proenv> sslc list -digest-algorithms—Displays the list of digest algorithms along with the provider name it belongs to. This command list algorithms from both the Default and Legacy providers.
  • proenv> sslc list -mac-algorithms—Displays the list of mac algorithms along with the provider name it belongs to. This command list algorithms from both the Default and Legacy providers.

The Legacy provider contains legacy algorithms, which will not be supported in the future OpenEdge release. Progress discourages the use of Legacy provider algorithms and recommends the use of more secure algorithms from the Default provider.

Refer to the following to see the complete list of ciphers that OpenEdge supports:

Change in OpenSSL error messages

OpenSSL has introduced new error codes with OpenSSL 3.x and the error messages no longer contains the OpenSSL function name in it. These error messages are reflected in the OpenEdge logging.

For example, prior to OpenSSL 3.x release, an error message used to appear like ::
error:0607B083:digital envelope routines:EVP_CipherInit_ex:no cipher set
In OpenSSL 3.x, the same error message will appear with a different error code and without the OpenSSL function name:
error:03000083:digital envelope routines::no cipher set