Supported protocols, ciphers, and certificates for OpenEdge clients and servers

The protocol version negotiated for a connection determines which cipher suites the client and server can agree on. A cipher suite names the key exchange, encryption, and message authentication algorithms that protect the connection; during the TLS handshake, OpenEdge selects a suite that both sides support and that is permitted for the negotiated protocol. Certificates carry the server's identity (and optionally the client's). During the handshake, OpenEdge validates the certificate chain, hostname, key usage, and signature algorithm, and encrypted communication proceeds only if the peer is trusted.

This section describes the protocols, ciphers, and certificate requirements supported by OpenEdge clients and servers. These settings apply to the OpenSSL-based components: ABL clients, PAS for OpenEdge agents, OpenEdge databases, and ABL socket servers.

Supported protocols

OpenEdge supports the following TLS protocols:

  • TLS 1.3
  • TLS 1.2

The following protocols are not supported and cannot be enabled:

  • TLS 1.1
  • TLS 1.0
  • SSLv3

The default protocol configuration is enabled during installation. You can update protocol settings as needed.

Default cipher listings

Use the sslc utility to list the ciphers that OpenSSL enables by default for each supported protocol. In the commands below, -s restricts the output to suites the linked OpenSSL build can actually negotiate, and -tls1_3 or -tls1_2 limits it to one protocol. The server commands append @SECLEVEL=3, the OpenSSL security level that OpenEdge servers use, which removes suites and key sizes weaker than that level; the client commands use the plain DEFAULT list.

TLS 1.3 cipher commands

Server (security level 3)

$DLC/bin/sslc ciphers -s -tls1_3 'DEFAULT:@SECLEVEL=3'

Client

$DLC/bin/sslc ciphers -s -tls1_3 'DEFAULT'

TLS 1.2 cipher commands

Server (security level 3)

$DLC/bin/sslc ciphers -s -tls1_2 'DEFAULT:@SECLEVEL=3'

Client

$DLC/bin/sslc ciphers -s -tls1_2 'DEFAULT'

Cipher support

The following ciphers are supported for each protocol.

TLS 1.3 ciphers

  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256

TLS 1.2 ciphers

  • AES128-SHA256
  • DHE-RSA-AES128-SHA256
  • AES128-GCM-SHA256
  • DHE-RSA-AES128-GCM-SHA256
  • AES256-SHA256
  • DHE-RSA-AES256-SHA256
  • AES256-GCM-SHA384
  • DHE-RSA-AES256-GCM-SHA384

Note: You can use either the short (OpenSSL) or long (IANA) name of each cipher, for example AES128-SHA256 or TLS_RSA_WITH_AES_128_CBC_SHA256.
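The following script is an added example and is not part of the OpenEdge documentation. It takes the colon-separated list that the sslc commands above print and compares it with the suites listed for each protocol, reporting any suite outside that list, so a changed cipher setting can be checked before a component is restarted. It assumes $DLC points at the OpenEdge install directory, as on this page; the function names are illustrative, and the live sslc calls run only when an install is present.

```shell
#!/bin/sh
# Added example, not from the OpenEdge documentation: compare the cipher list
# that "sslc ciphers" prints against the suites this page lists as supported.
# Assumes $DLC points at the OpenEdge install directory, as on the page.

# supported_ciphers PROTOCOL: the suites the page lists, one per line.
supported_ciphers() {
    case "$1" in
        tls1_3)
            printf '%s\n' TLS_AES_256_GCM_SHA384 \
                TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ;;
        tls1_2)
            printf '%s\n' AES128-SHA256 DHE-RSA-AES128-SHA256 \
                AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 \
                AES256-SHA256 DHE-RSA-AES256-SHA256 \
                AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ;;
        *)
            echo "unknown protocol: $1" >&2
            return 1 ;;
    esac
}

# unsupported_ciphers PROTOCOL CIPHERLIST: CIPHERLIST is the colon-separated
# string "sslc ciphers" prints. Prints each suite not in the supported list.
unsupported_ciphers() {
    supported=$(supported_ciphers "$1") || return 1
    printf '%s\n' "$2" | tr ':' '\n' | while IFS= read -r suite; do
        [ -n "$suite" ] || continue
        printf '%s\n' "$supported" | grep -qxF -- "$suite" || printf '%s\n' "$suite"
    done
    return 0
}

# cipher_list_ok PROTOCOL CIPHERLIST: succeeds only if every suite is supported.
cipher_list_ok() {
    supported_ciphers "$1" >/dev/null || return 1
    [ -z "$(unsupported_ciphers "$1" "$2")" ]
}

# Check the live server (SECLEVEL=3) and client (DEFAULT) lists when an
# OpenEdge install is available; otherwise the functions above stand alone.
if [ -n "${DLC:-}" ] && [ -x "$DLC/bin/sslc" ]; then
    for proto in tls1_3 tls1_2; do
        for spec in 'DEFAULT:@SECLEVEL=3' 'DEFAULT'; do
            actual=$("$DLC/bin/sslc" ciphers -s "-$proto" "$spec")
            if cipher_list_ok "$proto" "$actual"; then
                echo "$proto $spec: all suites are in the supported list"
            else
                echo "$proto $spec: suites outside the supported list:"
                unsupported_ciphers "$proto" "$actual"
            fi
        done
    done
fi
```

A suite reported here is not necessarily insecure; it is simply not one the page lists for that protocol, which is the cue to reconcile the component's cipher setting with the protocol it now uses.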

Certificate requirements

OpenEdge requires server certificates signed with an approved hash algorithm. Which hashes are acceptable depends on the protocol and on the selected cipher suites.

TLS 1.3 certificates

TLS 1.3 requires a server certificate signed with SHA384.

To switch the default server certificate to the SHA384 test certificate shipped in $DLC/keys:

  1. Back up the existing certificate, $DLC/keys/default_server.pem.
  2. Copy $DLC/keys/test_server_SHA384.pem over $DLC/keys/default_server.pem.
  3. Restart the components that use the certificate.
TLS 1.2 certificates

TLS 1.2 supports certificates signed with SHA256 or SHA384, depending on your selected cipher suites.

If you supply your own certificates, ensure they use one of the supported signature algorithms.
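The following script is an added example rather than something taken from the OpenEdge documentation. It automates the certificate update above with the check a practitioner wants first: it reads the signature algorithm of the replacement certificate with sslc x509, refuses it if the hash does not meet the rule for the protocol (SHA384 for TLS 1.3, SHA256 or SHA384 for TLS 1.2), and otherwise backs up and replaces $DLC/keys/default_server.pem. It assumes $DLC is set and that sslc accepts the standard openssl x509 options; the function names and the SSLC override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the OpenEdge documentation: check a replacement
# server certificate's signature hash against the page's rule for the
# protocol, then install it as $DLC/keys/default_server.pem with a backup.
# Assumes $DLC is set and that "sslc x509" takes the standard OpenSSL x509
# options; set SSLC to use another OpenSSL-compatible binary instead.

SSLC=${SSLC:-${DLC:-}/bin/sslc}

# sig_alg_ok PROTOCOL ALG: ALG is the signature algorithm as "x509 -text"
# prints it (e.g. sha384WithRSAEncryption or ecdsa-with-SHA384).
# TLS 1.3 requires SHA384; TLS 1.2 accepts SHA256 or SHA384.
sig_alg_ok() {
    alg=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$1:$alg" in
        tls1_3:*sha384*)                 return 0 ;;
        tls1_2:*sha256*|tls1_2:*sha384*) return 0 ;;
        *)                               return 1 ;;
    esac
}

# cert_sig_alg FILE: print the signature algorithm of a PEM certificate
# (first "Signature Algorithm:" line of the decoded certificate).
cert_sig_alg() {
    "$SSLC" x509 -noout -text -in "$1" \
        | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# install_server_cert PROTOCOL NEWCERT: back up $DLC/keys/default_server.pem
# and replace it with NEWCERT, but only if NEWCERT's signature hash is valid
# for PROTOCOL. Ends with the restart reminder the page's notes require.
install_server_cert() {
    proto=$1
    newcert=$2
    [ -n "${DLC:-}" ] || { echo "DLC is not set" >&2; return 1; }
    target="$DLC/keys/default_server.pem"
    alg=$(cert_sig_alg "$newcert")
    if ! sig_alg_ok "$proto" "$alg"; then
        echo "not installing $newcert: signature algorithm '$alg' is not valid for $proto" >&2
        return 1
    fi
    backup="$target.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$target" "$backup" || return 1
    cp "$newcert" "$target" || return 1
    echo "installed $newcert ($alg) as $target; previous certificate saved as $backup"
    echo "restart the OpenEdge components that use this certificate"
}

# Usage, following the TLS 1.3 procedure on this page:
#   install_server_cert tls1_3 "$DLC/keys/test_server_SHA384.pem"
```

The signature-algorithm check is done on the certificate file, not on the cipher configuration, so it also catches a customer-supplied certificate that was signed with SHA-1 or SHA256 when the server is about to run TLS 1.3 only.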

Configuration notes

  • Updating a protocol setting does not automatically update the cipher configuration. You must manually select ciphers that are valid for the updated protocol.
  • Cipher availability depends on the OpenSSL stack used by the component.
  • Certificate updates require restarting affected components.