Supported protocols, ciphers, and certificates for OpenEdge clients and servers

Protocols define which security rules OpenEdge can use during a connection, and each protocol restricts the set of ciphers that can be negotiated between the client and server. Cipher suites specify the exact encryption and hashing algorithms used to protect the connection, and OpenEdge automatically chooses a mutually supported suite during the TLS handshake based on the protocol level. Certificates provide the authenticated server (and optionally client) identity; during the handshake, OpenEdge validates the certificate chain, hostname, key usage, and signature algorithm to confirm the peer is trusted before allowing encrypted communication.

This section describes the protocols, ciphers, and certificate requirements supported by OpenEdge clients and servers. These settings apply to OpenSSL based components, including ABL clients, PAS for OpenEdge agents, OpenEdge databases, and ABL socket servers.

Supported protocols

OpenEdge supports the following TLS protocols:

  • TLS 1.3
  • TLS 1.2

The following protocols are not supported and cannot be enabled:

  • TLS 1.1
  • TLS 1.0
  • SSLv3

The default protocol configuration is enabled during installation. You can update protocol settings as needed.

Default cipher listings

Use the sslc utility to view the default ciphers for each supported protocol. The following examples show how to list server and client ciphers configured through OpenSSL.

TLS 1.3 cipher commands

Server (security level 3)

$DLC/bin/sslc ciphers -s -tls1_3 'DEFAULT:@SECLEVEL=3'

Client

$DLC/bin/sslc ciphers -s -tls1_3 'DEFAULT'

TLS 1.2 cipher commands

Server (security level 3)

$DLC/bin/sslc ciphers -s -tls1_2 'DEFAULT:@SECLEVEL=3'

Client

$DLC/bin/sslc ciphers -s -tls1_2 'DEFAULT'

Note: When FIPS mode is enabled, the list of available ciphers differs from when FIPS mode is disabled. For more information, see Check FIPS mode.

Certificate requirements

OpenEdge requires server certificates signed with an approved hashing algorithm. Certificate requirements depend on the protocol and selected cipher suites.

TLS 1.3 certificates

TLS 1.3 requires a server certificate signed with SHA384.

To update the default server certificate:

  1. Back up the existing certificate:
    $DLC/keys/default_server.pem
  2. Replace it with the SHA384 certificate by copying
    $DLC/keys/test_server_SHA384.pem
    over
    $DLC/keys/default_server.pem

TLS 1.2 certificates

TLS 1.2 supports certificates signed with SHA256 or SHA384, depending on your selected cipher suites.

If you supply your own certificates, ensure they use one of the supported signature algorithms.
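The following Python is an added example, not OpenEdge code or an OpenEdge tool: using only the standard library, it reads the signatureAlgorithm OID from a server certificate (PEM or DER) and checks the hash it names against the rules above (SHA384 for TLS 1.3; SHA256 or SHA384 for TLS 1.2), so a certificate can be vetted before it is placed in $DLC/keys. The fixture certificates it builds are constructed shells carrying a genuine OID, not valid certificates, and all function names are this example's own.

```python
import base64, re

# signatureAlgorithm OIDs -> hash they use (RSA PKCS#1 v1.5 and ECDSA families)
SIG_ALG_HASH = {
    "1.2.840.113549.1.1.5": "SHA1", "1.2.840.113549.1.1.11": "SHA256",
    "1.2.840.113549.1.1.12": "SHA384", "1.2.840.113549.1.1.13": "SHA512",
    "1.2.840.10045.4.3.2": "SHA256", "1.2.840.10045.4.3.3": "SHA384",
}
# Hashes accepted for a server certificate per protocol, as documented above.
ALLOWED = {"TLS1.3": {"SHA384"}, "TLS1.2": {"SHA256", "SHA384"}}

def _tlv(der, pos):                               # one DER TLV -> (tag, value, next pos)
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                             # base-128, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def signature_hash(cert):
    """Hash named by the outer signatureAlgorithm of a PEM string or DER bytes."""
    if isinstance(cert, str):                     # strip PEM armour and whitespace
        cert = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", cert))
    _, body, _ = _tlv(cert, 0)                    # Certificate ::= SEQUENCE {tbs, alg, sig}
    _, _, pos = _tlv(body, 0)                     # skip tbsCertificate
    _, alg, _ = _tlv(body, pos)                   # AlgorithmIdentifier ::= SEQUENCE {OID, params}
    _, oid, _ = _tlv(alg, 0)
    return SIG_ALG_HASH.get(_decode_oid(oid), "UNKNOWN")

def certificate_ok_for(cert, protocol):           # protocol is "TLS1.2" or "TLS1.3"
    return signature_hash(cert) in ALLOWED[protocol]
# Constructed fixture (NOT a real certificate): a Certificate shell with a genuine OID
def _der(tag, body):
    return bytes([tag, len(body)]) + body         # short-form length suffices here
def constructed_cert(oid_der):
    tbs = _der(0x30, _der(0x02, b"\x01"))                     # dummy tbsCertificate
    alg = _der(0x30, _der(0x06, oid_der) + _der(0x05, b""))   # real OID, NULL params
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00\x00"))     # dummy BIT STRING signature
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")    # sha256WithRSAEncryption
SHA384_ECDSA_OID = bytes.fromhex("2a8648ce3d040303")    # ecdsa-with-SHA384
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")      # sha1WithRSAEncryption
```

On a real file, pass `open("server.pem").read()` to `certificate_ok_for(..., "TLS1.3")`; the outer signatureAlgorithm must match tbsCertificate.signature per RFC 5280, so reading the outer one is sufficient for this check.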

ABL Socket Client protocol behavior

ABL Socket Clients support TLS 1.3, but their ability to successfully complete a TLS 1.3 handshake depends on network performance and the time it takes to complete negotiation. If TLS 1.3 negotiation fails due to network latency or intermediate device behavior, you can manually configure TLS 1.2 using either the PSC_SSLCLIENT_PROTOCOLS environment variable or the -sslprotocols option in the CONNECT() method.

Configuration notes

  • Updating a protocol setting does not automatically update the cipher configuration. You must manually select ciphers that are valid for the updated protocol.
  • Cipher availability depends on the OpenSSL stack used by the component.
  • Certificate updates require restarting affected components.