HTTPClient / RESTClient to old internal TLS1.0 server

Resolved HTTPClient / RESTClient to old internal TLS1.0 server

How-to

Votes

Undo

Hugo Moors
PowerBuilder
Thursday, 13 October 2022 13:50 PM UTC

I'm having some problems connecting to an old Radius server that is stuck on TLS1.0

I'm getting error -19 in HTTPClient mode and -33 in RESTClient = "TLS 1.3 error. The server does not support TLS 1.3."

I've set both SecureProtocol and IgnoreServerCertificate to 0 (setting SecureProtocol to 3 TLS1.0, or any other setting = same result -33 or -19)

If I set IgnoreServerCertificate to anything else I get -14 (http) or -25 (rest) = The application experienced an internal error loading the SSL libraries.

The application was using an OleObject (Msxml2.XMLHTTP) which started failing (runtime error on obj.send() command), we are thinking the cause is a windows update that started blocking TLS1.0

I changed the code to HTTPClient and RESTClient but keep running into that -33 -19

We know this server will have to be retired and are working to do so but I'm able to get FireFox through so why is PowerBuilder not going through?

(in Firefox I've had to change security.tls.version.max to 3 and min to 1) In Chrome it is not even possible to set those settings.

Using the demo site https://demo.appeon.com/PB/webapi_client/employee/102 I get the expected result.

(PB2022 22.0.0.1878 32bit application)

Accepted Answer

Mark Lee @Appeon Accepted Answer Pending Moderation

Thursday, 5 October 2023 05:44 AM UTC
PowerBuilder
# Permalink

Hi Hugo, Thanks for your feedback. At present, we can reproduce this problem, when the Windows client does not support TLS1.0, and the Server client only supports TLS1.0, this -19 error occurs. Therefore, we recommend you check whether the Windows client is set to disable TLS1.0, or verify this problem using other Windows clients. You can refer to the following link to check whether the Enabled value of the following path in the registry is 1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS1.0\Client https://windowsreport.com/how-to-disable-tls-1-0 https://learn.microsoft.com/en-us/answers/questions/47472/how-to-disable-protocols.html You need to set the value to 1, then restart the computer and test the problem again. Regards,

Comment

There are no comments made yet.

Responses (5)

Hugo Moors Accepted Answer Pending Moderation

Monday, 17 October 2022 07:38 AM UTC
PowerBuilder
# 1

Thanks for the suggestions

This is what I get for the Security Protocol:

Just want to confirm it. Please open FireFox's Web Developer Tools (F12) and track your actual application request to see if its SecureProtocol is 1.0.

In FireFox I also get this in the headers tab

Also, check whether the Request headers content set in the PB code is the same as the actual Request headers content captured in FireFox.

I'm not sure where to look in PowerBuilder for this with the RestClient object?

I am setting the content type to application/xml same as in FF

lrest_client.setrequestheader("Content-Type","application/xml",TRUE)

When I do a getrequestheaders() I only get this Content-Type header.

It is the same as in Firefox

I keep getting the -33 for httpclient or -19 for restclient return value.

Comment

Hugo Moors
Friday, 21 October 2022 06:45 AM UTC

Thanks this worked

Helpful 0

There are no comments made yet.

Mark Lee @Appeon Accepted Answer Pending Moderation

Friday, 14 October 2022 07:05 AM UTC
PowerBuilder
# 2

Hi Hugo,

Just want to confirm it. Please open FireFox's Web Developer Tools (F12) and track your actual application request to see if its SecureProtocol is 1.0.

Also, check whether the Request headers content set in the PB code is the same as the actual Request headers content captured in FireFox.

Most of the time it's due to some setup, but it could also be a bug.

Regards,

Comment

Armeen Mazda @Appeon
Friday, 14 October 2022 14:23 PM UTC

Please try what Mark suggested, and if problem still persists then open support ticket as it might be a bug of PowerBuilder: https://www.appeon.com/standardsupport/newbug

Helpful 1

There are no comments made yet.

Hugo Moors Accepted Answer Pending Moderation

Thursday, 13 October 2022 18:11 PM UTC
PowerBuilder
# 3

One thing I'm thinking about is that this server requires a login that is provided in the url https://user:pwd@server perhaps that is not allowed but I don't know or found examples how to authenticate in another way to this server.

Comment

There are no comments made yet.

Armeen Mazda @Appeon Accepted Answer Pending Moderation

Thursday, 13 October 2022 16:24 PM UTC
PowerBuilder
# 4

Since you know the server is expecting TLS 1.0, what happens when you set SecureProtocol property to 3 (so it forces TLS 1.0): https://docs.appeon.com/pb2022/objects_and_controls/ch03s266s01.html

Comment

Hugo Moors
Thursday, 13 October 2022 18:06 PM UTC

Tried it, same result -19 or -33

" I've set both SecureProtocol and IgnoreServerCertificate to 0 (setting SecureProtocol to 3 TLS1.0, or any other setting = same result -33 or -19) "

I don't understand why it's an error that mentions TLS1.3 ...

Helpful 0

Hugo Moors
Thursday, 13 October 2022 18:09 PM UTC

I made a little script looping all possible values of SecureProtocol and IgnoreServerCertificate

Nothing worked any other value for IgnoreServerCertificate results in -14/25, any value for SecureProtocol gives -19/33

Helpful 0

There are no comments made yet.

Page :
1

There are no replies made for this question yet.
However, you are not allowed to reply to this question.

Please login to post a reply

You will need to be logged in to be able to post a reply. Login using the form on the right or register an account if you are new here. Register Here »

Forgot Password?

Resolved HTTPClient / RESTClient to old internal TLS1.0 server

Find Questions by Tag