How to do not use SSLv3 (force TLS variant) - httpRequest to AWS API Gateway

Question

Question

Ricardo Baehr · Sep 12, 2017

Hi guys

Im trying to use an API running in AWS API Gateway.
This API is over https and i am using the SSL/TLS config of Caché.

set httpRequest = ##class(%Net.HttpRequest).%New()
set httpRequest.Server = server
set httpRequest.Https=1
set httpRequest.SSLConfiguration = "SSLPadraoAdapcon"

do httpRequest.SetHeader("Content-Type","application/json")
do httpRequest.EntityBody.Write(json)
do httpRequest.Post("/dev/router")

But im getting this error:

|   SSLConfiguration = "SSLPadraoAdapcon"
|           SSLError = "SSL/TLS error in SSL_connect(), SSL_ERROR_SSL: protocolerror, error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshakefailure"
|            Timeout = 30

After some research i found in the AWS Forum this: SSLv3 is not supported by API Gateway (SSLv3 is no longer considered secure). Can you double-check that your client is configured to use one of the TLS variants instead...

How do i force httpRequest objetct to use TLS and not SSLv3, any idea?

Best reguards.

Ricardo Baehr
Adapcon Sistemas

P.S.: Caché 2010 in production and Caché 2015 in development.

Discussion (5)0

Log in or sign up to continue

Robert Cemper · Sep 12, 2017

You have to configure your SSLConfiguration = "SSLPadraoAdapcon" in Mgmt Portal.

http://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY=...

for 2010.1:

http://docs.intersystems.com/cache20101/csp/docbook/DocBook.UI.Page.cls?KEY=GCAS_ssltls

2 0

score 0 · Answer 1 · 2017-09-13T00:17:37-04:00

Yes.

And i have no problem using other APIs over HTTPS...
But APIs that is hosted in API Gateway from AWS i get this error :/

We need interact with a serverless API that use API Gateway + Lamda and it just do not work.

:/

score 1 · Answer 2 · 2017-09-13T02:38:25-04:00

Could you try to test it with latest version 2017.1 or FieldTest 2017.2?

I would also recommend trying to replace OpenSSL with the latest version in the bin folder. Not sure in this way, but may be it can help.

score 0 · Answer 3 · 2017-09-14T08:07:30-04:00

I tried your two suggestions but I did not succeed.

I'm thinking of using cURL through $ ZF.
It will be a lot of work to handle the returns but this seems to me the quickest solution.

Thanks Dmitry.

score 0 · Answer 4 · 2017-09-14T15:42:24-04:00

Hello

I would like to share the solution I adopted.

I was able to access my API (over AWS API Gateway) by placing an AWS Cloudfront instance in front of it.

The SSL used by the API Gateway needs TLS with SNI (which does not exist in Caché)...
But the SSL used by Cloudfront does not require SNI.

So I was able to keep using httpRequest.

Thanks.