Expand my Community achievements bar.

SOLVED

Adobe Classic v6: Enforce TLS 1.2 with HttpClientRequest

Avatar

Level 1

We are using HttpClientRequest to consume an external REST API in JavaScript. The external provider recently pulled support for SSL and our remote call now fails, we're told because we must now use the TLS 1.2 protocol when consuming their service.

IOB-090020 Error in SSL library: 'IOB-090013 error: 14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (code 336032784)

Can we force HttpClientRequest to use TLS 1.2 in code? Or does this require a ServerConf.xml file change?

We're on v6 build 8931, and that build uses the latest 1.x OpenSSL libraries (so we're told).

Thanks!

8931

1 Accepted Solution

Avatar

Correct answer by
Level 10

Hi Martin,

You need to upgrade your build to 8896 or high¨re to use TLS 1.2.

Regards,

Amit

View solution in original post

8 Replies

Avatar

Employee

Hi ,

The issue happens because Adobe Campaign does not support SNI (server name indication) . If we use Open SSL and indicate the servername like this : openssl s_client -connect <http_url>:443 -servername <url of server> it would work and get the SSL certificate details however a call like this fails :

openssl s_client -connect <http_url>:443 .

So you need to include and pass the server name as a parameter in your HttpClientRequest

By the way , SNI for Campaign was introduced on build 8891 and above , so can you double check the server version because it should work in 8931 without SNI.

Also, TLS1.2 is already supported as I verified in the SSL cipher suites for Campaign.

Regards,
Adhiyan

Avatar

Level 1

Hi Adhiyan, and thanks for the reply.

Can you please let us know how to do this? Thanks!

Oli

Avatar

Level 1

Hi Adhiyan,

Any thoughts on this? I'm hoping that you have a documented object property of HttpClientRequest to implement your solution, as I cannot find any documentation that says how to pass the ServerName parameter into the call. Is the server name passed as a property of HttpClientRequest or via an HTTP header?

From how I understand it, the Adobe CM JS engine exposes "HttpClientRequest" for our use and you've built the implementation around functions exposed by OpenSSL. Therefore, the only way as an Adobe CM customer to implement your recommendation is through the HttpClientRequest object, as we have no access to your implementation to directly provide the OpenSSL parameters that you describe in your reply.

An example of passing this parameter through HttpClientRequest would be ideal, if you don't have formal documentation.

BTW, I was wrong with our build number: we're on 8795.

Thank you again!

Avatar

Level 1

I'm also very interested on how to achieve this. I currently get the same error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (code 336032784)

We're on build number 8721.

Documentation or example would be highly appreciated.

Avatar

Employee

Hi Mrow,

I was checking for documentation but could not find one but can you double check and confirm the build you are on. It has worked for me with any server name in build 8896 so I am not sure which version you are on.

Also , you can try formatting the httpclientrequest into a curl request using the execCommand function like this :

execCommand("curl https://www.myapiaddress.com > /tmp/file")

res = loadFile("/tmp/file")

Regards,

Adhiyan

Avatar

Correct answer by
Level 10

Hi Martin,

You need to upgrade your build to 8896 or high¨re to use TLS 1.2.

Regards,

Amit

Avatar

Level 1

So, we upgraded to v6 8993 yesterday and were able to consume our TLS 1.2 Web Service endpoint. We couldn't find any way whatsoever to influence the web service call via code.

Avatar

Level 3

Is there also a solution without upgrading?
I'm on build 8863 and I'm getting this error.

Not sure how to proceed from here.

Thanks!