Adobe Classic v6: Enforce TLS 1.2 with HttpClientRequest

mroshaw

31-05-2018

We are using HttpClientRequest to consume an external REST API in JavaScript. The external provider recently pulled support for SSL and our remote call now fails, we're told because we must now use the TLS 1.2 protocol when consuming their service.

IOB-090020 Error in SSL library: 'IOB-090013 error: 14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (code 336032784)

Can we force HttpClientRequest to use TLS 1.2 in code? Or does this require a ServerConf.xml file change?

We're on v6 build 8931, and that build uses the latest 1.x OpenSSL libraries (so we're told).

Thanks!

8931

Accepted Solutions (1)

Accepted Solutions (1)

Answers (7)

Answers (7)

mroshaw

20-06-2018

So, we upgraded to v6 8993 yesterday and were able to consume our TLS 1.2 Web Service endpoint. We couldn't find any way whatsoever to influence the web service call via code.

Adhiyan

Employee

08-06-2018

Hi Mrow,

I was checking for documentation but could not find one but can you double check and confirm the build you are on. It has worked for me with any server name in build 8896 so I am not sure which version you are on.

Also , you can try formatting the httpclientrequest into a curl request using the execCommand function like this :

execCommand("curl https://www.myapiaddress.com > /tmp/file")

res = loadFile("/tmp/file")

Regards,

Adhiyan

Martin_Wildeman

08-06-2018

I'm also very interested on how to achieve this. I currently get the same error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (code 336032784)

We're on build number 8721.

Documentation or example would be highly appreciated.

mroshaw

04-06-2018

Hi Adhiyan,

Any thoughts on this? I'm hoping that you have a documented object property of HttpClientRequest to implement your solution, as I cannot find any documentation that says how to pass the ServerName parameter into the call. Is the server name passed as a property of HttpClientRequest or via an HTTP header?

From how I understand it, the Adobe CM JS engine exposes "HttpClientRequest" for our use and you've built the implementation around functions exposed by OpenSSL. Therefore, the only way as an Adobe CM customer to implement your recommendation is through the HttpClientRequest object, as we have no access to your implementation to directly provide the OpenSSL parameters that you describe in your reply.

An example of passing this parameter through HttpClientRequest would be ideal, if you don't have formal documentation.

BTW, I was wrong with our build number: we're on 8795.

Thank you again!

Adhiyan

Employee

01-06-2018

Hi ,

The issue happens because Adobe Campaign does not support SNI (server name indication) . If we use Open SSL and indicate the servername like this : openssl s_client -connect <http_url>:443 -servername <url of server> it would work and get the SSL certificate details however a call like this fails :

openssl s_client -connect <http_url>:443 .

So you need to include and pass the server name as a parameter in your HttpClientRequest

By the way , SNI for Campaign was introduced on build 8891 and above , so can you double check the server version because it should work in 8931 without SNI.

Also, TLS1.2 is already supported as I verified in the SSL cipher suites for Campaign.

Regards,
Adhiyan