A study evaluating the procedures and configurations of connections that use the SSL/TLS protocol made it possible to understand the anomalies found across the production client base. Below we present some steps of that study, together with the reasoning behind the new implementation, which will be available from versions 13.1.3.26 and 13.2.3.26.
During the investigation we used the latest version of TOTVS | Application Server available on the TOTVS download and update portal, corresponding to the P12 Windows x86 build, version 13.2.3.25. We also used the OpenSSL 1.1.0f tool to simulate the connection peer, whether server or client.
1. Why use TryProtocols?
We started by configuring the Application Server (AppServer) to establish secure SSL/TLS connections using TLS1.2, the most secure protocol version available. The SSLConfigure section used is shown below. Note that we do not enable the TryProtocols key.
[SSLConfigure]
Verbose = 1
SSL2 = 0
SSL3 = 0
TLS1 = 3
Bugs = 0
State = 1
TryProtocols = 0
To use the AppServer as the client side of the SSL/TLS connection, we wrote a simple ADVPL program that calls the HTTPSGet function:
#include 'protheus.ch'
#include 'parmtype.ch'

// Opens an HTTPS connection to the local OpenSSL test server (port 8443)
// and reports the outcome on the AppServer console.
user function GetSSL01()
    Local cURL     := "https://127.0.0.1:8443"
    Local aHeadOut := {}        // request headers sent to the server
    Local cHeadRet := ""        // response headers, filled by reference
    Local cGetRet  := ""        // response body; empty means the request failed

    AAdd( aHeadOut, 'User-Agent: Mozilla/4.0 (compatible; Protheus ' + GetBuild() + ')' )

    // 120-second timeout; the SSL handshake details appear in the console log
    cGetRet := HTTPSGet( cURL, "", "", "", "WSDL", 120, aHeadOut, @cHeadRet )

    if Empty( cGetRet )
        conout( "Fail HTTPSGet" )
    else
        conout( "OK HTTPSGet" )
        varinfo( "WebPage", cGetRet )
    endif
    varinfo( "Header", cHeadRet )
return
We started the OpenSSL tool to simulate a server that accepts only SSL/TLS connections in version TLS1.2, with the command below:
openssl s_server -4 -key localhost-key.pem -cert localhost-cert.pem -accept 8443 -state -msg -security_debug -nbio -tls1_2
Running the GetSSL01 program, the AppServer console log shows the connection succeeding:
Windows Operating System version 6.1.7601 Service Pack 1
[INFO ][SERVER] [Thread 6752] [SMARTHEAP] Version 8.0.0
*** TOTVS S.A. ***
*** www.totvs.com.br ***
* TOTVS - Build 7.00.131227A - Nov 23 2017 - 13:23:07 NG
* Build: 32 bits
* RPO Format: 32 bits
* SVN Revision: 10324 - 15733 - 1956
* Build Version: 13.2.3.25
'Ambiente de teste para comunicacao SSL/TLS' console mode.
Press Ctrl+Break to terminate.
*** STARTING SERVER WITH DEBUG OF USED MEMORY PER THREAD
*** STARTING SERVER WITH MAXIMUM STRING SIZE LIMIT SET TO 20 MB. ***
---------------- OS System Info -----------------------------------------------
OS Version .........: Windows 7 [Version 6.1.7601]
OS Platform ........: Windows NT Based (x64)
OS Version Info ....: Service Pack 1
-------------------------------------------------------------------------------
---------------- OS Memory Info -----------------------------------------------
Physical memory . 8025.59 MB. Used 7078.12 MB. Free 947.48 MB.
Paging file ..... 16049.37 MB. Used 12385.17 MB. Free 3664.20 MB.
-------------------------------------------------------------------------------
[INFO ][SERVER] [Thread 6752] APP Virtual Address Allocation Limit .... 4095.88MB.
[INFO ][SERVER] [Thread 6752] Memory Monitor Virtual Address LIMIT .... 4095.88MB.
Http server is ready.
Root path is c:\totvs\p12_windows_x86\protheus_data\web\
Listening port 8888
[INFO ][SSL] [tSSLSocketAPI][Initialize] starting handshake ..
[INFO ][SSL] [tSSLSocketAPI] Using TLS1.2 protocol.
[INFO ][SSL] SSL CIPHERS ALL
[INFO ][SSL] [tSSLSocketAPI][Initialize] Bugs (0)
[INFO ][SSL] [tSSLSocketAPI][Initialize] SSL2 (0), SSL3 (0), TLS1 (3)
[INFO ][SSL] [tSSLSocketAPI][Initialize] State (1)
[INFO ][SSL] [tSSLSocketAPI][Initialize] Setting Certificates
[INFO ][SSL] [tSSLSocketAPI][SetCertificateFiles] cert (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-cert.pem)
[INFO ][SSL] [tSSLSocketAPI][SetCertificateFiles] key (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-key.pem)
[INFO ][SSL] [tSSLSocketAPI][Initialize] End handshake.
Https server is ready.
Listening port 443 (default)
[INFO ][SERVER] Application PID ......... [10864]
[INFO ][SERVER] Application Main Thread .. [6752]
[INFO ][SERVER] [Thread 6752] Application Server started on port 8612
[08/12/2017 10:11:36] Server started.
[WARN ][SERVER] [Thread 1496] [GENERAL] INACTIVETIMEOUT = 99999 seconds is ON.
[INFO ][SERVER] [08/12/2017 10:19:41] Starting Program U_GETSSL01 Thread 1496 (rinaldo,TEC-CATROQUE)
[INFO ][SSL] [tSSLSocketAPI][Connect] Connecting SSL.
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] starting handshake ..
[INFO ][SSL] [tSSLSocketAPI] Using TLS1.2 protocol.
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] KeyFile (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-key.pem)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] CertificateFile (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-cert.pem)
[INFO ][SSL] SSL CIPHERS ALL
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] Bugs (0)
[INFO ][SSL] [tSSLSocketAPI][Initialize] SSL2 (0), SSL3 (0), TLS1 (3)
[INFO ][SSL] [tSSLSocketAPI][Initialize] State (1)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] End handshake (1)
[INFO ][SSL] SSL callback where:[16] ret:[1] state:[before/connect initialization]
[INFO ][SSL] SSL_connect:before/connect initialization
[INFO ][SSL] SSL_connect:SSLv3 write client hello A
[INFO ][SSL] SSL_connect:SSLv3 read server hello A
[INFO ][SSL] SSL_connect:SSLv3 read server certificate A
[INFO ][SSL] SSL_connect:SSLv3 read server key exchange A
[INFO ][SSL] SSL_connect:SSLv3 read server done A
[INFO ][SSL] SSL_connect:SSLv3 write client key exchange A
[INFO ][SSL] SSL_connect:SSLv3 write change cipher spec A
[INFO ][SSL] SSL_connect:SSLv3 write finished A
[INFO ][SSL] SSL_connect:SSLv3 flush data
[INFO ][SSL] SSL_connect:SSLv3 read server session ticket A
[INFO ][SSL] SSL_connect:SSLv3 read finished A
[INFO ][SSL] SSL callback where:[32] ret:[1] state:[SSL negotiation finished successfully]
[INFO ][SSL] [tSSLSocketAPI][Connect] Connecting SSL OK.
If we adopt a configuration that also enables the SSL2 and SSL3 protocols, on the intuition that this enables the whole set of protocols available in the application (we will see further on that this intuition is wrong), we get:
[SSLConfigure]
Verbose = 1
SSL2 = 1
SSL3 = 1
TLS1 = 3
Bugs = 0
State = 1
TryProtocols = 0
Running the ADVPL program again results in a connection error, as the evidence below shows:
Windows Operating System version 6.1.7601 Service Pack 1
[INFO ][SERVER] [Thread 6944] [SMARTHEAP] Version 8.0.0
*** TOTVS S.A. ***
*** www.totvs.com.br ***
* TOTVS - Build 7.00.131227A - Nov 23 2017 - 13:23:07 NG
* Build: 32 bits
* RPO Format: 32 bits
* SVN Revision: 10324 - 15733 - 1956
* Build Version: 13.2.3.25
'Ambiente de teste para comunicacao SSL/TLS' console mode.
Press Ctrl+Break to terminate.
*** STARTING SERVER WITH DEBUG OF USED MEMORY PER THREAD
*** STARTING SERVER WITH MAXIMUM STRING SIZE LIMIT SET TO 20 MB. ***
---------------- OS System Info -----------------------------------------------
OS Version .........: Windows 7 [Version 6.1.7601]
OS Platform ........: Windows NT Based (x64)
OS Version Info ....: Service Pack 1
-------------------------------------------------------------------------------
---------------- OS Memory Info -----------------------------------------------
Physical memory . 8025.59 MB. Used 7133.06 MB. Free 892.53 MB.
Paging file ..... 16049.37 MB. Used 12504.54 MB. Free 3544.83 MB.
-------------------------------------------------------------------------------
[INFO ][SERVER] [Thread 6944] APP Virtual Address Allocation Limit .... 4095.88MB.
[INFO ][SERVER] [Thread 6944] Memory Monitor Virtual Address LIMIT .... 4095.88MB.
Http server is ready.
Root path is c:\totvs\p12_windows_x86\protheus_data\web\
Listening port 8888
[INFO ][SSL] [tSSLSocketAPI][Initialize] starting handshake ..
[INFO ][SSL] [tSSLSocketAPI] Using SSL3+SSL2 protocol.
[INFO ][SSL] SSL CIPHERS ALL
[INFO ][SSL] [tSSLSocketAPI][Initialize] Bugs (0)
[INFO ][SSL] [tSSLSocketAPI][Initialize] SSL2 (1), SSL3 (1), TLS1 (3)
[INFO ][SSL] [tSSLSocketAPI][Initialize] State (1)
[INFO ][SSL] [tSSLSocketAPI][Initialize] Setting Certificates
[INFO ][SSL] [tSSLSocketAPI][SetCertificateFiles] cert (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-cert.pem)
[INFO ][SSL] [tSSLSocketAPI][SetCertificateFiles] key (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-key.pem)
[INFO ][SSL] [tSSLSocketAPI][Initialize] End handshake.
Https server is ready.
Listening port 443 (default)
[INFO ][SERVER] Application PID ......... [4256]
[INFO ][SERVER] Application Main Thread .. [6944]
[INFO ][SERVER] [Thread 6944] Application Server started on port 8612
[08/12/2017 10:21:14] Server started.
[WARN ][SERVER] [Thread 11860] [GENERAL] INACTIVETIMEOUT = 99999 seconds is ON.
[INFO ][SERVER] [08/12/2017 10:21:22] Starting Program U_GETSSL01 Thread 11860 (rinaldo,TEC-CATROQUE)
[INFO ][SSL] [tSSLSocketAPI][Connect] Connecting SSL.
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] starting handshake ..
[INFO ][SSL] [tSSLSocketClientAPI] Using SSL3+SSL2 protocol.
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] KeyFile (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-key.pem)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] CertificateFile (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-cert.pem)
[INFO ][SSL] SSL CIPHERS ALL
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] Bugs (0)
[INFO ][SSL] [tSSLSocketAPI][Initialize] SSL2 (1), SSL3 (1), TLS1 (3)
[INFO ][SSL] [tSSLSocketAPI][Initialize] State (1)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] End handshake (1)
[INFO ][SSL] SSL callback where:[16] ret:[1] state:[before/connect initialization]
[INFO ][SSL] SSL_connect:before/connect initialization
[INFO ][SSL] SSL_connect:SSLv2/v3 write client hello A
[INFO ][SSL] SSL3 alert read:fatal:handshake failure
[INFO ][SSL] SSL_connect:error in SSLv2/v3 read server hello A
[ERROR][SSL] SSL erro = -1
[ERROR][SSL] SSL code = 336032784
[ERROR][SSL] SSL description = error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
[ERROR][SSL] Failed Handshake SSL.
Note that the application used the first available set of protocols (SSL3+SSL2) in a single attempt. Technically, the OpenSSL library method used in this context performs a protocol version negotiation to establish the connection. At this point we must remember that the set of protocols available in the library, in increasing order of security, is SSL2, SSL3, TLS1.0, TLS1.1 and TLS1.2. Observe that the application configuration enabled only a partial set of protocols, and that there is a gap between the enabled security levels. The library does not expect such a gap when the version negotiation method is used: because of it, the negotiated client hello never offers TLS1.2, and the server, which accepts only TLS1.2, answers with a handshake failure alert. Enabling individual versions should only be done with the version-directed methods, as in the first scenario of this article.
The current practice for solving this SSL connection problem is to enable the TryProtocols key in the application configuration:
[SSLConfigure]
Verbose = 1
SSL2 = 1
SSL3 = 1
TLS1 = 3
Bugs = 0
State = 1
TryProtocols = 1
Running the ADVPL program again, the connection succeeds, as the evidence below shows; however, we can observe the 2 (two) connection attempts:
Windows Operating System version 6.1.7601 Service Pack 1
[INFO ][SERVER] [Thread 576] [SMARTHEAP] Version 8.0.0
*** TOTVS S.A. ***
*** www.totvs.com.br ***
* TOTVS - Build 7.00.131227A - Nov 23 2017 - 13:23:07 NG
* Build: 32 bits
* RPO Format: 32 bits
* SVN Revision: 10324 - 15733 - 1956
* Build Version: 13.2.3.25
'Ambiente de teste para comunicacao SSL/TLS' console mode.
Press Ctrl+Break to terminate.
*** STARTING SERVER WITH DEBUG OF USED MEMORY PER THREAD
*** STARTING SERVER WITH MAXIMUM STRING SIZE LIMIT SET TO 20 MB. ***
---------------- OS System Info -----------------------------------------------
OS Version .........: Windows 7 [Version 6.1.7601]
OS Platform ........: Windows NT Based (x64)
OS Version Info ....: Service Pack 1
-------------------------------------------------------------------------------
---------------- OS Memory Info -----------------------------------------------
Physical memory . 8025.59 MB. Used 7120.40 MB. Free 905.20 MB.
Paging file ..... 16049.37 MB. Used 12659.12 MB. Free 3390.25 MB.
-------------------------------------------------------------------------------
[INFO ][SERVER] [Thread 576] APP Virtual Address Allocation Limit .... 4095.88 MB.
[INFO ][SERVER] [Thread 576] Memory Monitor Virtual Address LIMIT .... 4095.88 MB.
Http server is ready.
Root path is c:\totvs\p12_windows_x86\protheus_data\web\
Listening port 8888
[INFO ][SSL] [tSSLSocketAPI][Initialize] starting handshake ..
[INFO ][SSL] [tSSLSocketAPI] Using SSL3+SSL2 protocol.
[INFO ][SSL] SSL CIPHERS ALL
[INFO ][SSL] [tSSLSocketAPI][Initialize] Bugs (0)
[INFO ][SSL] [tSSLSocketAPI][Initialize] SSL2 (1), SSL3 (1), TLS1 (3)
[INFO ][SSL] [tSSLSocketAPI][Initialize] State (1)
[INFO ][SSL] [tSSLSocketAPI][Initialize] Setting Certificates
[INFO ][SSL] [tSSLSocketAPI][SetCertificateFiles] cert (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-cert.pem)
[INFO ][SSL] [tSSLSocketAPI][SetCertificateFiles] key (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-key.pem)
[INFO ][SSL] [tSSLSocketAPI][Initialize] End handshake.
Https server is ready.
Listening port 443 (default)
[INFO ][SERVER] Application PID ......... [6288]
[INFO ][SERVER] Application Main Thread .. [576]
[INFO ][SERVER] [Thread 576] Application Server started on port 8612
[08/12/2017 10:39:50] Server started.
[WARN ][SERVER] [Thread 4656] [GENERAL] INACTIVETIMEOUT = 99999 seconds is ON.
[INFO ][SERVER] [08/12/2017 10:40:08] Starting Program U_GETSSL01 Thread 4656 (rinaldo,TEC-CATROQUE)
[INFO ][SSL] [tSSLSocketAPI][Connect] Connecting SSL.
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] starting handshake ..
[INFO ][SSL] [tSSLSocketClientAPI] Using SSL3+SSL2 protocol.
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] KeyFile (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-key.pem)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] CertificateFile (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-cert.pem)
[INFO ][SSL] SSL CIPHERS ALL
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] Bugs (0)
[INFO ][SSL] [tSSLSocketAPI][Initialize] SSL2 (1), SSL3 (1), TLS1 (3)
[INFO ][SSL] [tSSLSocketAPI][Initialize] State (1)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] End handshake (1)
[INFO ][SSL] SSL callback where:[16] ret:[1] state:[before/connect initialization]
[INFO ][SSL] SSL_connect:before/connect initialization
[INFO ][SSL] SSL_connect:SSLv2/v3 write client hello A
[INFO ][SSL] SSL3 alert read:fatal:handshake failure
[INFO ][SSL] SSL_connect:error in SSLv2/v3 read server hello A
[ERROR][SSL] SSL erro = -1
[ERROR][SSL] SSL code = 336032784
[ERROR][SSL] SSL description = error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
[ERROR][SSL] Failed Handshake SSL.
[INFO ][SSL] [tSSLSocketAPI][Connect] Connecting SSL.
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] starting handshake ..
[INFO ][SSL] [tSSLSocketAPI] Using TLS1.2 protocol.
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] KeyFile (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-key.pem)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] CertificateFile (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-cert.pem)
[INFO ][SSL] SSL CIPHERS ALL
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] Bugs (0)
[INFO ][SSL] [tSSLSocketAPI][Initialize] SSL2 (0), SSL3 (0), TLS1 (3)
[INFO ][SSL] [tSSLSocketAPI][Initialize] State (1)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] End handshake (1)
[INFO ][SSL] SSL callback where:[16] ret:[1] state:[before/connect initialization]
[INFO ][SSL] SSL_connect:before/connect initialization
[INFO ][SSL] SSL_connect:SSLv3 write client hello A
[INFO ][SSL] SSL_connect:SSLv3 read server hello A
[INFO ][SSL] SSL_connect:SSLv3 read server certificate A
[INFO ][SSL] SSL_connect:SSLv3 read server key exchange A
[INFO ][SSL] SSL_connect:SSLv3 read server done A
[INFO ][SSL] SSL_connect:SSLv3 write client key exchange A
[INFO ][SSL] SSL_connect:SSLv3 write change cipher spec A
[INFO ][SSL] SSL_connect:SSLv3 write finished A
[INFO ][SSL] SSL_connect:SSLv3 flush data
[INFO ][SSL] SSL_connect:SSLv3 read server session ticket A
[INFO ][SSL] SSL_connect:SSLv3 read finished A
[INFO ][SSL] SSL callback where:[32] ret:[1] state:[SSL negotiation finished successfully]
[INFO ][SSL] [tSSLSocketAPI][Connect] Connecting SSL OK.
This behaviour might lead us to adopt the directed methods of the OpenSSL library (those that pin the connection to one version), but then a retry loop has to be controlled. Let us therefore evaluate a TLS1.0 connection against a server that offers only TLS1.1.
We configured the AppServer as:
[SSLConfigure]
Verbose = 1
SSL2 = 0
SSL3 = 0
TLS1 = 1
Bugs = 0
State = 1
TryProtocols = 1
We started the OpenSSL tool with the following configuration:
openssl s_server -4 -key localhost-key.pem -cert localhost-cert.pem -accept 8443 -state -msg -security_debug -nbio -tls1_1
Running the ADVPL program, we will see that the connection succeeds, but only after a series of failed attempts. Note that the connection should not have succeeded at all, since the version it ended up using had not been enabled.
Windows Operating System version 6.1.7601 Service Pack 1
[INFO ][SERVER] [Thread 5072] [SMARTHEAP] Version 8.0.0
*** TOTVS S.A. ***
*** www.totvs.com.br ***
* TOTVS - Build 7.00.131227A - Nov 23 2017 - 13:23:07 NG
* Build: 32 bits
* RPO Format: 32 bits
* SVN Revision: 10324 - 15733 - 1956
* Build Version: 13.2.3.25
'Ambiente de teste para comunicacao SSL/TLS' console mode.
Press Ctrl+Break to terminate.
*** STARTING SERVER WITH DEBUG OF USED MEMORY PER THREAD
*** STARTING SERVER WITH MAXIMUM STRING SIZE LIMIT SET TO 20 MB. ***
---------------- OS System Info -----------------------------------------------
OS Version .........: Windows 7 [Version 6.1.7601]
OS Platform ........: Windows NT Based (x64)
OS Version Info ....: Service Pack 1
-------------------------------------------------------------------------------
---------------- OS Memory Info -----------------------------------------------
Physical memory . 8025.59 MB. Used 7146.13 MB. Free 879.47 MB.
Paging file ..... 16049.37 MB. Used 13021.99 MB. Free 3027.38 MB.
-------------------------------------------------------------------------------
[INFO ][SERVER] [Thread 5072] APP Virtual Address Allocation Limit .... 4095.88MB.
[INFO ][SERVER] [Thread 5072] Memory Monitor Virtual Address LIMIT .... 4095.88MB.
Http server is ready.
Root path is c:\totvs\p12_windows_x86\protheus_data\web\
Listening port 8888
[INFO ][SSL] [tSSLSocketAPI][Initialize] starting handshake ..
[INFO ][SSL] [tSSLSocketAPI] Using TLS1.0 protocol.
[INFO ][SSL] SSL CIPHERS ALL
[INFO ][SSL] [tSSLSocketAPI][Initialize] Bugs (0)
[INFO ][SSL] [tSSLSocketAPI][Initialize] SSL2 (0), SSL3 (0), TLS1 (1)
[INFO ][SSL] [tSSLSocketAPI][Initialize] State (1)
[INFO ][SSL] [tSSLSocketAPI][Initialize] Setting Certificates
[INFO ][SSL] [tSSLSocketAPI][SetCertificateFiles] cert (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-cert.pem)
[INFO ][SSL] [tSSLSocketAPI][SetCertificateFiles] key (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-key.pem)
[INFO ][SSL] [tSSLSocketAPI][Initialize] End handshake.
Https server is ready.
Listening port 443 (default)
[INFO ][SERVER] Application PID ......... [6648]
[INFO ][SERVER] Application Main Thread .. [5072]
[INFO ][SERVER] [Thread 5072] Application Server started on port 8612
[08/12/2017 11:04:13] Server started.
[WARN ][SERVER] [Thread 9072] [GENERAL] INACTIVETIMEOUT = 99999 seconds is ON.
[INFO ][SERVER] [08/12/2017 11:04:24] Starting Program U_GETSSL01 Thread 9072 (rinaldo,TEC-CATROQUE)
[INFO ][SSL] [tSSLSocketAPI][Connect] Connecting SSL.
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] starting handshake ..
[INFO ][SSL] [tSSLSocketAPI] Using TLS1.0 protocol.
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] KeyFile (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-key.pem)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] CertificateFile (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-cert.pem)
[INFO ][SSL] SSL CIPHERS ALL
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] Bugs (0)
[INFO ][SSL] [tSSLSocketAPI][Initialize] SSL2 (0), SSL3 (0), TLS1 (1)
[INFO ][SSL] [tSSLSocketAPI][Initialize] State (1)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] End handshake (1)
[INFO ][SSL] SSL callback where:[16] ret:[1] state:[before/connect initialization]
[INFO ][SSL] SSL_connect:before/connect initialization
[INFO ][SSL] SSL_connect:SSLv3 write client hello A
[INFO ][SSL] SSL3 alert read:fatal:protocol version
[INFO ][SSL] SSL_connect:failed in SSLv3 read server hello A
[INFO ][SSL] [tSSLSocketAPI][Connect] Connecting SSL OK.
[INFO ][SSL] SSL_connect:failed in SSLv3 read server hello A
[ERROR][SSL] SSL erro = -1
[ERROR][SSL] SSL code = 336191717
[ERROR][SSL] SSL description = error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
[ERROR][SSL] Unable to send data. Error syscall.
[INFO ][SSL] [tSSLSocketAPI][Connect] Connecting SSL.
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] starting handshake ..
[INFO ][SSL] [tSSLSocketAPI] Using TLS1.2 protocol.
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] KeyFile (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-key.pem)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] CertificateFile (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-cert.pem)
[INFO ][SSL] SSL CIPHERS ALL
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] Bugs (0)
[INFO ][SSL] [tSSLSocketAPI][Initialize] SSL2 (0), SSL3 (0), TLS1 (3)
[INFO ][SSL] [tSSLSocketAPI][Initialize] State (1)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] End handshake (1)
[INFO ][SSL] SSL callback where:[16] ret:[1] state:[before/connect initialization]
[INFO ][SSL] SSL_connect:before/connect initialization
[INFO ][SSL] SSL_connect:SSLv3 write client hello A
[INFO ][SSL] SSL3 alert write:fatal:protocol version
[INFO ][SSL] SSL_connect:error in SSLv3 read server hello A
[ERROR][SSL] SSL erro = -1
[ERROR][SSL] SSL code = 336130315
[ERROR][SSL] SSL description = error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[ERROR][SSL] Failed Handshake SSL.
[INFO ][SSL] [tSSLSocketAPI][Connect] Connecting SSL.
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] starting handshake ..
[INFO ][SSL] [tSSLSocketAPI] Using TLS1.1 protocol.
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] KeyFile (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-key.pem)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] CertificateFile (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-cert.pem)
[INFO ][SSL] SSL CIPHERS ALL
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] Bugs (0)
[INFO ][SSL] [tSSLSocketAPI][Initialize] SSL2 (0), SSL3 (0), TLS1 (2)
[INFO ][SSL] [tSSLSocketAPI][Initialize] State (1)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] End handshake (1)
[INFO ][SSL] SSL callback where:[16] ret:[1] state:[before/connect initialization]
[INFO ][SSL] SSL_connect:before/connect initialization
[INFO ][SSL] SSL_connect:SSLv3 write client hello A
[INFO ][SSL] SSL_connect:SSLv3 read server hello A
[INFO ][SSL] SSL_connect:SSLv3 read server certificate A
[INFO ][SSL] SSL_connect:SSLv3 read server key exchange A
[INFO ][SSL] SSL_connect:SSLv3 read server done A
[INFO ][SSL] SSL_connect:SSLv3 write client key exchange A
[INFO ][SSL] SSL_connect:SSLv3 write change cipher spec A
[INFO ][SSL] SSL_connect:SSLv3 write finished A
[INFO ][SSL] SSL_connect:SSLv3 flush data
[INFO ][SSL] SSL_connect:SSLv3 read server session ticket A
[INFO ][SSL] SSL_connect:SSLv3 read finished A
[INFO ][SSL] SSL callback where:[32] ret:[1] state:[SSL negotiation finished successfully]
[INFO ][SSL] [tSSLSocketAPI][Connect] Connecting SSL OK.
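To make the anomaly just described checkable rather than eyeballed, here is a small log audit added as an illustration (it is not TOTVS code): it splits the console output into handshake attempts, trusts only the "SSL negotiation finished successfully" callback as the success marker (the log above prints "Connecting SSL OK." even for the failed TLS1.0 attempt), and flags a connection that completed on a version the INI did not enable. The sample lines are trimmed from the log above; the line format is assumed from this page.

```python
import re

# Constructed sample, trimmed from the console log of the third test above
# (only TLS1.0 enabled, TryProtocols = 1, server accepting TLS1.1 only).
SAMPLE_LOG = """\
[INFO ][SSL] [tSSLSocketAPI][Connect] Connecting SSL.
[INFO ][SSL] [tSSLSocketAPI] Using TLS1.0 protocol.
[INFO ][SSL] SSL_connect:SSLv3 write client hello A
[INFO ][SSL] SSL3 alert read:fatal:protocol version
[INFO ][SSL] SSL_connect:failed in SSLv3 read server hello A
[INFO ][SSL] [tSSLSocketAPI][Connect] Connecting SSL OK.
[ERROR][SSL] SSL erro = -1
[ERROR][SSL] SSL description = error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
[ERROR][SSL] Unable to send data. Error syscall.
[INFO ][SSL] [tSSLSocketAPI][Connect] Connecting SSL.
[INFO ][SSL] [tSSLSocketAPI] Using TLS1.2 protocol.
[INFO ][SSL] SSL3 alert write:fatal:protocol version
[ERROR][SSL] SSL description = error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[ERROR][SSL] Failed Handshake SSL.
[INFO ][SSL] [tSSLSocketAPI][Connect] Connecting SSL.
[INFO ][SSL] [tSSLSocketAPI] Using TLS1.1 protocol.
[INFO ][SSL] SSL callback where:[32] ret:[1] state:[SSL negotiation finished successfully]
[INFO ][SSL] [tSSLSocketAPI][Connect] Connecting SSL OK.
"""

# Line patterns assumed from the AppServer console format shown on this page.
CONNECT_RE = re.compile(r"\[Connect\] Connecting SSL\.$")   # start of an attempt
VERSION_RE = re.compile(r"Using (\S+) protocol\.")
ALERT_RE = re.compile(r"SSL3 alert (read|write):fatal:(.+)$")
DESC_RE = re.compile(r"SSL description = (.+)$")
SUCCESS_MARK = "SSL negotiation finished successfully"


def parse_attempts(log_text):
    """Split the log into handshake attempts.

    An attempt starts at "Connecting SSL." and counts as successful only when
    the OpenSSL state callback reports a finished negotiation. "Connecting SSL
    OK." alone is not trusted: the sample prints it for the failed TLS1.0 try.
    """
    attempts = []
    current = None
    for line in log_text.splitlines():
        line = line.rstrip()
        if CONNECT_RE.search(line):
            current = {"version": None, "success": False, "alerts": [], "errors": []}
            attempts.append(current)
            continue
        if current is None:
            continue                       # startup banner, not part of an attempt
        m = VERSION_RE.search(line)
        if m:
            current["version"] = m.group(1)
        elif SUCCESS_MARK in line:
            current["success"] = True
        elif ALERT_RE.search(line):
            direction, reason = ALERT_RE.search(line).groups()
            current["alerts"].append("%s:%s" % (direction, reason))
        elif DESC_RE.search(line):
            current["errors"].append(DESC_RE.search(line).group(1))
    return attempts


def audit(log_text, enabled):
    """Return one finding per failed attempt, plus one if the connection
    completed on a version outside the enabled set (the anomaly in the text)."""
    findings = []
    for n, a in enumerate(parse_attempts(log_text), 1):
        if not a["success"]:
            detail = ", ".join(a["alerts"] + a["errors"]) or "no alert recorded"
            findings.append("attempt %d on %s failed: %s" % (n, a["version"], detail))
        elif a["version"] not in enabled:
            findings.append("attempt %d connected on %s, which is not in the enabled set %s"
                            % (n, a["version"], sorted(enabled)))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, {"TLS1.0"}):
        print(f)
```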
2. Enabling a Range of Versions
As stated earlier, the set of protocols available in the OpenSSL library, in increasing order of security, is SSL2, SSL3, TLS1.0, TLS1.1 and TLS1.2. Also, the library expects no gap in the enabled versions when the version negotiation method is used, and when a method that directs the connection to a specific version is used, the protocol enabling options should not be used at all.
Note that an important limitation we have not raised so far is the impossibility of enabling several TLS versions at the same time with the old key. The TLS protocols are simply the continued development of the SSL protocols, so that TLS1.0 would hypothetically correspond to an SSL4. Versions SSL2, SSL3 and TLS1.0 are currently considered insecure, as there are documented methods of breaking the handshake that allow the connection to be compromised. Not all services in the installed base that the application accesses have been updated to TLS1.2, so a configuration that covers these possibilities is needed.
Therefore, it is extremely important to allow the use of the TLS1.1 and TLS1.2 protocols, and also to keep continuity between the lowest and the highest enabled security level, that is, between the protocol versions in use.
The SSL connection fix proposed and included from TOTVS AppServer version 13.2.3.26 introduces new keys for enabling TLS protocols, accepting only the values 1 (enabled) and 0 (disabled):
[SSLConfigure]
TLS1_0 = 0
TLS1_1 = 1
TLS1_2 = 1
The old "TLS1" key is kept as deprecated. This means the application will still load the information in TLS1, maintaining compatibility with earlier versions. Whenever the TLS1 key and any of the new keys are both present, the content of the old TLS1 key is disregarded entirely. That is, even if TLS1 is configured for TLS1.2, if the TLS1_0 key is found in the INI file the TLS1.2 protocol will be disabled for the connection.
The TryProtocols key will no longer be needed. Retrying the connection with a different protocol version becomes the responsibility of the version negotiation method. Even if the TryProtocols key is found in the INI file, it will be ignored.
Let us now test the new SSL connection implementation in the same context as before: we will start with a single TLS1.2 connection and later add a combined set of versions. Note that the new implementation was built on version 13.2.3.25, the one available on the portal and used in the previous tests. At the end we will analyse some configuration premises.
Using the secure protocols TLS1.1 and TLS1.2:
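As an illustration of the rules just stated (not AppServer code), the following Python reads an [SSLConfigure] section, applies the precedence between the deprecated TLS1 key and the new TLS1_0/TLS1_1/TLS1_2 keys, rejects a version set with a gap such as SSL2+SSL3+TLS1.2, and maps a contiguous range onto a single version-flexible ssl.SSLContext, which is what makes a TryProtocols retry loop unnecessary. The TLS1 value mapping (1, 2, 3 = TLS1.0, TLS1.1, TLS1.2) is taken from the console logs above; rejecting SSL2/SSL3 is a limitation of Python's ssl module, which no longer supports those versions.

```python
import configparser
import ssl

# Protocol versions in increasing order of security, as listed in the article.
ORDER = ["SSL2", "SSL3", "TLS1.0", "TLS1.1", "TLS1.2"]
# Per-version keys of the new implementation (SSL2/SSL3 keep their old names).
PER_VERSION_KEYS = {"SSL2": "SSL2", "SSL3": "SSL3",
                    "TLS1_0": "TLS1.0", "TLS1_1": "TLS1.1", "TLS1_2": "TLS1.2"}
# Deprecated TLS1 key: one directed version, as the console logs show
# (TLS1 (1) -> TLS1.0, TLS1 (2) -> TLS1.1, TLS1 (3) -> TLS1.2).
LEGACY_TLS1 = {"1": "TLS1.0", "2": "TLS1.1", "3": "TLS1.2"}
PY_VERSION = {"TLS1.0": ssl.TLSVersion.TLSv1,
              "TLS1.1": ssl.TLSVersion.TLSv1_1,
              "TLS1.2": ssl.TLSVersion.TLSv1_2}

# Constructed sample: the "secure TLS1.1 + TLS1.2" section from the article.
SAMPLE_INI = """
[SSLConfigure]
Verbose = 1
SSL2 = 0
SSL3 = 0
TLS1_0 = 0
TLS1_1 = 1
TLS1_2 = 1
Bugs = 0
State = 1
TryProtocols = 0
"""


def load_section(text):
    """Parse INI text and return [SSLConfigure] as a dict, key case preserved."""
    parser = configparser.ConfigParser()
    parser.optionxform = str          # keep TLS1_0 etc. exactly as written
    parser.read_string(text)
    return dict(parser["SSLConfigure"])


def enabled_versions(section):
    """List the enabled versions in ORDER. Precedence rule from the article:
    if any TLS1_x key is present, the deprecated TLS1 key is ignored entirely."""
    if any(k in section for k in ("TLS1_0", "TLS1_1", "TLS1_2")):
        enabled = {name for key, name in PER_VERSION_KEYS.items()
                   if section.get(key, "0").strip() == "1"}
    else:
        enabled = {k for k in ("SSL2", "SSL3") if section.get(k, "0").strip() == "1"}
        legacy = LEGACY_TLS1.get(section.get("TLS1", "0").strip())
        if legacy:
            enabled.add(legacy)
    return [v for v in ORDER if v in enabled]


def version_range(section):
    """Return (lowest, highest) enabled version. Raise ValueError when nothing is
    enabled or the set has a gap, e.g. SSL2+SSL3+TLS1.2 without TLS1.0/TLS1.1,
    the configuration that fails in the article's second test."""
    enabled = enabled_versions(section)
    if not enabled:
        raise ValueError("no protocol version enabled")
    lo, hi = ORDER.index(enabled[0]), ORDER.index(enabled[-1])
    if hi - lo + 1 != len(enabled):
        missing = [v for v in ORDER[lo:hi + 1] if v not in enabled]
        raise ValueError("non-contiguous version set, missing " + ", ".join(missing))
    return enabled[0], enabled[-1]


def build_client_context(section):
    """Build one ssl.SSLContext whose min/max versions mirror the INI section, so a
    single negotiated handshake replaces the TryProtocols retry loop."""
    low, high = version_range(section)
    if low in ("SSL2", "SSL3"):
        raise ValueError(low + " is not supported by the ssl module; disable it")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = PY_VERSION[low]
    ctx.maximum_version = PY_VERSION[high]
    return ctx


if __name__ == "__main__":
    section = load_section(SAMPLE_INI)
    print("enabled:", enabled_versions(section), "range:", version_range(section))
```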
[SSLConfigure]
Verbose = 1
SSL2 = 0
SSL3 = 0
TLS1_0 = 0
TLS1_1 = 1
TLS1_2 = 1
Bugs = 0
State = 1
TryProtocols = 0
We started the OpenSSL server simulator allowing connections with the TLS1.2 protocol:
openssl s_server -4 -key localhost-key.pem -cert localhost-cert.pem -accept 8443 -state -msg -security_debug -nbio -tls1_2
We ran the previous ADVPL program. The result is a successful connection:
Windows Operating System version 6.1.7601 Service Pack 1
[INFO ][SERVER] [Thread 6920] *** NOT USING SMARTHEAP
*** TOTVS S.A. ***
*** www.totvs.com.br ***
* TOTVS - Build 7.00.131227A - Dec 7 2017 - 13:54:58 NG
* Build: 32 bits
* DEBUG VERSION
* RPO Format: 32 bits
* SVN Revision: 10394 - 15899 - 1956
* Build Version: 0.0.0
'Ambiente de teste para comunicacao SSL/TLS' console mode.
Press Ctrl+Break to terminate.
*** DEBUG VERSION WITH CRASH DUMP HANDLER
*** DEBUG VERSION WITH SYMBOLS INFORMATION
*** STARTING SERVER WITH DEBUG OF USED MEMORY PER THREAD
*** STARTING SERVER WITH MAXIMUM STRING SIZE LIMIT SET TO 20 MB. ***
---------------- OS System Info -----------------------------------------------
OS Version .........: Windows 7 [Version 6.1.7601]
OS Platform ........: Windows NT Based (x64)
OS Version Info ....: Service Pack 1
-------------------------------------------------------------------------------
---------------- OS Memory Info -----------------------------------------------
Physical memory . 8025.59 MB. Used 6975.31 MB. Free 1050.29 MB.
Paging file ..... 16049.37 MB. Used 13635.53 MB. Free 2413.84 MB.
-------------------------------------------------------------------------------
[INFO ][SERVER] [Thread 6920] APP Virtual Address Allocation Limit .... 4095.88MB.
[INFO ][SERVER] [Thread 6920] Memory Monitor Virtual Address LIMIT .... 4095.88MB.
[INFO ][SERVER] [Thread 9928] Crash Monitor BEGIN
Http server is ready.
Root path is c:\totvs\p12_windows_x86\protheus_data\web\
Listening port 8888
[INFO ][SSL] [tSSLSocketAPI][Initialize] starting handshake ..
[INFO ][SSL] [tSSLSocketAPI] Using SSL/TLS protocol.
[INFO ][SSL] SSL CIPHERS ALL
[INFO ][SSL] [tSSLSocketAPI][Initialize] Bugs (0)
[INFO ][SSL] [tSSLSocketAPI][Initialize] SSL2 (0), SSL3 (0), TLS1.0 (0), TLS1.1 (1), TLS1.2 (1)
[INFO ][SSL] [tSSLSocketAPI][Initialize] State (1)
[INFO ][SSL] [tSSLSocketAPI][Initialize] Setting Certificates
[INFO ][SSL] [tSSLSocketAPI][SetCertificateFiles] cert (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-cert.pem)
[INFO ][SSL] [tSSLSocketAPI][SetCertificateFiles] key (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-key.pem)
[INFO ][SSL] [tSSLSocketAPI][Initialize] End handshake.
Https server is ready.
Listening port 443 (default)
[INFO ][SERVER] Application PID ......... [10296]
[INFO ][SERVER] Application Main Thread .. [6920]
[INFO ][SERVER] [Thread 6920] Application Server started on port 8612
[08/12/2017 11:53:39] Server started.
[WARN ][SERVER] [Thread 4492] [GENERAL] INACTIVETIMEOUT = 99999 seconds is ON.
[INFO ][SERVER] [08/12/2017 11:55:00] Starting Program U_GETSSL01 Thread 4492 (rinaldo,TEC-CATROQUE)
[INFO ][SSL] [tSSLSocketAPI][Connect] Connecting SSL.
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] starting handshake ..
[INFO ][SSL] [tSSLSocketClientAPI] Using TLS/SSL protocol.
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] KeyFile (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-key.pem)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] CertificateFile (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-cert.pem)
[INFO ][SSL] SSL CIPHERS ALL
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] Bugs (0)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] SSL2 (0), SSL3 (0), TLS1.0 (0), TLS1.1 (1), TLS1.2 (1)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] State (1)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] End handshake (1)
[INFO ][SSL] SSL callback where:[16] ret:[1] state:[before/connect initialization]
[INFO ][SSL] SSL_connect:before/connect initialization
[INFO ][SSL] SSL_connect:SSLv2/v3 write client hello A
[INFO ][SSL] SSL_connect:SSLv3 read server hello A
[INFO ][SSL] SSL_connect:SSLv3 read server certificate A
[INFO ][SSL] SSL_connect:SSLv3 read server key exchange A
[INFO ][SSL] SSL_connect:SSLv3 read server done A
[INFO ][SSL] SSL_connect:SSLv3 write client key exchange A
[INFO ][SSL] SSL_connect:SSLv3 write change cipher spec A
[INFO ][SSL] SSL_connect:SSLv3 write finished A
[INFO ][SSL] SSL_connect:SSLv3 flush data
[INFO ][SSL] SSL_connect:SSLv3 read server session ticket A
[INFO ][SSL] SSL_connect:SSLv3 read finished A
[INFO ][SSL] SSL callback where:[32] ret:[1] state:[SSL negotiation finished successfully]
[INFO ][SSL] [tSSLSocketAPI][Connect] Connecting SSL OK.
We will now enable the whole set of protocols:
[SSLConfigure]
Verbose = 1
SSL2 = 1
SSL3 = 1
TLS1_0 = 1
TLS1_1 = 1
TLS1_2 = 1
Bugs = 0
State = 1
TryProtocols = 0
We start the OpenSSL server simulator accepting connections on the TLS1.0 protocol only:
openssl s_server -4 -key localhost-key.pem -cert localhost-cert.pem -accept 8443 -state -msg -security_debug -nbio -tls1
We run the previous ADVPL program. The result is a successful connection:
*** TOTVS S.A. ***
*** www.totvs.com.br ***
* TOTVS - Build 7.00.131227A - Dec 7 2017 - 13:54:58 NG
* Build: 32 bits
* DEBUG VERSION
* RPO Format: 32 bits
* SVN Revision: 10394 - 15899 - 1956
* Build Version: 0.0.0
'Ambiente de teste para comunicacao SSL/TLS' console mode.
Press Ctrl+Break to terminate.
*** DEBUG VERSION WITH CRASH DUMP HANDLER
*** DEBUG VERSION WITH SYMBOLS INFORMATION
*** STARTING SERVER WITH DEBUG OF USED MEMORY PER THREAD
*** STARTING SERVER WITH MAXIMUM STRING SIZE LIMIT SET TO 20 MB. ***
---------------- OS System Info -----------------------------------------------
OS Version .........: Windows 7 [Version 6.1.7601]
OS Platform ........: Windows NT Based (x64)
OS Version Info ....: Service Pack 1
-------------------------------------------------------------------------------
---------------- OS Memory Info -----------------------------------------------
Physical memory . 8025.59 MB. Used 6966.13 MB. Free 1059.46 MB.
Paging file ..... 16049.37 MB. Used 13714.11 MB. Free 2335.26 MB.
-------------------------------------------------------------------------------
[INFO ][SERVER] [Thread 8960] APP Virtual Address Allocation Limit .... 4095.88MB.
[INFO ][SERVER] [Thread 7808] Crash Monitor BEGIN
[INFO ][SERVER] [Thread 8960] Memory Monitor Virtual Address LIMIT .... 4095.88MB.
Http server is ready.
Root path is c:\totvs\p12_windows_x86\protheus_data\web\
Listening port 8888
[INFO ][SSL] [tSSLSocketAPI][Initialize] starting handshake ..
[INFO ][SSL] [tSSLSocketAPI] Using SSL/TLS protocol.
[INFO ][SSL] SSL CIPHERS ALL
[INFO ][SSL] [tSSLSocketAPI][Initialize] Bugs (0)
[INFO ][SSL] [tSSLSocketAPI][Initialize] SSL2 (1), SSL3 (1), TLS1.0 (1), TLS1.1 (1), TLS1.2 (1)
[INFO ][SSL] [tSSLSocketAPI][Initialize] State (1)
[INFO ][SSL] [tSSLSocketAPI][Initialize] Setting Certificates
[INFO ][SSL] [tSSLSocketAPI][SetCertificateFiles] cert (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-cert.pem)
[INFO ][SSL] [tSSLSocketAPI][SetCertificateFiles] key (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-key.pem)
[INFO ][SSL] [tSSLSocketAPI][Initialize] End handshake.
Https server is ready.
Listening port 443 (default)
[INFO ][SERVER] Application PID ......... [11516]
[INFO ][SERVER] Application Main Thread .. [8960]
[INFO ][SERVER] [Thread 8960] Application Server started on port 8612
[08/12/2017 11:58:06] Server started.
[WARN ][SERVER] [Thread 11980] [GENERAL] INACTIVETIMEOUT = 99999 seconds is ON.
[INFO ][SERVER] [08/12/2017 11:58:18] Starting Program U_GETSSL01 Thread 11980 (rinaldo,TEC-CATROQUE)
[INFO ][SSL] [tSSLSocketAPI][Connect] Connecting SSL.
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] starting handshake ..
[INFO ][SSL] [tSSLSocketClientAPI] Using TLS/SSL protocol.
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] KeyFile (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-key.pem)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] CertificateFile (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-cert.pem)
[INFO ][SSL] SSL CIPHERS ALL
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] Bugs (0)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] SSL2 (1), SSL3 (1), TLS1.0 (1), TLS1.1 (1), TLS1.2 (1)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] State (1)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] End handshake (1)
[INFO ][SSL] SSL callback where:[16] ret:[1] state:[before/connect initialization]
[INFO ][SSL] SSL_connect:before/connect initialization
[INFO ][SSL] SSL_connect:SSLv2/v3 write client hello A
[INFO ][SSL] SSL_connect:SSLv3 read server hello A
[INFO ][SSL] SSL_connect:SSLv3 read server certificate A
[INFO ][SSL] SSL_connect:SSLv3 read server key exchange A
[INFO ][SSL] SSL_connect:SSLv3 read server done A
[INFO ][SSL] SSL_connect:SSLv3 write client key exchange A
[INFO ][SSL] SSL_connect:SSLv3 write change cipher spec A
[INFO ][SSL] SSL_connect:SSLv3 write finished A
[INFO ][SSL] SSL_connect:SSLv3 flush data
[INFO ][SSL] SSL_connect:SSLv3 read finished A
[INFO ][SSL] SSL callback where:[32] ret:[1] state:[SSL negotiation finished successfully]
[INFO ][SSL] [tSSLSocketAPI][Connect] Connecting SSL OK.
We can identify which protocol was used for the connection from the log of the OpenSSL tool. It can be seen that the negotiation involved TLS1.0:
SSL_accept:SSLv3/TLS read client key exchange
<<< ??? [length 0005]
16 03 01 00 30
SSL_accept:SSLv3/TLS read change cipher spec
<<< TLS 1.0Handshake [length 0010], Finished
14 00 00 0c 85 30 a2 97 0a 7f 8d fb 35 6e 9b 48
SSL_accept:SSLv3/TLS read finished
>>> ??? [length 0005]
14 03 01 00 01
>>> TLS 1.0ChangeCipherSpec [length 0001]
01
SSL_accept:SSLv3/TLS write change cipher spec
>>> ??? [length 0005]
16 03 01 00 30
>>> TLS 1.0Handshake [length 0010], Finished
14 00 00 0c 72 91 fa a4 c2 01 97 0c 88 7d 0f 86
SSL_accept:SSLv3/TLS write finished
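The version can be read directly from the 5-byte record headers that `openssl s_server -msg` prints as `??? [length 0005]` followed by a hex line: the second and third bytes (`03 01`) are the record-layer protocol version. The following decoder is an added example, not part of the original study or of the TOTVS code base; it parses those dump lines and reports which version was actually negotiated on the wire. The sample dump is taken from the OpenSSL log above.

```python
"""Decode TLS record headers from OpenSSL `s_server -msg` hex dumps.

Added example (not part of the original study or the TOTVS code base).
It reads the `<<< ??? [length 0005]` / `>>> ??? [length 0005]` markers
that OpenSSL prints for every 5-byte record header, decodes the content
type and the protocol version field, and reports the versions seen.
"""
import re

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {
    0x14: "ChangeCipherSpec",
    0x15: "Alert",
    0x16: "Handshake",
    0x17: "ApplicationData",
}

# Record-layer version bytes (major, minor) -> protocol name
RECORD_VERSIONS = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}

HEADER_MARK = re.compile(r"^(<<<|>>>) \?\?\? \[length 0005\]$")
HEX_LINE = re.compile(r"^([0-9a-f]{2})( [0-9a-f]{2}){4}$")


def decode_record_header(raw):
    """Decode one 5-byte TLS record header given as bytes."""
    if len(raw) != 5:
        raise ValueError("TLS record header must be 5 bytes")
    ctype = raw[0]
    major, minor = raw[1], raw[2]
    length = int.from_bytes(raw[3:5], "big")
    return {
        "content_type": CONTENT_TYPES.get(ctype, "unknown(0x%02x)" % ctype),
        "version": RECORD_VERSIONS.get((major, minor),
                                       "unknown(%d.%d)" % (major, minor)),
        "length": length,
    }


def parse_msg_dump(text):
    """Walk an OpenSSL -msg dump; return decoded headers with direction.

    `<<<` lines are records received by the server (sent by the client),
    `>>>` lines are records the server wrote.
    """
    records = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = HEADER_MARK.match(line.strip())
        if not m or i + 1 >= len(lines):
            continue
        hexline = lines[i + 1].strip()
        if not HEX_LINE.match(hexline):
            continue
        raw = bytes.fromhex(hexline.replace(" ", ""))
        rec = decode_record_header(raw)
        rec["direction"] = "from client" if m.group(1) == "<<<" else "to client"
        records.append(rec)
    return records


def negotiated_versions(text):
    """Set of distinct record-layer versions seen in the dump."""
    return {r["version"] for r in parse_msg_dump(text)}


# Sample input: the TLS1.0 exchange from the OpenSSL server log on this page
SAMPLE_DUMP = """\
SSL_accept:SSLv3/TLS read client key exchange
<<< ??? [length 0005]
16 03 01 00 30
SSL_accept:SSLv3/TLS read change cipher spec
<<< TLS 1.0Handshake [length 0010], Finished
14 00 00 0c 85 30 a2 97 0a 7f 8d fb 35 6e 9b 48
SSL_accept:SSLv3/TLS read finished
>>> ??? [length 0005]
14 03 01 00 01
>>> TLS 1.0ChangeCipherSpec [length 0001]
01
SSL_accept:SSLv3/TLS write change cipher spec
>>> ??? [length 0005]
16 03 01 00 30
"""

if __name__ == "__main__":
    for rec in parse_msg_dump(SAMPLE_DUMP):
        print(rec)
    print("versions on the wire:", negotiated_versions(SAMPLE_DUMP))
```

One caveat when reading these headers: the record-layer version is only meaningful after the ServerHello. A ClientHello record frequently carries `03 01` regardless of the highest version the client supports, and TLS 1.3 keeps `03 03` in the record layer and announces 1.3 in the supported_versions extension instead, so for the first record of a handshake the version byte alone does not tell you what the client offered.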
A series of tests was carried out with the AppServer in the roles of both server and client in SSL connections, although this study only demonstrates the client context of the new implementation. All of them proved satisfactory with respect to connection establishment, according to the criteria established in the LibSSL library and stated earlier, among them:
P1. Protocol enablement must always specify a lowest and a highest security level, and there must be no gaps in the list of protocols. That is, configurations of the following form are not admitted:
[SSLConfigure]
SSL2 = 1
SSL3 = 0
TLS1_0 = 0
TLS1_1 = 1
TLS1_2 = 1
Does this mean that this configuration will not work? No, it means that the way the communication library is built cannot guarantee that a connection is possible when there is a gap in the protocol range. The tests performed covered every possible contiguous chain against servers using the TLS1.1 and TLS1.2 protocols. Tests with gaps were also performed, some resulting in success and others in connection failures, even though the server's target protocol was enabled.
The recommended configuration to increase the level of trust in the communication is:
[SSLConfigure]
SSL2 = 0
SSL3 = 0
TLS1_0 = 0
TLS1_1 = 1
TLS1_2 = 1
P2. The TLS1 key is kept in compatibility mode. If the new keys are found, the settings contained in TLS1 are suppressed:
[SSLConfigure]
SSL2 = 1
SSL3 = 1
TLS1 = 3
TLS1_0 = 1
TLS1_1 = 0
TLS1_2 = 0
When the application starts, we find the configuration without the TLS1.2 version that the TLS1 key indicated:
[INFO ][SSL] [tSSLSocketAPI][Initialize] starting handshake ..
[INFO ][SSL] [tSSLSocketAPI] Using SSL/TLS protocol.
[INFO ][SSL] SSL CIPHERS ALL
[INFO ][SSL] [tSSLSocketAPI][Initialize] Bugs (0)
[INFO ][SSL] [tSSLSocketAPI][Initialize] SSL2 (1), SSL3 (1), TLS1.0 (1), TLS1.1 (0), TLS1.2 (0)
[INFO ][SSL] [tSSLSocketAPI][Initialize] State (1)
[INFO ][SSL] [tSSLSocketAPI][Initialize] Setting Certificates
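Rules P1 and P2 are easy to get wrong by hand, so the following validator is offered as an added example (it is not the AppServer's own configuration parser). It reads the [SSLConfigure] section, applies the compatibility rule for the legacy TLS1 key (ignored whenever any TLS1_0/TLS1_1/TLS1_2 key is present), checks that the enabled protocols form one gap-free range, and lists the deprecated versions that are still switched on. The same check is also run over the `[Initialize] SSL2 (1), SSL3 (0), ...` line the AppServer writes to its console, which is useful when only logs are available. The mapping of legacy TLS1 numeric values to versions is not modelled; only the new per-version keys are evaluated.

```python
"""Validate an [SSLConfigure] protocol range against rules P1 and P2.

Added example, not the AppServer's own configuration parser. The numeric
values of the legacy TLS1 key are not interpreted here (an assumption of
this example); the key is only recognised so that rule P2 can drop it.
"""
import configparser
import re

# Protocol keys in ascending order of version (and of security)
PROTOCOL_ORDER = ["SSL2", "SSL3", "TLS1_0", "TLS1_1", "TLS1_2"]
# Deprecated versions: enabling any of them lowers the trust level
WEAK = {"SSL2", "SSL3", "TLS1_0"}
NEW_TLS_KEYS = {"TLS1_0", "TLS1_1", "TLS1_2"}


def parse_sslconfigure(text):
    """Return {key: int} for the [SSLConfigure] section of an INI string."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep key case (TLS1_0, not tls1_0)
    cp.read_string(text)
    return {k: int(v) for k, v in cp["SSLConfigure"].items()}


def parse_initialize_line(line):
    """Parse the AppServer log line 'SSL2 (1), SSL3 (0), TLS1.0 (0), ...'."""
    cfg = {}
    for name, val in re.findall(r"(SSL2|SSL3|TLS1\.[0-2]) \((\d)\)", line):
        cfg[name.replace("TLS1.", "TLS1_")] = int(val)
    return cfg


def enabled_protocols(cfg):
    """Rule P2: drop legacy TLS1 when new keys exist; list enabled keys."""
    cfg = dict(cfg)
    if "TLS1" in cfg and NEW_TLS_KEYS & cfg.keys():
        cfg.pop("TLS1")  # legacy key suppressed by the new keys
    return [p for p in PROTOCOL_ORDER if cfg.get(p, 0) == 1]


def check_range(cfg):
    """Rule P1: the enabled protocols must form one contiguous range."""
    enabled = enabled_protocols(cfg)
    legacy_ignored = "TLS1" in cfg and bool(NEW_TLS_KEYS & cfg.keys())
    if not enabled:
        return {"ok": False, "reason": "no protocol enabled",
                "enabled": enabled, "weak": [],
                "legacy_tls1_ignored": legacy_ignored}
    lo = PROTOCOL_ORDER.index(enabled[0])
    hi = PROTOCOL_ORDER.index(enabled[-1])
    gaps = [p for p in PROTOCOL_ORDER[lo:hi + 1] if p not in enabled]
    return {
        "ok": not gaps,
        "reason": ("gap at %s" % ",".join(gaps)) if gaps else "contiguous",
        "enabled": enabled,
        "weak": [p for p in enabled if p in WEAK],
        "legacy_tls1_ignored": legacy_ignored,
    }


# Sample configurations taken from this study
NOT_ADMITTED = """[SSLConfigure]
SSL2 = 1
SSL3 = 0
TLS1_0 = 0
TLS1_1 = 1
TLS1_2 = 1
"""
RECOMMENDED = """[SSLConfigure]
SSL2 = 0
SSL3 = 0
TLS1_0 = 0
TLS1_1 = 1
TLS1_2 = 1
"""
LEGACY_MIX = """[SSLConfigure]
SSL2 = 1
SSL3 = 1
TLS1 = 3
TLS1_0 = 1
TLS1_1 = 0
TLS1_2 = 0
"""
# Console line as written by the AppServer (copied from this page's logs)
LOG_LINE = ("[INFO ][SSL] [tSSLSocketClientAPI][Initialize] "
            "SSL2 (1), SSL3 (0), TLS1.0 (0), TLS1.1 (1), TLS1.2 (1)")

if __name__ == "__main__":
    for name, text in [("not admitted", NOT_ADMITTED),
                       ("recommended", RECOMMENDED),
                       ("legacy mix", LEGACY_MIX)]:
        print(name, check_range(parse_sslconfigure(text)))
    print("from log", check_range(parse_initialize_line(LOG_LINE)))
```

The `weak` list is the security-relevant output: a configuration can satisfy P1 (for instance SSL2, SSL3 and TLS1.0 all enabled, as in the compatibility example above) and still be one you would not want in production, since every version below TLS1.1 is deprecated.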
P3. The TryProtocols key no longer has any functionality. With the refactoring of some connection methods, the TryProtocols key no longer explicitly indicates the need to retry connections with other SSL/TLS protocol versions. This implies a lower overhead in establishing connections, since the protocol implementation itself negotiates the highest-security version for the connection.
P4. This implementation does not involve the WSDLManager class, which contains its own implementation of the protocol; it is restricted to the use of the AppServer as a connection server (WEBEX, HTTPS) and to the access functions HTTPSGet and HTTPSPost.
[SSLConfigure]
Verbose = 1
SSL2 = 1
SSL3 = 0
TLS1_0 = 0
TLS1_1 = 1
TLS1_2 = 1
Bugs = 0
State = 1
OpenSSL with version TLS1.1:
Windows Operating System version 6.1.7601 Service Pack 1
[DEBUG][SERVER] Command Line Arguments - BEGIN...
[DEBUG][SERVER] [console] -> []
[DEBUG][SERVER] Command Line Arguments - END.
[INFO ][SERVER] [Thread 10524] *** NOT USING SMARTHEAP
*** TOTVS S.A. ***
*** www.totvs.com.br ***
* TOTVS - Build 7.00.131227A - Dec 7 2017 - 13:54:58 NG
* Build: 32 bits
* DEBUG VERSION
* RPO Format: 32 bits
* SVN Revision: 10394 - 15899 - 1956
* Build Version: 0.0.0
'Ambiente de teste para comunicacao SSL/TLS' console mode.
Press Ctrl+Break to terminate.
*** DEBUG VERSION WITH CRASH DUMP HANDLER
*** DEBUG VERSION WITH SYMBOLS INFORMATION
*** STARTING SERVER WITH DEBUG OF USED MEMORY PER THREAD
*** STARTING SERVER WITH MAXIMUM STRING SIZE LIMIT SET TO 20 MB. ***
---------------- OS System Info -----------------------------------------------
OS Version .........: Windows 7 [Version 6.1.7601]
OS Platform ........: Windows NT Based (x64)
OS Version Info ....: Service Pack 1
-------------------------------------------------------------------------------
---------------- OS Memory Info -----------------------------------------------
Physical memory . 8025.59 MB. Used 5703.16 MB. Free 2322.43 MB.
Paging file ..... 16049.37 MB. Used 10246.11 MB. Free 5803.26 MB.
-------------------------------------------------------------------------------
[INFO ][SERVER] [Thread 10524] APP Virtual Address Allocation Limit .... 4095.88 MB.
[INFO ][SERVER] [Thread 10524] Memory Monitor Virtual Address LIMIT .... 4095.88 MB.
[INFO ][SERVER] [Thread 7552] Crash Monitor BEGIN
Http server is ready.
Root path is c:\totvs\p12_windows_x86\protheus_data\web\
Listening port 8888
[INFO ][SSL] [tSSLSocketAPI][Initialize] starting handshake ..
[INFO ][SSL] [tSSLSocketAPI] Using SSL/TLS protocol.
[INFO ][SSL] SSL CIPHERS ALL
[INFO ][SSL] [tSSLSocketAPI][Initialize] Bugs (0)
[INFO ][SSL] [tSSLSocketAPI][Initialize] SSL2 (1), SSL3 (0), TLS1.0 (0), TLS1.1 (1), TLS1.2 (1)
[INFO ][SSL] [tSSLSocketAPI][Initialize] State (1)
[INFO ][SSL] [tSSLSocketAPI][Initialize] Setting Certificates
[INFO ][SSL] [tSSLSocketAPI][SetCertificateFiles] cert (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-cert.pem)
[INFO ][SSL] [tSSLSocketAPI][SetCertificateFiles] key (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-key.pem)
[INFO ][SSL] [tSSLSocketAPI][Initialize] End handshake.
Https server is ready.
Listening port 443 (default)
[INFO ][SERVER] Application PID ......... [9648]
[INFO ][SERVER] Application Main Thread .. [10524]
[INFO ][SERVER] [Thread 10524] Application Server started on port 8612
[08/12/2017 12:25:56] Server started.
[WARN ][SERVER] [Thread 10408] [GENERAL] INACTIVETIMEOUT = 99999 seconds is ON.
[INFO ][SERVER] [08/12/2017 12:28:54] Starting Program U_GETSSL01 Thread 10408 (rinaldo,TEC-CATROQUE)
[INFO ][SSL] [tSSLSocketAPI][Connect] Connecting SSL.
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] starting handshake ..
[INFO ][SSL] [tSSLSocketClientAPI] Using TLS/SSL protocol.
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] KeyFile (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-key.pem)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] CertificateFile (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-cert.pem)
[INFO ][SSL] SSL CIPHERS ALL
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] Bugs (0)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] SSL2 (1), SSL3 (0), TLS1.0 (0), TLS1.1 (1), TLS1.2 (1)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] State (1)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] End handshake (1)
[INFO ][SSL] SSL callback where:[16] ret:[1] state:[before/connect initialization]
[INFO ][SSL] SSL_connect:before/connect initialization
[INFO ][SSL] SSL_connect:SSLv2/v3 write client hello A
[INFO ][SSL] [tSSLSocketAPI][Connect] Connecting SSL OK.
[ERROR][SSL] SSL erro = -1
[ERROR][SSL] SSL code = 336040165
[ERROR][SSL] SSL description = error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure
[ERROR][SSL] Unable to send data. Error syscall.
[INFO ][SSL] [tSSLSocketAPI][Connect] Connecting SSL.
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] starting handshake ..
[INFO ][SSL] [tSSLSocketClientAPI] Using TLS/SSL protocol.
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] KeyFile (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-key.pem)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] CertificateFile (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-cert.pem)
[INFO ][SSL] SSL CIPHERS ALL
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] Bugs (0)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] SSL2 (1), SSL3 (0), TLS1.0 (0), TLS1.1 (1), TLS1.2 (1)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] State (1)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] End handshake (1)
[INFO ][SSL] SSL callback where:[16] ret:[1] state:[before/connect initialization]
[INFO ][SSL] SSL_connect:before/connect initialization
[INFO ][SSL] SSL_connect:SSLv2/v3 write client hello A
[INFO ][SSL] [tSSLSocketAPI][Connect] Connecting SSL OK.
[ERROR][SSL] SSL erro = -1
[ERROR][SSL] SSL code = 336040165
[ERROR][SSL] SSL description = error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure
[ERROR][SSL] Unable to send data. Error syscall.
[INFO ][SSL] [tSSLSocketAPI][Connect] Connecting SSL.
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] starting handshake ..
[INFO ][SSL] [tSSLSocketClientAPI] Using TLS/SSL protocol.
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] KeyFile (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-key.pem)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] CertificateFile (C:\Totvs\P12_Windows_x86\Protheus_Data\certs\localhost\localhost-cert.pem)
[INFO ][SSL] SSL CIPHERS ALL
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] Bugs (0)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] SSL2 (1), SSL3 (0), TLS1.0 (0), TLS1.1 (1), TLS1.2 (1)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] State (1)
[INFO ][SSL] [tSSLSocketClientAPI][Initialize] End handshake (1)
[INFO ][SSL] SSL callback where:[16] ret:[1] state:[before/connect initialization]
[INFO ][SSL] SSL_connect:before/connect initialization
[INFO ][SSL] SSL_connect:SSLv2/v3 write client hello A
[INFO ][SSL] [tSSLSocketAPI][Connect] Connecting SSL OK.
[ERROR][SSL] SSL erro = -1
[ERROR][SSL] SSL code = 336040165
[ERROR][SSL] SSL description = error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure
[ERROR][SSL] Unable to send data. Error syscall.