Hi,
As part of a Payment Card Industry change we have to stop using the default security protocol TLS 1.0 and use TLS 1.2 instead.
I can see that this is the subject of some discussion and perhaps two different ways to get it working:
WinHttpRequestOption_SecureProtocols option.
I’m not having much success adapting the syntax of this into OpenROAD.
https://docs.microsoft.com/en-gb/windows/desktop/WinHttp/winhttprequest
Suggests that I can do something like:
Declare
WinHttpRequestOption_SecureProt = integer not null default 9;
SecureProtocol_TLS1_2 = integer not null default 2048;
http = winhttp!winhttprequest;
enddeclare
.
.
.
http.option (WinHttpRequestOption_SecureProt) = SecureProtocol_TLS1_2;
or in naked decimal:
http.option (9) = 2048;
OpenROAD is not keen on that: “E_W40271 Invalid target of assignment or BYREF.”
The snippets of syntax I’ve used from things like ASP and VB suggest it should work like this.
Thoughts?
Cheers
Adrian
Hi Adrian,
Have you tried to use/set the “Option” of the WinHttpRequest as method (as a COM property is implemented by setter/getter methods), e.g.:
http.Option(9, 2048);
Regards,
Bodo.
Bodo Bergmann
Principal Software Engineer
Actian | Engineering
Hi Bodo,
Yes I tried that and was getting the following complaint where I think it means it can’t find an entry point/method with that construction of parameters.
E_WT0029 Error at line 120 of http_uc.
E_WT006D The invocation of an external object method failed.
The method 'option' for source '<missing>' returned an error code of
80070057 and the error message:
'<missing>'
E_WT0029 Error at line 121 of http_uc.
E_WT006D The invocation of an external object method failed.
The method 'send' for source 'WinHttp.WinHttpRequest' returned an error
code of 80020009 and the error message:
'The connection with the server was terminated abnormally'
From this order of code:
CurObject.httpquery = 'https://'+ url + rsi+'/'+ dob_txt;
http.Open('GET',CurObject.httpquery,FALSE);
http.SetRequestHeader(header,value);
//TLS 1.2 Protocol can only now (22/10/2018) be used in communication with to support the Card Payments protocol:
//https://docs.microsoft.com/en-gb/windows/desktop/WinHttp/iwinhttprequest-option
//http.option (byref(WinHttpRequestOption_SecureProt), byref(SecureProtocol_TLS1_2));
http.option (9,2048);
http.Send();
In the Microsoft documentation it refers to this as a read/write Property.
I started to think about arrays with the ninth element being this integer etc but that is not going to work at all.
Can we ‘write’ properties like this one?
I’m going to isolate a test case and share that.
Cheers
Adrian
Hi,
The attached application has it all.
What I believe I need to be able to do is get the final output to say ‘TLS 1.2’:
This can be done by writing to the ‘Options’ property or by messing around with the registry to get it to use TLS1.2 by default.
I’m currently messing with the registry.
Cheers
Adrian
Hi Adrian,
This is strange – I do not get an error when using this method:
procedure test() =
declare
http = WinHttpRequest;
rv = INTEGER NOT NULL;
rtxt = VARCHAR(16000) NOT NULL;
enddeclare
{
MESSAGE '=== start ===';
http.Open('GET', 'http://www.example.com', FALSE);
http.Option(9, 2048);
http.Send();
rtxt = http.responsetext;
MESSAGE rtxt;
}
This prints the ResponseText as expected.
Bodo.
Hi,
That errors for me:
I’m using OR 6.2.0/15201 p15279 on Windows 7 and Windows Server 2008 R2 Data Centre (Amazon instance).
What are you using?
Cheers
Adrian
PS the hot fix from Microsoft managed to change the default to TLS 1.2
Adrian,
I tested using OR 6.2 (32-bit) with patch 15339 on Windows 10.
My WinHttp External Class Library references the Microsoft WinHTTP Services, version 5.1
with TypeLib ID {662901FC-6951-4854-9EB2-D9A2570F2B2E}
I assume that because you are using an older Windows and/or WinHttp version,
it does not support the value 2048 (WinHttpRequestOption_SecureProtocols).
Have you tested with a value that should work (e.g. 128 – for TLS 1.0)?
Hi,
Yes that is the issue – 128 works ok.
The TypeLib is the same, but the winhttp.dll might have different content or even different registry settings affecting the options it will accept.
Patching the OS might be easier for us with this client than trying to roll out an application image even with a small change.
I’m waiting to hear back from them.
Hi,
In case anyone else who uses the WinHTTP control to initiate SSL conversations needs a solution, I found that the four registry lines below moved the system wide default from TLS 1.0 to TLS 1.2.
This worked on the clients which would not accept the Option (9,2048) syntax as noted in this thread.
I suspect that there are further registry entries required to be made to get clients to accept Option(9,2048) but I have not made any effort to find this as yet as changing the system wide default works (if you have a lot of software stacks to deal with on a single host then changing the system default is cheaper* than making changes in each stack).
Cheers
Adrian
*Cheapness is of course a relative concept: If your company likes to make opportunistic margin from its clients then changing all stacks generates more revenue.
Note: You can save the text below as a “.reg” file e.g. “TLS1_2.REG” and double click it – this will install the lines into the registry of the machine you are logged into.
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"SecureProtocols"=dword:00000a80
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"SecureProtocols"=dword:00000a80
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000a00
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000a00
From: Adrian Williamson <adrian.w...@rationalcommerce.com>
Sent: 23 October 2018 15:06
To: 'openroa...@googlegroups.com' <openroa...@googlegroups.com>
Subject: RE: [openroad-users] The WinHTTP control and using TLS 1.2
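Added example, not code from the thread or from Actian or Microsoft: it decodes the SecureProtocols bit masks discussed above, both the Option(9, ...) arguments and the .reg DWORDs, then reads the four registry values back on the current host. The flag values are the WinHTTP secure-protocol bits, so 0xa80 is TLS 1.2 + TLS 1.1 + TLS 1.0 and still permits TLS 1.0, while 0xa00 does not. ConvertFrom-SecureProtocolMask is a hypothetical name; the code keeps to PowerShell 2.0 syntax, which is what Windows 7 and Server 2008 R2 ship with.

```powershell
# SecureProtocols bit flags shared by WinHTTP Option(9, ...) and the registry masks.
$ProtocolFlags = @(
    @{ Name = 'SSL 2.0'; Bit = 0x008 },
    @{ Name = 'SSL 3.0'; Bit = 0x020 },
    @{ Name = 'TLS 1.0'; Bit = 0x080 },
    @{ Name = 'TLS 1.1'; Bit = 0x200 },
    @{ Name = 'TLS 1.2'; Bit = 0x800 }
)
# Protocols the PCI change in this thread requires turning off.
$Legacy = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0')

# Hypothetical helper: turn a mask into a readable line with a verdict.
function ConvertFrom-SecureProtocolMask([int]$Mask) {
    $enabled = @($ProtocolFlags | Where-Object { $Mask -band $_.Bit } |
                 ForEach-Object { $_.Name })
    $old     = @($enabled | Where-Object { $Legacy -contains $_ })
    $verdict = if ($old.Count) { 'still allows ' + ($old -join ', ') }
               else { 'no legacy protocol' }
    '0x{0:x8} = {1} ({2})' -f $Mask, ($enabled -join ' + '), $verdict
}

# Values quoted in the thread: the two Option(9, ...) arguments and the two .reg DWORDs.
foreach ($v in 128, 2048, 0xa80, 0xa00) { ConvertFrom-SecureProtocolMask $v }

# Read back the four values the .reg file writes, on whatever host this runs on.
$inet = 'Microsoft\Windows\CurrentVersion\Internet Settings'
$targets = @(
    @{ Path = "HKCU:\Software\$inet";                     Name = 'SecureProtocols' },
    @{ Path = "HKLM:\SOFTWARE\$inet";                     Name = 'SecureProtocols' },
    @{ Path = "HKLM:\SOFTWARE\$inet\WinHttp";             Name = 'DefaultSecureProtocols' },
    @{ Path = "HKLM:\SOFTWARE\Wow6432Node\$inet\WinHttp"; Name = 'DefaultSecureProtocols' }
)
foreach ($t in $targets) {
    $item = Get-ItemProperty -Path $t.Path -Name $t.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Key or value absent: the OS built-in default is in effect.
        '{0}\{1}: not set' -f $t.Path, $t.Name
    } else {
        $value = $item.($t.Name)
        '{0}\{1}: {2}' -f $t.Path, $t.Name, (ConvertFrom-SecureProtocolMask $value)
    }
}
```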