OpenSSL

I had an interesting support case recently that sent me down a few rabbit holes based around OpenSSL.  Essentially as a result of this announcement from Google, the provider of a Web Service that a Genero application was calling was making changes to their SSL/TLS certificates used to secure Web Service communication.  The Genero developer came to us as they believe they had made the changes to certificates correctly but were getting errors messages referencing certificates.  So we started off in the direction of checking certificates, making the web service call with curl and small Genero programs.  What we eventually found was that when using their Genero version they would get an error but using a later version of Genero it was OK, and we traced that to the fact their OpenSSL libraries were too old and the Web Service provided was not willing to communicate with them !

What is OpenSSL?, as per the Wikipedia page …

OpenSSL is a software library for applications that provide secure communications over computer networks against eavesdropping, and identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS websites.

… other good links are the official website and the GitHub repository page.

The interesting section is the release history on the Wiki page, and reading that in conjunction with the FGL page on OpenSSL requirements.  I want to share a few quotes from our page …

Starting with FGLGWS 3.21.01, 4.01.05 and 5.00.00, OpenSSL 3.0 LTS is required for encryption and security.

Because OpenSSL 1.1.1 goes EOL in September 2023 (external link), it is now mandatory to use OpenSSL 3.0 LTS to get the latest security fixes.

What OpenSSL version is your Genero application using?

Currently, when installing Genero the following occurs …

When installing an FGLGWS package, OpenSSL 3.0 libs will be provided in FGLDIR, if no OpenSSL 3.0 exists on the system.

You can  find the version of the OpenSSL library in use via the  fglpass command in your Genero environment …

fglpass -Vssl

… this will tell you the OpenSSL version in use with output like …

SSL version: OpenSSL 3.0.16 11 Feb 2025

You will also see in FGLWSDEBUG output for a Web Service call …

WS-DEBUG (Security Info)
OpenSSL 3.0.16 11 Feb 2025
WS-DEBUG END

For my customer, we found that with the old 3.20 version of Genero they were using, they had a 1.0…. version of OpenSSL, and as per the release history on the Wiki page, this had not been supported since 2019.  The Web Service vendor was rejecting their attempt to communicate with it using such an old OpenSSL library.  When we made the same Web Service call using a Genero version that had a 1.1 or 3.X version it succeeded.

I know our community like to install a Genero developed application and a Genero package and not touch it for many years,  but if you are using a Genero version from before 3.21.01 or in the range 4.00.00-4.01.04, run fglpass -Vssl and compare the OpenSSL version returned and what entry it has on the OpenSSL release history Wiki page.  You may find that you have to upgrade in a hurry one day because another server refuses to communicate with your server.  Also a reminder that our Professional Services team can assist you with an upgrade.