Official Content

The evolution of the SSL (Secure Socket Layer) protocol to TLS (Transport Layer Security) may cause services that were correctly consumed under SSL to stop working when the configuration is changed to TLS, particularly when using TLS version 1.2.

TLS protocol support is implemented in the base software:
    .NET Framework 4.6
    Java JDK 1.8 

Therefore, service clients may stop working when the service migrates to the TLS 1.2 protocol, depending on the framework/sdk used by the client (consumer).

The errors that can occur are similar to the following:

The underlying connection was closed: An unexpected error occurred on a send.
WARN  GeneXus.Http.Client.GxHttpClient - Error Execute System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at System.Net.HttpWebRequest.GetResponse()
   at GeneXus.Http.Client.GxHttpClient.Execute(String method, String name)
ERROR GxHttpClient [] - Error Execute Exception: System.Net.WebException 
Message: A conexão subjacente estava fechada: Erro inesperado em um envio. 
Source: System em System.Net.HttpWebRequest.GetResponse() 
    em GeneXus.Http.Client.GxHttpClient.Execute(String method, String name) 
Nested Exception
Exception: System.IO.IOException
Message: EOF inesperado ou 0 bytes recebidos do fluxo de transporte.
Source: System
  em System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
  em System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
  em System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
  em System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
  em System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)

The way to solve these errors will depend on the platform/language and how these services are invoked. The different alternatives are detailed below.

.NET Framework Generator

In .NET Framework you can follow two different paths:

  • A: Change general settings in the web.config file, or
  • B: Use the CSHARP command to change settings at some specific point in your programs.

A - Change settings in web.config

This option is valid if you have .NET framework 4.6.1 or higher (which requires Windows Server 2008 SP2 or higher)

  <httpRuntime targetFramework="4.6.1"/>

Note: 4.6.2 is already set by default as of GeneXus 17 upgrade 4.

B - Change settings using CSHARP command

1.  The service is invoked using External Object / Web Service

In this case, there are two scenarios: 
  1.1 - If the Environment property Use Native Soap = True, it is solved with code embedded in the GeneXus source itself. Before invoking the service, enter these lines:

csharp System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls;

  1.2 - If the Environment property Use Native Soap = False, add this line before invoking the service, in the GeneXus code.  

csharp System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12 | System.Net.SecurityProtocolType.Tls11 | System.Net.SecurityProtocolType.Tls;

Framework 4.0 or higher is required.
With Framework 3.5 or lower, find the module that implements TLS 1.2 and install it. 

2. The service is invoked with HttpClient data type

In this case, you must configure the settings described in item 1.2.

csharp System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12 | System.Net.SecurityProtocolType.Tls11 | System.Net.SecurityProtocolType.Tls;
&httpclient.WriteAttribute("xmlns:SOAP-ENV", "...") 

Java Generator

With JDK 1.8 or higher 1.7 u131 there are no additional requirements, as TLS v1.2 is used by default. This applies whether the service is consumed with External Object: WSDL - Web Service or with HttpClient data type.

With JDK 1.7 lower u131 it doesn't work; although TLS v1.2 is supported, the default value is TLS v1. To make it work, you should change the default value to Tls v1.2.

It is possible by configuring the Virtual Machine:


Another way to do the same is to add the following native code to GeneXus source:

java try { 
    java ctx ="TLSv1.2");
    java ctx.init(null, null, null);
java } catch (Exception e) {
java }

Important: This code changes the default for the entire Web server.

For versions lower than JDK1.7, you should find out if it is possible to install the TLS protocol support.

IOS (Offline)

If a TLS service is invoked from an Offline Panel, it is recommended that it runs under IOS 11. Even though support for 802.1X authentication is available as of iOS 9, some issues have been reported until version 11, so this is the recommended version.

Android (Offline)

As mentioned in the Java section, Java 8 is required; therefore, there are no issues in this platform.


Last update: April 2024 | © GeneXus. All rights reserved. GeneXus Powered by Globant