Question Re: SAP SSL handshake failed in Technology Q&A

SAP SSL handshake failed

SvenS — Tue, 03 Apr 2018 13:45:04 GMT

I'm trying to retrieve data from an open data api. I have downloaded the certificate from the site and imported it into STRUST (SSL Client Anonymous). Then I created a HTTP connection to external server in SM59. In the beginning it worked fine, until last week when the api changed its URL and so its DNS. Ofcourse it could no longer be reached by the current host. So I did above steps again for the new URL (changed everything accordingly like hostname etc. in SM59), but this time I receive following error: SSL handshake with 'hostname:port' failed: SSSLERR_CONN_CLOSED (-10)#Remote Peer has closed the network connection##SapSSLSessionStartNB()==SSSLERR_CONN_C LOSED##

Anyone has an idea on how to solve this?

Re: SAP SSL handshake failed

Isaias_SAP — Fri, 06 Apr 2018 22:40:30 GMT

Hello Sven,

Have you imported the new SSL server certificate to the anonymous PSE (STRUST)?

And is the SM59 still configured to use the anonymous PSE too (under the "technical settings" tab)?

Did anything else change at the remote website? Like, now the website requires authentication using a client certificate?

Simulating the issue with the ICM running on trace level 2 and providing the trace might help us to identify other possibilities.

Regards,

Isaías

Re: SAP SSL handshake failed

SvenS — Tue, 10 Apr 2018 13:46:49 GMT

Hello Isaias

Yes I imported the new SSL server certificate to the anonymous PSE. In SM59 I configured everything correctly. I've been looking into it the past days and I think that the new remote site requests a key of the certificate which isn't provided. I came to this conclusion because at the moment without key it is even impossible to send a request to the site via Postman. I'm gonna try and generate a key via the command prompt and see if I can reach retrieve a request via Postman.

Let me know if you have any other ideas that I could try.

Kind reagrds

Sven Swennen

Re: SAP SSL handshake failed

Isaias_SAP — Tue, 10 Apr 2018 20:17:01 GMT

Hello Sven,

A level 2 trace of the ICM could help us verifying whether we can suggest anything else.

You can increase its trace level through the transaction SMICM, then perform a "connection test" at SM59 and reduce the trace level as soon as the issue is simulated.

Besides attaching the trace file to this thread, we would need the name of the target server.

Kind regards,

Isaías

Re: SAP SSL handshake failed

SvenS — Wed, 11 Apr 2018 08:52:43 GMT

Hello

Only thing the trace is outputting at level 1 is the Remote peer has closed the network connection.

So not really helpful.

The traces at higher levels don't output any errors.

Seems like it is an issue with the certificate. But I don't know how to solve it.

Kind regards

Sven

Re: SAP SSL handshake failed

BJarkowski — Wed, 11 Apr 2018 08:59:41 GMT

Can you connect to the target host through browser?

I would also check the SSL config on the target (for example using it: https://www.ssllabs.com/ssltest/).

This might also be a cipher issue - maybe you need to enable other cipher suite on AS.

Check SAP Note 2570499 - How to adjust the supported SSL cipher suites in AS ABAP

Re: SAP SSL handshake failed

SvenS — Wed, 11 Apr 2018 09:48:32 GMT

Thanks for the response

Yes I can connect to the target host via browser.

Could you explain what you mean by other cipher suite? and how I can know if I need another one? I'm not familiar with certificates so I don't really get what you mean.

But if it has anything to do with following:

I can tell you that it is the same as another certificate which is working at the moment.

UPDATE:

Could it be that this is the problem? the other certificate that works at the moment has this enabled.

Kind regards

Sven

Re: SAP SSL handshake failed

BJarkowski — Wed, 11 Apr 2018 16:45:15 GMT

That was just a guess with the cipher suite, maybe not the best 🙂

One more question - did you import to STRUST the full certification path? I mean also the certificate of the CA that signed the certificate for the website.

Re: SAP SSL handshake failed

Isaias_SAP — Wed, 11 Apr 2018 21:46:28 GMT

Hello Sven,

The trace says "Failed to verify peer certificate. Peer not trusted".

This would mean that SAP does not trust the certificate it received from the remote server.

You would need to either import the certificate itself, or import the certificate of the "issuer" (the CA - Certification Authority - that signed the certificate).

The screenshot does not show whether the client or anonymous PSE ("SAPSSLC.pse" and "SAPSSLA.pse", by default) was in use. So, maybe import the certificate at both, to be on the safe side, as this would not cause any issues.

This wiki page might help.

Kind regards,

Isaías

Re: SAP SSL handshake failed

SvenS — Thu, 12 Apr 2018 07:38:23 GMT

Hello

The screenshot doesn't show it but I'm certain the anonymous PSE is used. To be sure I also imported it all in standard but without success. Since I'm really stuck I'll provide the link from where I'm trying to get data: https://public.brussels-parking-guidance.com/Datex/Export?publication=dynamic .
I'm not to familiar with certificates so for you question of the CA certificate I tried following: I downloaded all the certificates of the site (DST Root, The X3 and the one of the site itself, see screenshot). Then I added them to STRUST by importing them.

Afterwards I created a new HTTP connection to external server in SM59 and filled in all the required fields as host I put public.brussels-parking-guidance.com and path prefix /Datex/Export?publication=dynamic. By logon & security I activated SSL certificate and put it on anonymous (I also configured the proxy correct). But for some reason it is not trusting the certificate.

Is this the correct way?

Kind reagrds
Sven

Re: SAP SSL handshake failed

SvenS — Thu, 12 Apr 2018 07:55:26 GMT

I'm not familiar with certificates so since I'm really stuck I'll let you know what I did. I need to get data of following site: https://public.brussels-parking-guidance.com/Datex/Export?publication=dynamic . I downloaded following certificates of the site (DST, X3 and the one of the site itself).

I imported all these certificates into STRUST in the anonymous and standard PSE. Afterwards I created a new HTTP connection to external server in SM59 and filled in all the required fields as host I put public.brussels-parking-guidance.com and path prefix /Datex/Export?publication=dynamic. By logon & security I activated SSL certificate and put it on anonymous (I also configured the proxy correct). But for some reason it is not trusting the certificate.

Is this the correct way to do it?

EDIT: if you want also check above response, I added a level 2ICM trace file there if it helps.

Kind reagerds

Sven Swennen

Re: SAP SSL handshake failed

Isaias_SAP — Thu, 12 Apr 2018 12:46:00 GMT

Hello Sven,

For the purposes of SSL trust, importing the certificate of "Let's Encrypt Authority X3" would suffice, but it would be recommended to import the "DST Root CA X3" too.

There is no need to import the last one ("public.brussels-parking-guidance.om").

Based on the SM59 settings you have mentioned (which seem correct), you would need to import those two certificates at the Anonymous PSE file.

To confirm that everything is correct with it, logon at operating system level as "SIDadm" and execute the following command:

sapgenpse maintain_pk -l -p <path to anonymous PSE - SAPSSLA.pse>

You should see the "DST Root" and the other "X3" certificates listed at the output.

If you see them there, try restarting the ICM (transaction SMICM, menu Administration -> ICM -> Exit Soft/Hard -> Local).

Depending on the SAP NetWeaver release in use, restarting the ICM manually would be required, so it reloads the PSE files.

Regards,

Isaías

Re: SAP SSL handshake failed

SvenS — Thu, 12 Apr 2018 13:18:49 GMT

Hello

Did it all except for the operating system level (I have no authorization to do this).

Unfortunately still having the same error. It's starting to look like this one just isn't going to work.

Thanks for all the help, if you got any other ideas feel free to still share them so I can test them :).

Kind regards

Sven Swennen

Re: SAP SSL handshake failed

Isaias_SAP — Thu, 12 Apr 2018 13:52:51 GMT

Hi!

Can you provide the complete "dev_icm" trace file?

Kind regards,

Isaías

Re: SAP SSL handshake failed

BJarkowski — Thu, 12 Apr 2018 14:10:54 GMT

Hi Isaias,

I tried to replicate the issue and I also encounter it.

Here my smicm logs (level 3)

[Thr 140608096933632] Thu Apr 12 14:05:07:547 2018
[Thr 140608096933632]      in: cred_hdl = 7fe1d405c670
[Thr 140608096933632] ->> SapSSLSetTargetHostname(sssl_hdl=7fe1a8001690, &hostname=7fe1a8001500)
[Thr 140608096933632] <<- SapSSLSetTargetHostname(sssl_hdl=7fe1a8001690)==SAP_O_K
[Thr 140608096933632]      in: hostname = "public.brussels-parking-guidance.com"
[Thr 140608096933632] ->> SapSSLSessionStartNB(sssl_hdl=7fe1a8001690, flags=00000000, timeout=80000, &IOstat=7fe1dfab7f30)
[Thr 140608096933632] NiIBlockMode: leave blockmode for hdl 96 FALSE
[Thr 140608096933632] NiIHdlGetStatus: hdl 96/sock 31 ok, no data pending
[Thr 140608096933632]   SapISSLUseSessionCache(): Creating NEW session (0 cached)
[Thr 140608096933632] CCL[SSL]: Cli-0000000C: Have no session to be resumed. Performing full handshake [ssl3_client_hello]
[Thr 140608096933632] CCL[SSL]: Cli-0000000C: ClientHello: Offering protocol version 3.1 (TLSv1.0) [ssl3_get_client_hello_version]
[Thr 140608096933632] CCL[SSL]: Cli-0000000C: ClientHello: no session resumption requested (empty session ID) [ssl3_client_hello]
[Thr 140608096933632] CCL[SSL]: Cli-0000000C: Summary: Offering 6 cipher suite(s) and SCSV(s):
[Thr 140608096933632]     < 0> : TLS_RSA_WITH_AES128_CBC_SHA
[Thr 140608096933632]     < 1> : TLS_RSA_WITH_AES256_CBC_SHA
[Thr 140608096933632]     < 2> : TLS_RSA_WITH_3DES_EDE_CBC_SHA
[Thr 140608096933632]     < 3> : TLS_RSA_WITH_RC4_128_SHA
[Thr 140608096933632]     < 4> : TLS_RSA_WITH_RC4_128_MD5
[Thr 140608096933632]     < 5> : Signaling cipher suite value (SCSV) secure renegotiation (RFC5746)
[Thr 140608096933632]  [ssl_cipher_suites_to_bytes]
[Thr 140608096933632] CCL[SSL]: Cli-0000000C: Sending SSLv3/TLS ClientHello [ssl3_client_hello]
[Thr 140608096933632]   SSL:SiSend(sock=  31)== 0 (SI_OK)       (out=60 of 60)
[Thr 140608096933632]   SSL:SiRecv(sock=  31)==13 (SI_ETIMEOUT) (in=0, max=16)
[Thr 140608096933632]     > SSL:SiPoll(sock=31, evt=R, timeout=80000 ms)
[Thr 140608096933632]   <   SSL:SiPoll(sock=31, evt=R, slept  =  19 ms) Ready
[Thr 140608096933632]   SSL:SiRecv(sock=  31)==12 (SI_ECONN_BROKEN) (in=0, max=16)
[Thr 140608096933632]   SSL_get_state()==0x2120 "TLS read server hello A"
[Thr 140608096933632]   SSLSessionStart: new SSL session (TLSv1.0) no CertRequest
[Thr 140608096933632]   Stop! Required server certificate not present
[Thr 140608096933632] <<- SapSSLSessionStartNB(sssl_hdl=7fe1a8001690)==SSSLERR_CONN_CLOSED
[Thr 140608096933632] ->> SapSSLSessionLastError(sssl_hdl=7fe1a8001690, &rc=7fe1dfab7f20, &rc_name=7fe1dfab7f40, &rc_desc=7fe1dfab7f50, &rc_detail=7fe1dfab7f60)
[Thr 140608096933632] DpSesGetWorkerType: return workerType DIA for T6_U108
[Thr 140608096933632] RqQQueueGetNumberOfRequests: Queue <T6_U108_M0> in slot 45 contains 0 requests of type DIA
[Thr 140608096933632] DpSesGetTasks: found 0 open tasks for T6_U108_M0
[Thr 140608096933632] DpSesGetWorkerType: return workerType DIA for T6_U108
[Thr 140608096933632] RqQQueueGetNumberOfRequests: Queue <T6_U108_M1> in slot 41 contains 0 requests of type DIA
[Thr 140608096933632] DpSesGetTasks: found 1 open tasks for T6_U108_M1
[Thr 140608096933632] *** ERROR => SSL handshake with public.brussels-parking-guidance.com:443 failed: SSSLERR_CONN_CLOSED (-10)
[Thr 140608096933632] Remote Peer has closed the network connection<br>

I thought it may be related to SSL/TLS version, so I checked it with profile parameter

ssl/client_ciphersuites = 208:HIGH:MEDIUM

But it didn't change anything. Sorry for interrupting in your answer, but I hope this will help to solve Sven issue.

BTW. I'm 99,99% sure my config is correct - I added all certs, restarted ICM etc.

Re: SAP SSL handshake failed

SvenS — Thu, 12 Apr 2018 14:41:43 GMT

Hello

This is the end of the level 2 ICM trace.

Let me know if this is what you wanted to see (I couldn't upload the whole file since it is 30MB and SCN only allows 1MB)?

icm-end.txt

Kind reagrds

Sven Swennen

Re: SAP SSL handshake failed

Robert_Russell1 — Thu, 12 Apr 2018 20:51:28 GMT

Hi Sven,

Interesting question 🙂 had me googling and I have got it to bypass the error SSSLERR_CONN_C LOSED message.

By setting the parameter mentioned in this note to true on my NPL demo system 751

2124480 - ICM / Web Dispatcher: TLS Extension Server Name Indication (SNI) as client

"To enabled SNI seticm/HTTPS/client_sni_enabled to "true". This parameter is dynamic."

If your interested 🙂 my googling was a result of trying and failing with openssl client connections ( to see another non browser connection.)

The errors in this connection led me to these links which mentioned Server Name Indication (SNI) as a way of using more certificates on one IP address. Which must be the case for "public.brussels-parking-guidance.om" and the SAP parameter is required.

Hope it helps 🙂

Cheers

Robert

Re: SAP SSL handshake failed

Isaias_SAP — Thu, 12 Apr 2018 21:30:19 GMT

Hi all,

I could simulate the issue using an internal test system.

I was discussing this case with a BC-SEC-SSL colleague, and then I saw Robert's update.

I performed some tests and it worked for me. Thus, setting "icm/HTTPS/client_sni_enabled = TRUE" should be the solution.

Thank you, Robert! Well done :-).

Regards,

Isaías

Notify: db8ac33b71d34a778adf273b064c4883 , svenswennen

Re: SAP SSL handshake failed

BJarkowski — Thu, 12 Apr 2018 21:45:43 GMT

Wow! Congrats Rob!

Re: SAP SSL handshake failed

SvenS — Fri, 13 Apr 2018 12:17:18 GMT

Hello Robert

Thanks for the answer. I'm new to SAP and I want to verify if I'm going to do this correctly. For this paramater am I correct that I have to go to RZ10, fill in the profile I'm using and then create this parameter (because I don't see the parameter in any of the profiles)?

Or am i completely incorrect and is "icm/HTTPS/client_sni_enabled = TRUE" found somewhere else? I tried googling it but it only says what it is and does but not where to modify it.

Kind regards

Sven Swennen