https://community.sap.com/t5/technology-q-a/ssl-handshake-error/qaa-p/12020779#M4498787 <P>Hi Samuli </P><P>ABAP is enabled for TLS 1.2 ,however as I said prior the same certificate works with one of the target host already but it does not work for its subdomain. </P> Thu, 01 Aug 2019 10:44:16 GMT Former Member 2019-08-01T10:44:16Z https://community.sap.com/t5/technology-q-a/ssl-handshake-error/qaq-p/12020772 <P>I am currently using an RFC of Type " HTTP Connections to External Sever" to establish connectivity with a third party system with Target Host as Spectrum.pitneybowes.com and Path Prefix as /Soap/ .</P> <P>I have installed the SSL Certificate of the above Target Host in Strust and I am able to establish connectivity. </P> <P>But when I use the Sub Domain of the above mentioned Target Host i.e. microbatch.spectrum.pitneybowes.com and Path Prefix as /Soap / with the very same SSL Certificate then I am not able to establish connectivity as it throws an SSL Handshake Error. </P> <P>According to the owner of the third party system the SSL Certificate is a wild character certificate which supports multiple Sub Domains of Spectrum.Pitneybowes.com and it works fine for them over the URL and other applications .</P> <P>However it's not working in SAP , kindly advice. </P> Wed, 31 Jul 2019 07:32:05 GMT https://community.sap.com/t5/technology-q-a/ssl-handshake-error/qaq-p/12020772 Former Member 2019-07-31T07:32:05Z https://community.sap.com/t5/technology-q-a/ssl-handshake-error/qaa-p/12020773#M4498781 <P>The 3rd party is right, their wildcard certificate is correctly setup. Their wildcard certificate has 3 parts to it: root CA, intermediate and SSL server. All 3 must be trusted by SAP. You do not specify, how exactly you are accessing the target. You may have to store the certificates in multiple nodes in STRUST: System PSE, SSL standard, SSL anonymous, etc. If your system has multiple instances, you might have to make sure all instances see the certificates either by synchronizing the instances or saving the certificates on each instance.</P> Wed, 31 Jul 2019 11:30:27 GMT https://community.sap.com/t5/technology-q-a/ssl-handshake-error/qaa-p/12020773#M4498781 SamuliKaski 2019-07-31T11:30:27Z https://community.sap.com/t5/technology-q-a/ssl-handshake-error/qaa-p/12020774#M4498782 <P></P><P>Hey Samuli , thanks for the reply. </P><P>I have stored the SSL Certificate already into multiple nodes that you have suggested above but it still throws SSL handshake error for the Sub Domain UR and not for the Main URL. </P><P>No System does not have multiple instances that I would need to sync. </P> Wed, 31 Jul 2019 11:52:11 GMT https://community.sap.com/t5/technology-q-a/ssl-handshake-error/qaa-p/12020774#M4498782 Former Member 2019-07-31T11:52:11Z https://community.sap.com/t5/technology-q-a/ssl-handshake-error/qaa-p/12020775#M4498783 <P>I have stored the SSL Certificate already into multiple nodes that you have suggested above . No System does not have multiple instances . </P> Wed, 31 Jul 2019 11:54:15 GMT https://community.sap.com/t5/technology-q-a/ssl-handshake-error/qaa-p/12020775#M4498783 Former Member 2019-07-31T11:54:15Z https://community.sap.com/t5/technology-q-a/ssl-handshake-error/qaa-p/12020776#M4498784 <P>In that case, I would increase the ICM trace level to 2 or even 3, reproduce, decrease the ICM trace level back to 1 and then analyze the trace. There will be a reason for the SSL handshake to fail. I assume this is a client environment? You could check with their network administrator if they have some sort of SSL decrypting firewall that might explain the SSL handshake failing (the target sees it as man-in-the-middle attack).</P> Wed, 31 Jul 2019 12:12:04 GMT https://community.sap.com/t5/technology-q-a/ssl-handshake-error/qaa-p/12020776#M4498784 SamuliKaski 2019-07-31T12:12:04Z https://community.sap.com/t5/technology-q-a/ssl-handshake-error/qaa-p/12020777#M4498785 <P>Hi Samuli </P><P>I increased the Trace level to 3 and I am attaching the ICM Logs , however I could not correlate much to identify the issue that why the SSL Certificate is not working. </P><P>I am attaching the logs. </P><P>Thanks</P> Thu, 01 Aug 2019 07:35:14 GMT https://community.sap.com/t5/technology-q-a/ssl-handshake-error/qaa-p/12020777#M4498785 Former Member 2019-08-01T07:35:14Z https://community.sap.com/t5/technology-q-a/ssl-handshake-error/qaa-p/12020778#M4498786 <P>The trace reveals SSL_ERROR_CONNECTION_LOST followed by SSSLERR_SSL_CONNECT. Your AS ABAP might not be enabled for TLS 1.2 or higher, the target server probably requires it. See SAP notes <A href="https://launchpad.support.sap.com/#/notes/0002368112" target="_blank">2368112</A> and <A href="https://launchpad.support.sap.com/#/notes/510007" target="_blank">510007</A> for details.</P> Thu, 01 Aug 2019 10:31:06 GMT https://community.sap.com/t5/technology-q-a/ssl-handshake-error/qaa-p/12020778#M4498786 SamuliKaski 2019-08-01T10:31:06Z https://community.sap.com/t5/technology-q-a/ssl-handshake-error/qaa-p/12020779#M4498787 <P>Hi Samuli </P><P>ABAP is enabled for TLS 1.2 ,however as I said prior the same certificate works with one of the target host already but it does not work for its subdomain. </P> Thu, 01 Aug 2019 10:44:16 GMT https://community.sap.com/t5/technology-q-a/ssl-handshake-error/qaa-p/12020779#M4498787 Former Member 2019-08-01T10:44:16Z https://community.sap.com/t5/technology-q-a/ssl-handshake-error/qaa-p/12020780#M4498788 <P>The target hosts might be differently configured, one requiring TLS while the other allowing SSLv3 (which is the default in SAP systems unless changed). What is the value of the instance profile parameter ssl/client_ciphersuites?</P><P>I assume you are testing the main domain and sub domain the same way, either in SM59 or in code? Testing one one way and the other another way would be silly.</P><P>You could remote to the SAP server and try the troubleshooting steps mentioned in the SAP notes.</P> Thu, 01 Aug 2019 12:28:48 GMT https://community.sap.com/t5/technology-q-a/ssl-handshake-error/qaa-p/12020780#M4498788 SamuliKaski 2019-08-01T12:28:48Z https://community.sap.com/t5/technology-q-a/ssl-handshake-error/qaa-p/12020781#M4498789 <P>Try with the following instance profile parameters:</P><P>icm/HTTPS/client_sni_enabled = TRUE</P><P>ssl/client_ciphersuites = 150:PFS:HIGH</P> Thu, 01 Aug 2019 12:32:25 GMT https://community.sap.com/t5/technology-q-a/ssl-handshake-error/qaa-p/12020781#M4498789 SamuliKaski 2019-08-01T12:32:25Z https://community.sap.com/t5/technology-q-a/ssl-handshake-error/qaa-p/12020782#M4498790 <P>Hi Vishwam,</P><P>I've slightly changed the tags on your question, as "Security" is clearly the primary issue you are trying to solve, and "logging of RFC and web services" is more about collecting trace files. Although you've already got one of the top experts on the case with you in Samuli, but the new tag may attract the attention of others besides, as well as making this more visible to others with the same issue in the future who may be interested in the ultimate solution.</P><P>Cheers,<BR />Matt Fraser<BR />SAP Community Moderator</P> Thu, 01 Aug 2019 14:43:39 GMT https://community.sap.com/t5/technology-q-a/ssl-handshake-error/qaa-p/12020782#M4498790 Matt_Fraser 2019-08-01T14:43:39Z