on 2019 Sep 07 2:30 PM
Dear Experts,
I have set up a SAP Web Dispatcher. I have added the following security-related parameters in the profile:
wdisp/ssl_encrypt = 1
ssl/ssl_lib = /sapmnt/<SID>/exe/uc/linuxx86_64/sapcrypto.lst
ssl/server_pse = /usr/sap/<SID>/W00/sec/<SID>.pse
wdisp/ssl_auth = 0
icm/HTTPS/verify_client = 0
wdisp/add_client_protocol_header = true
is/HTTP/show_server_header = false
is/HTTP/show_detailed_errors = false
ssl/ciphersuites = 128:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:HIGH:-MEDIUM:!3DES:!ADH:!aNULL:!DES:!DSS:!ECDSA:!eNULL:!EXP:!EXPORT:!MD5:!PSK:!RC4:!SEED:!SSLV2:!LOW
However, the dev_webdisp file looks quite miserable.
I have two main concerns:
1. I am using Kernel 7.73. SAPcryptoLib should be part of it. At least I can see all the files in my exe directory!!
[Thr 139668973037312] =================================================
[Thr 139668973037312] = SSL Initialization platform tag=(linuxx86_64_gcc43)
[Thr 139668973037312] = (773_REL patchno 213,Aug 2 2019,mt,ascii-uc, 16/64/64)
[Thr 139668973037312] = [ipf] ssl/ssl_lib=/sapmnt/<SID>/exe/uc/linuxx86_64/sapcrypto.lst
[Thr 139668973037312] = resulting Filename = "/sapmnt/<SID>/exe/uc/linuxx86_64/sapcrypto.lst"
[Thr 139668973037312] *** ERROR => DlLoadLib()==DLENOACCESS - dlopen("/sapmnt/<SID>/exe/uc/linuxx86_64/sapcrypto.lst") FAILED
"/sapmnt/<SID>/exe/uc/linuxx86_64/sapcrypto.lst: invalid ELF header" [dlux.c 550]
[Thr 139668973037312] *** ERROR => secussl_LoadLibrary(): Unable to load "/sapmnt/<SID>/exe/uc/linuxx86_64/sapcrypto.lst" [ssslsecu.c 635]
[Thr 139668973037312] *** ERROR => Loading of SSL library failed -- NO SSL available!
[Thr 139668973037312] =================================================
[Thr 139668973037312]
[Thr 139668973037312] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_LIB_NOT_FOUND
[Thr 139668973037312] *** ERROR => DlLoadLib()==DLENOACCESS - dlopen("/sapmnt/<SID>/exe/uc/linuxx86_64/sapcrypto.lst") FAILED
"/sapmnt/<SID>/exe/uc/linuxx86_64/sapcrypto.lst: invalid ELF header" [dlux.c 550]
[Thr 139668973037312] *** ERROR => DlLoadLib()==DLENOACCESS - dlopen("libsapsecu.so") FAILED
"libsapsecu.so: cannot open shared object file: No such file or directory" [dlux.c 550]
[Thr 139668973037312] =================================================
WHY this error? How come invalid ELF header? The file does exist and is owned by <SID>adm !!
2. There is some problem with the ciphersuites:
[Thr 139668973037312] *** ERROR => cannot set ciphersuites "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:HIGH:-MEDIUM:!3DES:!ADH:!aNULL:!DES:!DSS:!ECDSA:!eNULL:!EXP:!EXPORT:!MD5:!PSK:!RC4:!SEED:!SSLV2:!LOW"
for PSE "/usr/sap/WD1/W00/sec/WD1.pse" [ssslsecu.c 2993]
[Thr 139668973037312] secussl_Create_SSL_CTX: SSL_CTX_set_default_cipher_suites() failed (1285/0x00000505)
[Thr 139668973037312] => "A function called indirectly got an invalid parameter"
[Thr 139668973037312] >> ---------- Begin of Secu-SSL Errorstack ---------- >>
[Thr 139668973037312] 0x00000505 | SAPCRYPTOLIB | SSL_CTX_set_default_cipher_suites
[Thr 139668973037312] SAPCRYPTO API error
[Thr 139668973037312] A function called indirectly got an invalid parameter
[Thr 139668973037312] 0xa0600000 | SSL | sec_SSL_CTX_set_default_cipher_suites
[Thr 139668973037312] A function called indirectly got an invalid parameter
[Thr 139668973037312] 0xa060000b | SSL | ssl_create_cipher_suites
[Thr 139668973037312] A function parameter is invalid
[Thr 139668973037312] Invalid character in cipher suite string:
[Thr 139668973037312] << ---------- End of Secu-SSL Errorstack ----------
PLEASE kindly let me know what is wrong... All the documents and threads I found are very foggy and lack clear explanation!!! 😞 Many thanks in advance!
Please anyone... Why am I getting this error? PLEASE kindly help me to get this solved !!
Thanks a lot !!!
Dear Isaias,
MANY thanks for your useful comment! It looks better now. However, there is still a problem with the ciphersuites, can you please kindly advise about that one as well...
[Thr 140543562585856] = [ipf] ssl/ciphersuites=128:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:HIGH:-MEDIUM:!3DES:!ADH:!aNULL:!DES:!DSS:!ECDSA:!eNULL:!EXP:!EXPORT:!MD5:!PSK:!RC4:!SEED:!SSLV2:!LOW
[Thr 140543562585856] = NOT creating Envvar SAPSSL_CIPHERSUITES=128:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:HIGH:-MEDIUM:!3DES:!ADH:!aNULL:!DES:!DSS:!ECDSA:!eNULL:!EXP:!EXPORT:!MD5:!PSK:!RC4:
[Thr 140543562585856] = [ctc] ssl/client_ciphersuites=150:PFS:HIGH::EC_P256:EC_HIGH
[Thr 140543562585856] *** ERROR => cannot set ciphersuites "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:HIGH:-MEDIUM:!3DES:!ADH:!aNULL:!DES:!DSS:!ECDSA:!eNULL:!EXP:!EXPORT:!MD5:!PSK:!RC4:!SEED:!SSLV2:!LOW"
for PSE "/usr/sap/<SID>/W00/sec/<SID>.pse" [ssslsecu.c 2993]
[Thr 140543562585856] secussl_Create_SSL_CTX: SSL_CTX_set_default_cipher_suites() failed (1285/0x00000505)
[Thr 140543562585856] => "A function called indirectly got an invalid parameter"
[Thr 140543562585856] >> ---------- Begin of Secu-SSL Errorstack ---------- >>
[Thr 140543562585856] 0x00000505 | SAPCRYPTOLIB | SSL_CTX_set_default_cipher_suites
[Thr 140543562585856] SAPCRYPTO API error
[Thr 140543562585856] A function called indirectly got an invalid parameter
[Thr 140543562585856] 0xa0600000 | SSL | sec_SSL_CTX_set_default_cipher_suites
[Thr 140543562585856] A function called indirectly got an invalid parameter
[Thr 140543562585856] 0xa060000b | SSL | ssl_create_cipher_suites
[Thr 140543562585856] A function parameter is invalid
[Thr 140543562585856] Invalid character in cipher suite string:
[Thr 140543562585856] << ---------- End of Secu-SSL Errorstack ----------
[Thr 140543562585856] Warning: Emergency ciphersuites="PFS:HIGH"
[Thr 140543562585856] = Success -- SapCryptoLib SSL ready!
[Thr 140543562585856] =================================================
Dear Symon,
The parameter "ssl/ssl_lib" is incorrect. It is pointing to a "list file" that contains the list of files required by the SAP CryptoLib.
Based on the trace extract that was posted, the Web Dispatcher in use is from release 773.
Please delete the parameter "ssl/ssl_lib" from the Web Dispatcher profile and restart the Web Dispatcher. Then, it will use the default value, which should point to the correct library file.
Regards,
Isaías
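The mismatch described in the answer above can be checked before a restart. The following is an added example, not part of the original thread and not SAP tooling: it reads ssl/ssl_lib from a profile and tests whether the referenced file begins with the ELF magic bytes, which is what dlopen() requires. The profile names, temporary paths and stub files are constructed for the demo.

```shell
#!/bin/sh
# Added example: verify that ssl/ssl_lib in a Web Dispatcher profile names an
# ELF shared object and not a text file such as sapcrypto.lst.

# Print the value of ssl/ssl_lib from a profile; commented-out lines are ignored.
get_ssl_lib() {
    sed -n 's|^[[:space:]]*ssl/ssl_lib[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$|\1|p' "$1" | tail -n 1
}

# Return 0 if the file starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ -r "$1" ] || return 1
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# Classify a profile:
#   unset - parameter absent, so the kernel default applies
#   ok    - parameter points at a readable ELF file
#   bad   - parameter points at something dlopen() will reject
check_profile() {
    lib=$(get_ssl_lib "$1")
    if [ -z "$lib" ]; then
        echo "unset"
    elif is_elf "$lib"; then
        echo "ok"
    else
        echo "bad"
    fi
}

# --- Constructed demo fixtures (not real SAP files) ---
demo=$(mktemp -d)
printf 'libsapcrypto.so\nsapgenpse\n' > "$demo/sapcrypto.lst"   # plain-text list file
printf '\177ELF\002\001\001' > "$demo/libsapcrypto.so"          # stub holding only an ELF header prefix
printf 'wdisp/ssl_encrypt = 1\nssl/ssl_lib = %s\n' "$demo/sapcrypto.lst" > "$demo/bad.pfl"
printf 'wdisp/ssl_encrypt = 1\nssl/ssl_lib = %s\n' "$demo/libsapcrypto.so" > "$demo/good.pfl"
printf 'wdisp/ssl_encrypt = 1\n# ssl/ssl_lib = %s\n' "$demo/sapcrypto.lst" > "$demo/default.pfl"

for p in bad good default; do
    printf '%s.pfl: %s\n' "$p" "$(check_profile "$demo/$p.pfl")"
done
```

A result of "bad" corresponds to the "invalid ELF header" trace entry in the question; "unset" is the state the answer recommends for release 773.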