
SAP SSL handshake failed

SvenS
Participant
97,468

I'm trying to retrieve data from an open data api. I have downloaded the certificate from the site and imported it into STRUST (SSL Client Anonymous). Then I created a HTTP connection to external server in SM59. In the beginning it worked fine, until last week when the api changed its URL and so its DNS. Of course it could no longer be reached by the current host. So I did above steps again for the new URL (changed everything accordingly like hostname etc. in SM59), but this time I receive following error: SSL handshake with 'hostname:port' failed: SSSLERR_CONN_CLOSED (-10)#Remote Peer has closed the network connection##SapSSLSessionStartNB()==SSSLERR_CONN_CLOSED##

Does anyone have an idea on how to solve this?

Isaias_SAP
Product and Topic Expert

Hello Sven,

Have you imported the new SSL server certificate to the anonymous PSE (STRUST)?

And is the SM59 still configured to use the anonymous PSE too (under the "technical settings" tab)?

Did anything else change at the remote website? Like, now the website requires authentication using a client certificate?

Simulating the issue with the ICM running on trace level 2 and providing the trace might help us to identify other possibilities.

Regards,

Isaías

SvenS
Participant
0 Likes

Hello Isaias

Yes I imported the new SSL server certificate to the anonymous PSE. In SM59 I configured everything correctly. I've been looking into it the past days and I think that the new remote site requests a key of the certificate which isn't provided. I came to this conclusion because at the moment without key it is even impossible to send a request to the site via Postman. I'm gonna try and generate a key via the command prompt and see if I can retrieve a request via Postman.

Let me know if you have any other ideas that I could try.


Kind regards

Sven Swennen

Isaias_SAP
Product and Topic Expert
0 Likes

Hello Sven,

A level 2 trace of the ICM could help us verify whether we can suggest anything else.

You can increase its trace level through the transaction SMICM, then perform a "connection test" at SM59 and reduce the trace level as soon as the issue is simulated.

Besides attaching the trace file to this thread, we would need the name of the target server.

Kind regards,

Isaías

SvenS
Participant
0 Likes

Hello

Only thing the trace is outputting at level 1 is the Remote peer has closed the network connection.

So not really helpful.

The traces at higher levels don't output any errors.

Seems like it is an issue with the certificate. But I don't know how to solve it.

Kind regards

Sven

Isaias_SAP
Product and Topic Expert
0 Likes

Hello Sven,

The trace says "Failed to verify peer certificate. Peer not trusted".

This would mean that SAP does not trust the certificate it received from the remote server.

You would need to either import the certificate itself, or import the certificate of the "issuer" (the CA - Certification Authority - that signed the certificate).

The screenshot does not show whether the client or anonymous PSE ("SAPSSLC.pse" and "SAPSSLA.pse", by default) was in use. So, maybe import the certificate at both, to be on the safe side, as this would not cause any issues.

This wiki page might help.

Kind regards,

Isaías

SvenS
Participant
0 Likes

Hello

The screenshot doesn't show it but I'm certain the anonymous PSE is used. To be sure I also imported it all in standard but without success. Since I'm really stuck I'll provide the link from where I'm trying to get data: https://public.brussels-parking-guidance.com/Datex/Export?publication=dynamic .
I'm not too familiar with certificates, so for your question about the CA certificate I tried the following: I downloaded all the certificates of the site (DST Root, the X3 and the one of the site itself, see screenshot). Then I added them to STRUST by importing them.

Afterwards I created a new HTTP connection to external server in SM59 and filled in all the required fields: as host I put public.brussels-parking-guidance.com and as path prefix /Datex/Export?publication=dynamic. Under logon & security I activated SSL certificate and set it to anonymous (I also configured the proxy correctly). But for some reason it is not trusting the certificate.

Is this the correct way?

Kind regards
Sven

Isaias_SAP
Product and Topic Expert
0 Likes

Hello Sven,

For the purposes of SSL trust, importing the certificate of "Let's Encrypt Authority X3" would suffice, but it would be recommended to import the "DST Root CA X3" too.

There is no need to import the last one ("public.brussels-parking-guidance.com").

Based on the SM59 settings you have mentioned (which seem correct), you would need to import those two certificates at the Anonymous PSE file.

To confirm that everything is correct with it, log on at operating system level as "SIDadm" and execute the following command:

sapgenpse maintain_pk -l -p <path to anonymous PSE - SAPSSLA.pse>

You should see the "DST Root" and the other "X3" certificates listed at the output.

If you see them there, try restarting the ICM (transaction SMICM, menu Administration -> ICM -> Exit Soft/Hard -> Local).

Depending on the SAP NetWeaver release in use, restarting the ICM manually would be required, so it reloads the PSE files.

Regards,

Isaías

SvenS
Participant
0 Likes

Hello

Did it all except for the operating system level (I have no authorization to do this).

Unfortunately still having the same error. It's starting to look like this one just isn't going to work.

Thanks for all the help, if you got any other ideas feel free to still share them so I can test them :).

Kind regards

Sven Swennen

Isaias_SAP
Product and Topic Expert
0 Likes

Hi!

Can you provide the complete "dev_icm" trace file?

Kind regards,

Isaías

BJarkowski
Active Contributor

Hi Isaias,

I tried to replicate the issue and I also encounter it.

Here are my SMICM logs (level 3):

[Thr 140608096933632] Thu Apr 12 14:05:07:547 2018
[Thr 140608096933632]      in: cred_hdl = 7fe1d405c670
[Thr 140608096933632] ->> SapSSLSetTargetHostname(sssl_hdl=7fe1a8001690, &hostname=7fe1a8001500)
[Thr 140608096933632] <<- SapSSLSetTargetHostname(sssl_hdl=7fe1a8001690)==SAP_O_K
[Thr 140608096933632]      in: hostname = "public.brussels-parking-guidance.com"
[Thr 140608096933632] ->> SapSSLSessionStartNB(sssl_hdl=7fe1a8001690, flags=00000000, timeout=80000, &IOstat=7fe1dfab7f30)
[Thr 140608096933632] NiIBlockMode: leave blockmode for hdl 96 FALSE
[Thr 140608096933632] NiIHdlGetStatus: hdl 96/sock 31 ok, no data pending
[Thr 140608096933632]   SapISSLUseSessionCache(): Creating NEW session (0 cached)
[Thr 140608096933632] CCL[SSL]: Cli-0000000C: Have no session to be resumed. Performing full handshake [ssl3_client_hello]
[Thr 140608096933632] CCL[SSL]: Cli-0000000C: ClientHello: Offering protocol version 3.1 (TLSv1.0) [ssl3_get_client_hello_version]
[Thr 140608096933632] CCL[SSL]: Cli-0000000C: ClientHello: no session resumption requested (empty session ID) [ssl3_client_hello]
[Thr 140608096933632] CCL[SSL]: Cli-0000000C: Summary: Offering 6 cipher suite(s) and SCSV(s):
[Thr 140608096933632]     < 0> : TLS_RSA_WITH_AES128_CBC_SHA
[Thr 140608096933632]     < 1> : TLS_RSA_WITH_AES256_CBC_SHA
[Thr 140608096933632]     < 2> : TLS_RSA_WITH_3DES_EDE_CBC_SHA
[Thr 140608096933632]     < 3> : TLS_RSA_WITH_RC4_128_SHA
[Thr 140608096933632]     < 4> : TLS_RSA_WITH_RC4_128_MD5
[Thr 140608096933632]     < 5> : Signaling cipher suite value (SCSV) secure renegotiation (RFC5746)
[Thr 140608096933632]  [ssl_cipher_suites_to_bytes]
[Thr 140608096933632] CCL[SSL]: Cli-0000000C: Sending SSLv3/TLS ClientHello [ssl3_client_hello]
[Thr 140608096933632]   SSL:SiSend(sock=  31)== 0 (SI_OK)       (out=60 of 60)
[Thr 140608096933632]   SSL:SiRecv(sock=  31)==13 (SI_ETIMEOUT) (in=0, max=16)
[Thr 140608096933632]     > SSL:SiPoll(sock=31, evt=R, timeout=80000 ms)
[Thr 140608096933632]   <   SSL:SiPoll(sock=31, evt=R, slept  =  19 ms) Ready
[Thr 140608096933632]   SSL:SiRecv(sock=  31)==12 (SI_ECONN_BROKEN) (in=0, max=16)
[Thr 140608096933632]   SSL_get_state()==0x2120 "TLS read server hello A"
[Thr 140608096933632]   SSLSessionStart: new SSL session (TLSv1.0) no CertRequest
[Thr 140608096933632]   Stop! Required server certificate not present
[Thr 140608096933632] <<- SapSSLSessionStartNB(sssl_hdl=7fe1a8001690)==SSSLERR_CONN_CLOSED
[Thr 140608096933632] ->> SapSSLSessionLastError(sssl_hdl=7fe1a8001690, &rc=7fe1dfab7f20, &rc_name=7fe1dfab7f40, &rc_desc=7fe1dfab7f50, &rc_detail=7fe1dfab7f60)
[Thr 140608096933632] DpSesGetWorkerType: return workerType DIA for T6_U108
[Thr 140608096933632] RqQQueueGetNumberOfRequests: Queue <T6_U108_M0> in slot 45 contains 0 requests of type DIA
[Thr 140608096933632] DpSesGetTasks: found 0 open tasks for T6_U108_M0
[Thr 140608096933632] DpSesGetWorkerType: return workerType DIA for T6_U108
[Thr 140608096933632] RqQQueueGetNumberOfRequests: Queue <T6_U108_M1> in slot 41 contains 0 requests of type DIA
[Thr 140608096933632] DpSesGetTasks: found 1 open tasks for T6_U108_M1
[Thr 140608096933632] *** ERROR => SSL handshake with public.brussels-parking-guidance.com:443 failed: SSSLERR_CONN_CLOSED (-10)
[Thr 140608096933632] Remote Peer has closed the network connection

I thought it may be related to SSL/TLS version, so I checked it with profile parameter

ssl/client_ciphersuites = 208:HIGH:MEDIUM

But it didn't change anything. Sorry for interrupting your answer, but I hope this will help to solve Sven's issue.

BTW. I'm 99,99% sure my config is correct - I added all certs, restarted ICM etc.
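
Two different failure patterns appear in this thread: the trace Isaias quotes earlier ("Failed to verify peer certificate. Peer not trusted"), which points at the client PSE, and the level-3 excerpt above, where the ICM sends a TLSv1.0 ClientHello with five RSA/CBC/RC4 suites and the peer drops the socket before any ServerHello arrives. The following script is an added example, not SAP code and not from anyone in this thread: it parses a CommonCryptoLib client trace excerpt and classifies which of the two patterns it shows, so an administrator can tell a trust problem from a protocol or cipher-suite negotiation problem before touching STRUST. The sample trace is a subset of the lines posted above; the line patterns it matches (hostname, "Offering protocol version", "< n> : TLS_...", "Sending SSLv3/TLS ClientHello", "ServerHello", SI_ECONN_BROKEN/SSSLERR_CONN_CLOSED, "Peer not trusted") are assumptions drawn from that excerpt, not a documented trace format.

```python
"""Classify a CommonCryptoLib/ICM SSL client trace excerpt (added example, not SAP code).

Patterns matched below are assumptions taken from the trace lines posted in this
thread; other CommonCryptoLib versions may word them differently.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the level-3 SMICM excerpt from the thread.
SAMPLE_TRACE = """\
[Thr 140608096933632]      in: hostname = "public.brussels-parking-guidance.com"
[Thr 140608096933632] CCL[SSL]: Cli-0000000C: ClientHello: Offering protocol version 3.1 (TLSv1.0) [ssl3_get_client_hello_version]
[Thr 140608096933632] CCL[SSL]: Cli-0000000C: Summary: Offering 6 cipher suite(s) and SCSV(s):
[Thr 140608096933632]     < 0> : TLS_RSA_WITH_AES128_CBC_SHA
[Thr 140608096933632]     < 1> : TLS_RSA_WITH_AES256_CBC_SHA
[Thr 140608096933632]     < 2> : TLS_RSA_WITH_3DES_EDE_CBC_SHA
[Thr 140608096933632]     < 3> : TLS_RSA_WITH_RC4_128_SHA
[Thr 140608096933632]     < 4> : TLS_RSA_WITH_RC4_128_MD5
[Thr 140608096933632]     < 5> : Signaling cipher suite value (SCSV) secure renegotiation (RFC5746)
[Thr 140608096933632] CCL[SSL]: Cli-0000000C: Sending SSLv3/TLS ClientHello [ssl3_client_hello]
[Thr 140608096933632]   SSL:SiSend(sock=  31)== 0 (SI_OK)       (out=60 of 60)
[Thr 140608096933632]   SSL:SiRecv(sock=  31)==12 (SI_ECONN_BROKEN) (in=0, max=16)
[Thr 140608096933632]   SSL_get_state()==0x2120 "TLS read server hello A"
[Thr 140608096933632] <<- SapSSLSessionStartNB(sssl_hdl=7fe1a8001690)==SSSLERR_CONN_CLOSED
[Thr 140608096933632] *** ERROR => SSL handshake with public.brussels-parking-guidance.com:443 failed: SSSLERR_CONN_CLOSED (-10)
"""

# Legacy suite markers: RC4, 3DES or CBC modes (and, on this page, RSA key exchange only).
LEGACY_CIPHER = re.compile(r"RC4|3DES|_CBC_")
PRE_TLS12 = ("SSLv3", "TLSv1.0", "TLSv1.1")


@dataclass
class HandshakeSummary:
    hostname: str = ""
    offered_version: str = ""            # e.g. "TLSv1.0"
    cipher_suites: list = field(default_factory=list)
    client_hello_sent: bool = False
    server_hello_seen: bool = False
    connection_closed: bool = False
    peer_not_trusted: bool = False


def parse_trace(text):
    """Extract the handshake facts we care about from raw trace text."""
    s = HandshakeSummary()
    for line in text.splitlines():
        if m := re.search(r'in: hostname = "([^"]+)"', line):
            s.hostname = m.group(1)
        elif m := re.search(r"Offering protocol version \S+ \((\S+)\)", line):
            s.offered_version = m.group(1)
        elif m := re.search(r"<\s*\d+>\s*:\s*(TLS_\w+)", line):   # skips the SCSV entry
            s.cipher_suites.append(m.group(1))
        elif "Sending SSLv3/TLS ClientHello" in line:
            s.client_hello_sent = True
        elif "ServerHello" in line:                               # assumed marker
            s.server_hello_seen = True
        elif "SI_ECONN_BROKEN" in line or "SSSLERR_CONN_CLOSED" in line:
            s.connection_closed = True
        elif "Failed to verify peer certificate" in line or "Peer not trusted" in line:
            s.peer_not_trusted = True
    return s


def diagnose(s):
    """Return (label, reasons). Trust failures take precedence: they are explicit."""
    if s.peer_not_trusted:
        return "untrusted_peer_certificate", [
            "server certificate chain is not in the client PSE used by SM59"]
    if s.client_hello_sent and s.connection_closed and not s.server_hello_seen:
        reasons = ["peer closed the connection before sending a ServerHello"]
        if s.offered_version in PRE_TLS12:
            reasons.append(f"only {s.offered_version} offered; a server requiring TLS 1.2+ "
                           "cannot answer this ClientHello")
        if s.cipher_suites and all(LEGACY_CIPHER.search(c) for c in s.cipher_suites):
            reasons.append("every offered cipher suite is legacy (CBC/RC4/3DES, no forward secrecy)")
        return "closed_before_server_hello", reasons
    if s.server_hello_seen:
        return "handshake_progressed", []
    return "inconclusive", []


if __name__ == "__main__":
    summary = parse_trace(SAMPLE_TRACE)
    label, reasons = diagnose(summary)
    print(f"{summary.hostname}: {summary.offered_version}, {len(summary.cipher_suites)} suites -> {label}")
    for r in reasons:
        print("  -", r)
```

Run against the excerpt above it reports closed_before_server_hello with three reasons; a trace containing "Peer not trusted" is reported as a trust problem instead, which is the case where importing the issuer chain into SAPSSLA.pse (and restarting the ICM) is the right fix. The protocol and cipher-suite checks are heuristics from the trace itself, not a confirmed root cause for this particular site.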

SvenS
Participant
0 Likes

Hello

This is the end of the level 2 ICM trace.

Let me know if this is what you wanted to see (I couldn't upload the whole file since it is 30MB and SCN only allows 1MB)?

icm-end.txt

Kind regards

Sven Swennen