cancel
Showing results for 
Search instead for 
Did you mean: 

SAP SSL handshake failed

SvenS
Participant
71,990

I'm trying to retrieve data from an open data api. I have downloaded the certificate from the site and imported it into STRUST (SSL Client Anonymous). Then I created a HTTP connection to external server in SM59. In the beginning it worked fine, until last week when the api changed its URL and so its DNS. Ofcourse it could no longer be reached by the current host. So I did above steps again for the new URL (changed everything accordingly like hostname etc. in SM59), but this time I receive following error: SSL handshake with 'hostname:port' failed: SSSLERR_CONN_CLOSED (-10)#Remote Peer has closed the network connection##SapSSLSessionStartNB()==SSSLERR_CONN_C LOSED##

Anyone has an idea on how to solve this?

SvenS
Participant
0 Kudos

Hello Matt

Thank you very much for adding the tags, I'm new to SAP and SCN so I didn't really know which tags where the best. I read a bit about tags on a blog and tried to pick the most logic ones for me. Do you maybe have a link to some useful tips for picking the correct tags (I'm planning on writing a blog soon and I don't want to post it somewhere incorrect)?

Also a solution has been found and mentioned below, hope it can also help some other people out.

Kind regards

Sven Swennen

Matt_Fraser
Active Contributor

Congrats on getting a solution!

With regard to tags, probably the best resource is the 'about' page at https://www.sap.com/community/about/using-tags.html. Some of the tag names can be a bit confusing, so if you're not certain, you might check around the SAP support website to see if they refer to a product name, as they often do. For instance, many people have questions about master data in their ECC system, i.e. working with MM01, etc, and they tag it with "SAP Master Data Management." That ends up being incorrect, because Master Data Management, or MDM, is a product separate from ECC. So, it can take getting used to.

My usual rule of thumb for choosing tags is to pick a "topic" tag for your primary, then "product" or "function" tags for secondaries, as appropriate. That doesn't always work out, but usually it does. For instance, for most blogs or questions about Basis functions on an ABAP server, I would put "SAP NetWeaver" as the primary tag and "SAP NetWeaver Application Server for ABAP" as the secondary. It's about ABAP user management, I might use those two, but also add "NW ABAP User Administration" (or whatever it is, it's something similar to that), and so on.

Cheers,
Matt

Accepted Solutions (1)

Accepted Solutions (1)

Robert_Russell
Contributor

Hi Sven,

Interesting question 🙂 had me googling and I have got it to bypass the error SSSLERR_CONN_C LOSED message.

By setting the parameter mentioned in this note to true on my NPL demo system 751

2124480 - ICM / Web Dispatcher: TLS Extension Server Name Indication (SNI) as client

"To enabled SNI seticm/HTTPS/client_sni_enabled to "true". This parameter is dynamic."

If your interested 🙂 my googling was a result of trying and failing with openssl client connections ( to see another non browser connection.)

The errors in this connection led me to these links which mentioned Server Name Indication (SNI) as a way of using more certificates on one IP address. Which must be the case for "public.brussels-parking-guidance.om" and the SAP parameter is required.

Hope it helps 🙂

Cheers

Robert

Isaías
Product and Topic Expert
Product and Topic Expert

Hi all,

I could simulate the issue using an internal test system.

I was discussing this case with a BC-SEC-SSL colleague, and then I saw Robert's update.

I performed some tests and it worked for me. Thus, setting "icm/HTTPS/client_sni_enabled = TRUE" should be the solution.

Thank you, Robert! Well done :-).

Regards,

Isaías

Notify: db8ac33b71d34a778adf273b064c4883 , svenswennen

BJarkowski
Active Contributor

Wow! Congrats Rob!

SvenS
Participant
0 Kudos

Hello Robert

Thanks for the answer. I'm new to SAP and I want to verify if I'm going to do this correctly. For this paramater am I correct that I have to go to RZ10, fill in the profile I'm using and then create this parameter (because I don't see the parameter in any of the profiles)?

Or am i completely incorrect and is "icm/HTTPS/client_sni_enabled = TRUE" found somewhere else? I tried googling it but it only says what it is and does but not where to modify it.

Kind regards

Sven Swennen

Isaías
Product and Topic Expert
Product and Topic Expert

Hello Sven,

You are correct.

You access the transaction RZ10 and create the parameter there, at the instance profile (or even at the DEFAULT.PFL, so all instances have this parameter set; this also avoids the need to set the parameter on each instance profile).

You would have to restart SAP to activate the changes made to the profiles.

However, the parameter in question (icm/HTTPS/client_sni_enabled) is dynamically switchable.

Thus, besides creating the parameter through RZ10 (so SAP already starts with the desired value when restarted), you can activate the new value immediately through the transaction RZ11.

Kind regards,

Isaías

SvenS
Participant

Thank you so much, all of you for helping me out.

I will create this paramater, but I'll have to discuss with my boss if it's possible to restart SAP overnight or if I have to wait till the next update since I'm doing this on our company server they will probably won't like it if I casually restart it now. I'll let it know if it worked or not, so fingers crossed :).

UPDATE: if everything goes to plan I should be able to test it wednesday, so if it all works I'll mark this one as the correct answer.

Thanks for all the help & kind regards

Sven Swennen

Isaías
Product and Topic Expert
Product and Topic Expert

Hello Sven,

Just remarking that you can switch the value of the parameter dynamically, through transaction RZ11.

Therefore, there is no need to restart SAP :-).

This, however, does not eliminate the need to set the parameter at the profile too (RZ10).

Being a dynamic change, it will be lost if/when SAP is restarted. Setting the parameter at the profile ensures that SAP already starts with the desired value.

Kind regards,

Isaías

SvenS
Participant
0 Kudos

Hello Isaias

Yes I read it in the other comments too but I forgot to mention that I'm not authorized to use RZ11, but I'm authorized to use RZ10 (no idea why). Asking for new authorizations will take longer then waiting for the restart of the application server.

Kind regards

Sven Swennen

SvenS
Participant

Problem has been resolved thank you very much!

Kind regards

Sven

0 Kudos

Hi there, your answer was very helpful, thank you so much!

However, I was wondering if I could set the parameter to TRUE in my ABAP code? Since I don't want to set it permanently to true but only during the execution of a script.. would that be possible? and if yes, how?

Matt_Fraser
Active Contributor

sonjadeissenboeck , theoretically, that should be possible with function module SPFL_PARAMETER_CHANGE_VALUE, but my gut feeling is that manipulating profile parameters in ABAP programs is likely to be a bad idea. You might want to take this question over to the ABAP Development tag and see what folks think of it there. Why not set this parameter regularly and keep it that way? Does it break an existing connection you have to an external resource? If so, when you dynamically set it in your code, you're going to break that connection temporarily anyway, so it seems a better option would be to work with that external resource to get it to support SNI.

Cheers,
Matt

Answers (3)

Answers (3)

BJarkowski
Active Contributor

Can you connect to the target host through browser?

I would also check the SSL config on the target (for example using it: https://www.ssllabs.com/ssltest/).

This might also be a cipher issue - maybe you need to enable other cipher suite on AS.

Check SAP Note 2570499 - How to adjust the supported SSL cipher suites in AS ABAP

SvenS
Participant
0 Kudos

Thanks for the response

Yes I can connect to the target host via browser.

Could you explain what you mean by other cipher suite? and how I can know if I need another one? I'm not familiar with certificates so I don't really get what you mean.

But if it has anything to do with following:

I can tell you that it is the same as another certificate which is working at the moment.

UPDATE:

Could it be that this is the problem? the other certificate that works at the moment has this enabled.

Kind regards

Sven

BJarkowski
Active Contributor
0 Kudos

That was just a guess with the cipher suite, maybe not the best 🙂

One more question - did you import to STRUST the full certification path? I mean also the certificate of the CA that signed the certificate for the website.

SvenS
Participant
0 Kudos

I'm not familiar with certificates so since I'm really stuck I'll let you know what I did. I need to get data of following site: https://public.brussels-parking-guidance.com/Datex/Export?publication=dynamic . I downloaded following certificates of the site (DST, X3 and the one of the site itself).

I imported all these certificates into STRUST in the anonymous and standard PSE. Afterwards I created a new HTTP connection to external server in SM59 and filled in all the required fields as host I put public.brussels-parking-guidance.com and path prefix /Datex/Export?publication=dynamic. By logon & security I activated SSL certificate and put it on anonymous (I also configured the proxy correct). But for some reason it is not trusting the certificate.

Is this the correct way to do it?

EDIT: if you want also check above response, I added a level 2ICM trace file there if it helps.

Kind reagerds

Sven Swennen

Isaías
Product and Topic Expert
Product and Topic Expert

Hello Sven,

Have you imported the new SSL server certificate to the anonymous PSE (STRUST)?

And is the SM59 still configured to use the anonymous PSE too (under the "technical settings" tab)?

Did anything else change at the remote website? Like, now the website requires authentication using a client certificate?

Simulating the issue with the ICM running on trace level 2 and providing the trace might help us to identify other possibilities.

Regards,

Isaías

SvenS
Participant
0 Kudos

Hello Isaias

Yes I imported the new SSL server certificate to the anonymous PSE. In SM59 I configured everything correctly. I've been looking into it the past days and I think that the new remote site requests a key of the certificate which isn't provided. I came to this conclusion because at the moment without key it is even impossible to send a request to the site via Postman. I'm gonna try and generate a key via the command prompt and see if I can reach retrieve a request via Postman.

Let me know if you have any other ideas that I could try.


Kind reagrds

Sven Swennen

Isaías
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hello Sven,

A level 2 trace of the ICM could help us verifying whether we can suggest anything else.

You can increase its trace level through the transaction SMICM, then perform a "connection test" at SM59 and reduce the trace level as soon as the issue is simulated.

Besides attaching the trace file to this thread, we would need the name of the target server.

Kind regards,

Isaías

SvenS
Participant
0 Kudos

Hello

Only thing the trace is outputting at level 1 is the Remote peer has closed the network connection.

So not really helpful.

The traces at higher levels don't output any errors.

Seems like it is an issue with the certificate. But I don't know how to solve it.

Kind regards

Sven

Isaías
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hello Sven,

The trace says "Failed to verify peer certificate. Peer not trusted".

This would mean that SAP does not trust the certificate it received from the remote server.

You would need to either import the certificate itself, or import the certificate of the "issuer" (the CA - Certification Authority - that signed the certificate).

The screenshot does not show whether the client or anonymous PSE ("SAPSSLC.pse" and "SAPSSLA.pse", by default) was in use. So, maybe import the certificate at both, to be on the safe side, as this would not cause any issues.

This wiki page might help.

Kind regards,

Isaías

SvenS
Participant
0 Kudos

Hello

The screenshot doesn't show it but I'm certain the anonymous PSE is used. To be sure I also imported it all in standard but without success. Since I'm really stuck I'll provide the link from where I'm trying to get data: https://public.brussels-parking-guidance.com/Datex/Export?publication=dynamic .
I'm not to familiar with certificates so for you question of the CA certificate I tried following: I downloaded all the certificates of the site (DST Root, The X3 and the one of the site itself, see screenshot). Then I added them to STRUST by importing them.

Afterwards I created a new HTTP connection to external server in SM59 and filled in all the required fields as host I put public.brussels-parking-guidance.com and path prefix /Datex/Export?publication=dynamic. By logon & security I activated SSL certificate and put it on anonymous (I also configured the proxy correct). But for some reason it is not trusting the certificate.

Is this the correct way?

Kind reagrds
Sven

Isaías
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hello Sven,

For the purposes of SSL trust, importing the certificate of "Let's Encrypt Authority X3" would suffice, but it would be recommended to import the "DST Root CA X3" too.

There is no need to import the last one ("public.brussels-parking-guidance.om").

Based on the SM59 settings you have mentioned (which seem correct), you would need to import those two certificates at the Anonymous PSE file.

To confirm that everything is correct with it, logon at operating system level as "SIDadm" and execute the following command:

sapgenpse maintain_pk -l -p <path to anonymous PSE - SAPSSLA.pse>

You should see the "DST Root" and the other "X3" certificates listed at the output.

If you see them there, try restarting the ICM (transaction SMICM, menu Administration -> ICM -> Exit Soft/Hard -> Local).

Depending on the SAP NetWeaver release in use, restarting the ICM manually would be required, so it reloads the PSE files.

Regards,

Isaías

SvenS
Participant
0 Kudos

Hello

Did it all except for the operating system level (I have no authorization to do this).

Unfortunately still having the same error. It's starting to look like this one just isn't going to work.

Thanks for all the help, if you got any other ideas feel free to still share them so I can test them :).

Kind regards

Sven Swennen

Isaías
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hi!

Can you provide the complete "dev_icm" trace file?

Kind regards,

Isaías

BJarkowski
Active Contributor

Hi Isaias,

I tried to replicate the issue and I also encounter it.

Here my smicm logs (level 3)

[Thr 140608096933632] Thu Apr 12 14:05:07:547 2018
[Thr 140608096933632]      in: cred_hdl = 7fe1d405c670
[Thr 140608096933632] ->> SapSSLSetTargetHostname(sssl_hdl=7fe1a8001690, &hostname=7fe1a8001500)
[Thr 140608096933632] <<- SapSSLSetTargetHostname(sssl_hdl=7fe1a8001690)==SAP_O_K
[Thr 140608096933632]      in: hostname = "public.brussels-parking-guidance.com"
[Thr 140608096933632] ->> SapSSLSessionStartNB(sssl_hdl=7fe1a8001690, flags=00000000, timeout=80000, &IOstat=7fe1dfab7f30)
[Thr 140608096933632] NiIBlockMode: leave blockmode for hdl 96 FALSE
[Thr 140608096933632] NiIHdlGetStatus: hdl 96/sock 31 ok, no data pending
[Thr 140608096933632]   SapISSLUseSessionCache(): Creating NEW session (0 cached)
[Thr 140608096933632] CCL[SSL]: Cli-0000000C: Have no session to be resumed. Performing full handshake [ssl3_client_hello]
[Thr 140608096933632] CCL[SSL]: Cli-0000000C: ClientHello: Offering protocol version 3.1 (TLSv1.0) [ssl3_get_client_hello_version]
[Thr 140608096933632] CCL[SSL]: Cli-0000000C: ClientHello: no session resumption requested (empty session ID) [ssl3_client_hello]
[Thr 140608096933632] CCL[SSL]: Cli-0000000C: Summary: Offering 6 cipher suite(s) and SCSV(s):
[Thr 140608096933632]     < 0> : TLS_RSA_WITH_AES128_CBC_SHA
[Thr 140608096933632]     < 1> : TLS_RSA_WITH_AES256_CBC_SHA
[Thr 140608096933632]     < 2> : TLS_RSA_WITH_3DES_EDE_CBC_SHA
[Thr 140608096933632]     < 3> : TLS_RSA_WITH_RC4_128_SHA
[Thr 140608096933632]     < 4> : TLS_RSA_WITH_RC4_128_MD5
[Thr 140608096933632]     < 5> : Signaling cipher suite value (SCSV) secure renegotiation (RFC5746)
[Thr 140608096933632]  [ssl_cipher_suites_to_bytes]
[Thr 140608096933632] CCL[SSL]: Cli-0000000C: Sending SSLv3/TLS ClientHello [ssl3_client_hello]
[Thr 140608096933632]   SSL:SiSend(sock=  31)== 0 (SI_OK)       (out=60 of 60)
[Thr 140608096933632]   SSL:SiRecv(sock=  31)==13 (SI_ETIMEOUT) (in=0, max=16)
[Thr 140608096933632]     > SSL:SiPoll(sock=31, evt=R, timeout=80000 ms)
[Thr 140608096933632]   <   SSL:SiPoll(sock=31, evt=R, slept  =  19 ms) Ready
[Thr 140608096933632]   SSL:SiRecv(sock=  31)==12 (SI_ECONN_BROKEN) (in=0, max=16)
[Thr 140608096933632]   SSL_get_state()==0x2120 "TLS read server hello A"
[Thr 140608096933632]   SSLSessionStart: new SSL session (TLSv1.0) no CertRequest
[Thr 140608096933632]   Stop! Required server certificate not present
[Thr 140608096933632] <<- SapSSLSessionStartNB(sssl_hdl=7fe1a8001690)==SSSLERR_CONN_CLOSED
[Thr 140608096933632] ->> SapSSLSessionLastError(sssl_hdl=7fe1a8001690, &rc=7fe1dfab7f20, &rc_name=7fe1dfab7f40, &rc_desc=7fe1dfab7f50, &rc_detail=7fe1dfab7f60)
[Thr 140608096933632] DpSesGetWorkerType: return workerType DIA for T6_U108
[Thr 140608096933632] RqQQueueGetNumberOfRequests: Queue <T6_U108_M0> in slot 45 contains 0 requests of type DIA
[Thr 140608096933632] DpSesGetTasks: found 0 open tasks for T6_U108_M0
[Thr 140608096933632] DpSesGetWorkerType: return workerType DIA for T6_U108
[Thr 140608096933632] RqQQueueGetNumberOfRequests: Queue <T6_U108_M1> in slot 41 contains 0 requests of type DIA
[Thr 140608096933632] DpSesGetTasks: found 1 open tasks for T6_U108_M1
[Thr 140608096933632] *** ERROR => SSL handshake with public.brussels-parking-guidance.com:443 failed: SSSLERR_CONN_CLOSED (-10)
[Thr 140608096933632] Remote Peer has closed the network connection<br>

I thought it may be related to SSL/TLS version, so I checked it with profile parameter

ssl/client_ciphersuites = 208:HIGH:MEDIUM

But it didn't change anything. Sorry for interrupting in your answer, but I hope this will help to solve Sven issue.

BTW. I'm 99,99% sure my config is correct - I added all certs, restarted ICM etc.

SvenS
Participant
0 Kudos

Hello

This is the end of the level 2 ICM trace.

Let me know if this is what you wanted to see (I couldn't upload the whole file since it is 30MB and SCN only allows 1MB)?

icm-end.txt

Kind reagrds

Sven Swennen

former_member145793
Discoverer
0 Kudos

Is your issue got resolved? I am facing similar issue

SvenS
Participant
0 Kudos

Yes the issue was resolved.The answer from Robert to change the parameter in RZ10 was the solution for my problem.

Kind regards
Sven