cancel
Showing results for 
Search instead for 
Did you mean: 

HTTP/1.0 500 Native SSL error

0 Kudos
5,776

Hello Team,

I am trying to connect to an external webserver from SAP ECC.

I have created an SSL client identity and imported the Server certificates to this PSE in STRUST. I have also added the other certificates in the entire server certificate chain to the PSE. When I try to test the connection, I get the following error:

***************************************************************************************************

[Thr 11512] SSL NI-sock: local=x.y.z.a:8000 peer=a.b.c.d:443

[Thr 11512] <<- SapSSLSetNiHdl(sssl_hdl=52134acd0, ni_hdl=163)==SAP_O_K

[Thr 11512] IcmConnInitClientSSL: using default pse, show client certificate if available

[Thr 11512] <<- SapSSLSetTargetHostname(sssl_hdl=52134acd0)==SAP_O_K

[Thr 11512] in: hostname = "client web url"

[Thr 11512] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_CONNECTION_LOST

[Thr 11512] session uses PSE file "/usr/sap/hostname/D02/sec/SAPSSLC.pse"

[Thr 11512] No Secude Error present in trace stack!

[Thr 11512] SSL_get_state() returned 0x00002120 "SSLv3 read server hello A"

[Thr 11512] No certificate request received from Server

[Thr 11512] <<- ERROR: SapSSLSessionStart(sssl_hdl=52134acd0)==SSSLERR_SSL_CONNECT

[Thr 11512] <<- SapSSLErrorName()==SSSLERR_SSL_CONNECT

[Thr 11512] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00010090} [icxxconn_mt.

[Thr 11512] <<- SapSSLSessionDone()==SAP_O_K

[Thr 11512] in: sssl_hdl = 52134acd0

[Thr 11512] ... ni_hdl = 193

***************************************************************************************

Accepted Solutions (1)

Accepted Solutions (1)

Isaías
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hello Praveen,

The first error that is occurring is:

[Thr 11512] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_CONNECTION_LOST

This would occur when the network connection was closed.

You can capture a network trace (tcpdump) to see whether anything unusual is occurring (like the SAP server receiven reset - RST - packets).

The analysis should continue from a network perspective.

Regards,

Isaías

0 Kudos

Hello Isaias,

Thanks for your inputs. While i check on the network part , i wanted to update you that connection seems to work fine from the browser level. Do you think there would a chance that it works with the same certificates in browser level but stop working from SAP due to Network issue. Kindly confirm. Thanks.

Regards,

Praveen

Isaías
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hello Praveen,

You are welcome! 🙂

Did you execute the browser on the same machine where SAP is running?

If not it would mean that different network paths could be involved. So, yes, it could still be something at the network even if it worked on the browser.

Regards,

Isaías

0 Kudos

Hello Isaias,

Sorry for the delayed response. I was trying to check on how to initiate the trace and i wasn't sure on how to do it. Would you know if there is any SAP note i can refer to get the exact command to use to check this.

Thanks,

Praveen

Isaías
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hello Praveen,

I do not know any SAP Note that would address network tracing.

You network / operating system team should be able to help you.

"tcpdump" would have to be executed as "root".

A typical command for Linux would be "tcpdump -i any -n -w <file.pcap>".

Usually executing "man <command>" works on any Linux/UNIX server, so you get help with the command ;-).

Regards,

Isaías

0 Kudos

Thanks Isaias.

Isaías
Product and Topic Expert
Product and Topic Expert
0 Kudos

You are welcome!

0 Kudos

Hello Isaias,

If tcpdump is not an option , would you recommend any other tools to identify the issue as the connection is established initially and then lost in between and we are unsure on what is causing the connection lost. Thanks.

Isaías
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hello Praveen,

Your network team should assist you with this.

They should indicate which tool they prefer to use.

For Linux/UNIX servers, "tcpdump" is the most common tool.

For Windows, it is "Wireshark".

Regards,

Isaías

Answers (1)

Answers (1)

0 Kudos

This was resolved by adding ssl/client_ciphersuites = 982:HIGH:MEDIUM:+e3DES profile parameter.