
SAP SSL handshake failed

SvenS
Participant
70,327

I'm trying to retrieve data from an open data API. I have downloaded the certificate from the site and imported it into STRUST (SSL Client Anonymous). Then I created an HTTP connection to external server in SM59. In the beginning it worked fine, until last week when the API changed its URL and so its DNS. Of course it could no longer be reached by the current host. So I did the above steps again for the new URL (changed everything accordingly, like hostname etc., in SM59), but this time I receive the following error: SSL handshake with 'hostname:port' failed: SSSLERR_CONN_CLOSED (-10)#Remote Peer has closed the network connection##SapSSLSessionStartNB()==SSSLERR_CONN_CLOSED##

Does anyone have an idea on how to solve this?

SvenS
Participant
0 Kudos

Hello Matt

Thank you very much for adding the tags, I'm new to SAP and SCN so I didn't really know which tags were the best. I read a bit about tags on a blog and tried to pick the most logical ones for me. Do you maybe have a link to some useful tips for picking the correct tags (I'm planning on writing a blog soon and I don't want to post it somewhere incorrect)?

Also a solution has been found and mentioned below, hope it can also help some other people out.

Kind regards

Sven Swennen

Matt_Fraser
Active Contributor

Congrats on getting a solution!

With regard to tags, probably the best resource is the 'about' page at https://www.sap.com/community/about/using-tags.html. Some of the tag names can be a bit confusing, so if you're not certain, you might check around the SAP support website to see if they refer to a product name, as they often do. For instance, many people have questions about master data in their ECC system, i.e. working with MM01, etc, and they tag it with "SAP Master Data Management." That ends up being incorrect, because Master Data Management, or MDM, is a product separate from ECC. So, it can take getting used to.

My usual rule of thumb for choosing tags is to pick a "topic" tag for your primary, then "product" or "function" tags for secondaries, as appropriate. That doesn't always work out, but usually it does. For instance, for most blogs or questions about Basis functions on an ABAP server, I would put "SAP NetWeaver" as the primary tag and "SAP NetWeaver Application Server for ABAP" as the secondary. If it's about ABAP user management, I might use those two, but also add "NW ABAP User Administration" (or whatever it is, it's something similar to that), and so on.

Cheers,
Matt

Robert_Russell
Contributor

Hi Sven,

Interesting question 🙂 had me googling and I have got it to bypass the error SSSLERR_CONN_CLOSED message.

By setting the parameter mentioned in this note to true on my NPL demo system 751

2124480 - ICM / Web Dispatcher: TLS Extension Server Name Indication (SNI) as client

"To enable SNI set icm/HTTPS/client_sni_enabled to "true". This parameter is dynamic."

If you're interested 🙂 my googling was a result of trying and failing with openssl client connections (to see another non-browser connection).

The errors in this connection led me to these links which mentioned Server Name Indication (SNI) as a way of using more certificates on one IP address. Which must be the case for "public.brussels-parking-guidance.om" and the SAP parameter is required.

Hope it helps 🙂

Cheers

Robert

Isaías
Product and Topic Expert

Hi all,

I could simulate the issue using an internal test system.

I was discussing this case with a BC-SEC-SSL colleague, and then I saw Robert's update.

I performed some tests and it worked for me. Thus, setting "icm/HTTPS/client_sni_enabled = TRUE" should be the solution.

Thank you, Robert! Well done :-).

Regards,

Isaías


BJarkowski
Active Contributor

Wow! Congrats Rob!

SvenS
Participant
0 Kudos

Hello Robert

Thanks for the answer. I'm new to SAP and I want to verify if I'm going to do this correctly. For this parameter am I correct that I have to go to RZ10, fill in the profile I'm using and then create this parameter (because I don't see the parameter in any of the profiles)?

Or am I completely incorrect and is "icm/HTTPS/client_sni_enabled = TRUE" found somewhere else? I tried googling it but it only says what it is and does but not where to modify it.

Kind regards

Sven Swennen

Isaías
Product and Topic Expert

Hello Sven,

You are correct.

You access the transaction RZ10 and create the parameter there, at the instance profile (or even at the DEFAULT.PFL, so all instances have this parameter set; this also avoids the need to set the parameter on each instance profile).

You would have to restart SAP to activate the changes made to the profiles.

However, the parameter in question (icm/HTTPS/client_sni_enabled) is dynamically switchable.

Thus, besides creating the parameter through RZ10 (so SAP already starts with the desired value when restarted), you can activate the new value immediately through the transaction RZ11.

Kind regards,

Isaías

SvenS
Participant

Thank you so much, all of you for helping me out.

I will create this parameter, but I'll have to discuss with my boss if it's possible to restart SAP overnight or if I have to wait till the next update. Since I'm doing this on our company server, they probably won't like it if I casually restart it now. I'll let you know if it worked or not, so fingers crossed :).

UPDATE: if everything goes to plan I should be able to test it Wednesday, so if it all works I'll mark this one as the correct answer.

Thanks for all the help & kind regards

Sven Swennen

Isaías
Product and Topic Expert

Hello Sven,

Just remarking that you can switch the value of the parameter dynamically, through transaction RZ11.

Therefore, there is no need to restart SAP :-).

This, however, does not eliminate the need to set the parameter at the profile too (RZ10).

Being a dynamic change, it will be lost if/when SAP is restarted. Setting the parameter at the profile ensures that SAP already starts with the desired value.

Kind regards,

Isaías

SvenS
Participant
0 Kudos

Hello Isaias

Yes, I read it in the other comments too, but I forgot to mention that I'm not authorized to use RZ11, but I'm authorized to use RZ10 (no idea why). Asking for new authorizations will take longer than waiting for the restart of the application server.

Kind regards

Sven Swennen

SvenS
Participant

Problem has been resolved, thank you very much!

Kind regards

Sven

0 Kudos

Hi there, your answer was very helpful, thank you so much!

However, I was wondering if I could set the parameter to TRUE in my ABAP code? Since I don't want to set it permanently to true but only during the execution of a script. Would that be possible? And if yes, how?

Matt_Fraser
Active Contributor

sonjadeissenboeck , theoretically, that should be possible with function module SPFL_PARAMETER_CHANGE_VALUE, but my gut feeling is that manipulating profile parameters in ABAP programs is likely to be a bad idea. You might want to take this question over to the ABAP Development tag and see what folks think of it there. Why not set this parameter regularly and keep it that way? Does it break an existing connection you have to an external resource? If so, when you dynamically set it in your code, you're going to break that connection temporarily anyway, so it seems a better option would be to work with that external resource to get it to support SNI.

Cheers,
Matt