Former Member

CertRequest with empty certificate_autorities list received

Hi,

In SM59 I've configured an HTTPS connection to a web service with client certificate authentication.

These are some key facts:

- I created an Individual SSL Client PSE

- I imported the certificate using sapgenpse import_p12 and then imported the generated PSE into STRUST.

- All root/intermediate CA certificates are stored in CA database.

- The WS certificate is listed in the Certificate list in STRUST

- ICM service restarted

I tested the certificate using openssl s_client and just with a browser.

This is truncated output of s_client command which shows that the SSL handshake has been completed:

SSL handshake has read 3902 bytes and written 4356 bytes

---

New, TLSv1/SSLv3, Cipher is RC4-SHA

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

SSL-Session:

Protocol : TLSv1

Cipher : RC4-SHA

Session-ID: 32B3D5F44DAA95D2674E0D630F6292AC81600E67CCFC38952C8C861C97F29555

Session-ID-ctx:

Master-Key: 84660C1FF3CF84483E3F21B6EE48F35C42F9D61B791000D495AE99979CBD468BE8571873C8CA07488B44311007D3AAA1

Key-Arg : None

Start Time: 1392321170

Timeout : 300 (sec)

Verify return code: 0 (ok)

... but when I run the connection test in SM59 I get this (dev_icm):

[Thr 140413440345856] Thu Feb 13 20:25:22 2014

[Thr 140413440345856] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 140413440345856] session uses PSE file "/usr/sap/P60/DVEBMGS60/sec/SAPSSLPKO2.pse"

[Thr 140413440345856] SecudeSSL_SessionStart: SSL_connect() failed --

[Thr 140413440345856] secude_error 536875072 (0x20001040) = "received a fatal SSLv3 handshake failure alert message from the peer"

[Thr 140413440345856] >> ---------- Begin of Secude-SSL Errorstack ---------- >>

[Thr 140413440345856] WARNING in ssl3_read_bytes: (536875072/0x20001040) received a fatal SSLv3 handshake failure alert message from the peer

[Thr 140413440345856] WARNING in ssl3_get_certificate_request: (536871681/0x20000301) CertRequest with empty certificate_autorities list received (violation of SSLv3/TLSv1.0 spec) -- declining request

[Thr 140413440345856] << ---------- End of Secude-SSL Errorstack ----------

[Thr 140413440345856] SSL_get_state() returned 0x000021d0 "SSLv3 read finished A"

[Thr 140413440345856] No certificate request received from Server

[Thr 140413440345856] SSL NI-sock: local=10.105.18.244:53167 peer=192.168.7.62:9000

[Thr 140413440345856] <<- ERROR: SapSSLSessionStart(sssl_hdl=11ff3e0)==SSSLERR_SSL_CONNECT

[Thr 140413440345856] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00000046} [icxxconn_mt.c 1957]

I can't seem to find any information on SCN or in any SAP Note. Let me know if you need any additional details.

Best regards,

wojtek


1 Answer

  • Best Answer
    Former Member
    Posted on Feb 18, 2014 at 10:25 AM

    OK, case closed. The problem turned out to be on the WS side. The WS administrator added the Issuer CA to the list of Certification Authorities whose clients the WS deals with.

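The dev_icm trace above shows the client declining a CertificateRequest whose certificate_authorities list was empty, and the accepted answer resolved it by having the server list the issuer CA. The following is an added example, not part of the original thread or of any SAP tool: it parses a CertificateRequest handshake message in the TLS 1.0 wire layout (RFC 2246, section 7.4.4) and reports whether the list is empty or contains the client certificate's issuer. The function names, the "Test CA" name and the sample bytes are constructed for illustration; extracting the raw handshake message from a capture is assumed to be done elsewhere.

```python
import struct

CERTIFICATE_REQUEST = 13  # handshake msg_type, RFC 2246 section 7.4

def parse_certificate_request(msg: bytes) -> dict:
    """Parse a TLS 1.0 CertificateRequest handshake message, header included."""
    if len(msg) < 4 or msg[0] != CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest handshake message")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("handshake length does not match the data")
    try:
        n_types = body[0]                    # certificate_types: 1-byte length
        types = list(body[1:1 + n_types])
        pos = 1 + n_types
        (ca_len,) = struct.unpack_from(">H", body, pos)  # 2-byte list length
        pos += 2
        if pos + ca_len != len(body):
            raise ValueError("certificate_authorities length mismatch")
        names = []
        while pos < len(body):
            (dn_len,) = struct.unpack_from(">H", body, pos)
            pos += 2
            if pos + dn_len > len(body):
                raise ValueError("distinguished name overruns the list")
            names.append(body[pos:pos + dn_len])  # DER Name, kept opaque
            pos += dn_len
    except (IndexError, struct.error):
        raise ValueError("truncated CertificateRequest") from None
    return {"types": types, "authorities": names}

def assess(msg: bytes, issuer_dn: bytes) -> str:
    """Classify the request against the client certificate's issuer DN (DER)."""
    authorities = parse_certificate_request(msg)["authorities"]
    if not authorities:
        return "empty-list"  # the case the trace reports as a spec violation
    return "issuer-listed" if issuer_dn in authorities else "issuer-not-listed"

def build_request(types, dns) -> bytes:
    """Build a sample message (constructed test input, not captured traffic)."""
    cas = b"".join(struct.pack(">H", len(d)) + d for d in dns)
    body = bytes([len(types)]) + bytes(types) + struct.pack(">H", len(cas)) + cas
    return bytes([CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body

# Constructed DER for the hypothetical issuer name "CN=Test CA".
ISSUER_DN = bytes.fromhex("3012311030 0e 0603550403 1307") + b"Test CA"
EMPTY_LIST = build_request([1], [])            # 1 = rsa_sign, no CA names
WITH_ISSUER = build_request([1], [ISSUER_DN])  # server lists the issuer CA
```

The parser compares distinguished names byte for byte, so the issuer DN passed to assess() must be the DER encoding taken from the client certificate itself.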
