Skip to Content
Former Member
Feb 13, 2014 at 08:16 PM

CertRequest with empty certificate_autorities list received



In SM59 I've configured a HTTPS connection to a web service with a client certifiate authentication.

These are some key facts:

- I created Individual SSL Client PSE

- I imported the certifiate using sapgenpse import_p12 and then the generated PSE imported into STRUST.

- All root/intermediate CA certificates are stored in CA database.

- WS certificate is listed on Certificate list in STRUST

- ICM service restarted

I tested the certificate using openssl s_client and just with a browser.

This is truncated output of s_client command which shows that the SSL handshake has been completed:

SSL handshake has read 3902 bytes and written 4356 bytes


New, TLSv1/SSLv3, Cipher is RC4-SHA

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE


Protocol : TLSv1

Cipher : RC4-SHA

Session-ID: 32B3D5F44DAA95D2674E0D630F6292AC81600E67CCFC38952C8C861C97F29555


Master-Key: 84660C1FF3CF84483E3F21B6EE48F35C42F9D61B791000D495AE99979CBD468BE8571873C8CA07488B44311007D3AAA1

Key-Arg : None

Start Time: 1392321170

Timeout : 300 (sec)

Verify return code: 0 (ok)

.. but when I run connection test in SM59 I get this (dev_icm):

[Thr 140413440345856] Thu Feb 13 20:25:22 2014

[Thr 140413440345856] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 140413440345856] session uses PSE file "/usr/sap/P60/DVEBMGS60/sec/SAPSSLPKO2.pse"

[Thr 140413440345856] SecudeSSL_SessionStart: SSL_connect() failed --

[Thr 140413440345856] secude_error 536875072 (0x20001040) = "received a fatal SSLv3 handshake failure alert message from the peer"

[Thr 140413440345856] >> ---------- Begin of Secude-SSL Errorstack ---------- >>

[Thr 140413440345856] WARNING in ssl3_read_bytes: (536875072/0x20001040) received a fatal SSLv3 handshake failure alert message from the peer

[Thr 140413440345856] WARNING in ssl3_get_certificate_request: (536871681/0x20000301) CertRequest with empty certificate_autorities list received (violation of SSLv3/TLSv1.0 spec) -- declining request

[Thr 140413440345856] << ---------- End of Secude-SSL Errorstack ----------

[Thr 140413440345856] SSL_get_state() returned 0x000021d0 "SSLv3 read finished A"

[Thr 140413440345856] No certificate request received from Server

[Thr 140413440345856] SSL NI-sock: local= peer=

[Thr 140413440345856] <<- ERROR: SapSSLSessionStart(sssl_hdl=11ff3e0)==SSSLERR_SSL_CONNECT

[Thr 140413440345856] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00000046} [icxxconn_mt.c 1957]

I can't seem to find any information on scn or in any sap note. Let me know if you need any additional details.

Best regards,