CertRequest with empty certificate_autorities list received

Former Member
0 Kudos

Hi,

In SM59 I've configured an HTTPS connection to a web service with client certificate authentication.

These are some key facts:

- I created an individual SSL client PSE

- I imported the certificate using sapgenpse import_p12 and then imported the generated PSE into STRUST.

- All root/intermediate CA certificates are stored in CA database.

- The WS certificate is listed in the certificate list in STRUST

- ICM service restarted

I tested the certificate using openssl s_client and just with a browser.

This is truncated output of s_client command which shows that the SSL handshake has been completed:

    SSL handshake has read 3902 bytes and written 4356 bytes
    ---
    New, TLSv1/SSLv3, Cipher is RC4-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : RC4-SHA
        Session-ID: 32B3D5F44DAA95D2674E0D630F6292AC81600E67CCFC38952C8C861C97F29555
        Session-ID-ctx:
        Master-Key: 84660C1FF3CF84483E3F21B6EE48F35C42F9D61B791000D495AE99979CBD468BE8571873C8CA07488B44311007D3AAA1
        Key-Arg   : None
        Start Time: 1392321170
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)

... but when I run the connection test in SM59 I get this (dev_icm):

    [Thr 140413440345856] Thu Feb 13 20:25:22 2014
    [Thr 140413440345856] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
    [Thr 140413440345856]    session uses PSE file "/usr/sap/P60/DVEBMGS60/sec/SAPSSLPKO2.pse"
    [Thr 140413440345856] SecudeSSL_SessionStart: SSL_connect() failed --
    [Thr 140413440345856]   secude_error 536875072 (0x20001040) = "received a fatal SSLv3 handshake failure alert message from the peer"
    [Thr 140413440345856] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
    [Thr 140413440345856] WARNING in ssl3_read_bytes: (536875072/0x20001040) received a fatal SSLv3 handshake failure alert message from the peer
    [Thr 140413440345856] WARNING in ssl3_get_certificate_request: (536871681/0x20000301) CertRequest with empty certificate_autorities list received (violation of SSLv3/TLSv1.0 spec) -- declining request
    [Thr 140413440345856] << ---------- End of Secude-SSL Errorstack ----------
    [Thr 140413440345856]   SSL_get_state() returned 0x000021d0 "SSLv3 read finished A"
    [Thr 140413440345856]   No certificate request received from Server
    [Thr 140413440345856]   SSL NI-sock: local=10.105.18.244:53167  peer=192.168.7.62:9000
    [Thr 140413440345856] <<- ERROR: SapSSLSessionStart(sssl_hdl=11ff3e0)==SSSLERR_SSL_CONNECT
    [Thr 140413440345856] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00000046} [icxxconn_mt.c 1957]

I can't seem to find any information on SCN or in any SAP Note. Let me know if you need any additional details.

Best regards,

wojtek

Accepted Solutions (1)

Former Member
0 Kudos

OK, case closed. The problem turned out to be on the WS side. The WS administrator added the Issuer CA to the list of Certification Authorities whose clients the WS deals with.
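
What the client in dev_icm rejected, as an added example that is not part of the original thread: a parser for the TLS 1.0 CertificateRequest body (RFC 2246, section 7.4.4) that reports whether the certificate_authorities list is empty or names one of the client chain's issuers. The sample DN and the names `diagnose`, `der_cn` and `build_request` are constructed for illustration, DNs are compared byte for byte, and it assumes the list the WS administrator extended is the one the server sends in this message.

```python
import struct

def parse_certificate_request(body: bytes) -> dict:
    """Parse a TLS 1.0 CertificateRequest body (RFC 2246, section 7.4.4)."""
    if not body or body[0] < 1 or 1 + body[0] + 2 > len(body):
        raise ValueError("bad certificate_types vector")
    pos = 1 + body[0]
    cert_types = list(body[1:pos])           # e.g. 1 = rsa_sign, 2 = dss_sign
    (ca_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    end = pos + ca_len
    if end != len(body):
        raise ValueError("certificate_authorities length does not match body")
    names = []
    while pos < end:                          # each entry: 2-byte length + DER Name
        if pos + 2 > end:
            raise ValueError("truncated DistinguishedName length")
        (dn_len,) = struct.unpack_from("!H", body, pos)
        pos += 2
        if dn_len == 0 or pos + dn_len > end:
            raise ValueError("bad DistinguishedName length")
        names.append(body[pos:pos + dn_len])
        pos += dn_len
    return {"certificate_types": cert_types, "authorities": names}

def diagnose(body: bytes, chain_issuers: list) -> str:
    """Classify a CertificateRequest against the issuer DNs of the client's chain."""
    req = parse_certificate_request(body)
    if not req["authorities"]:
        # RFC 2246 declares the vector as <3..2^16-1>, so an empty list is out of
        # spec for TLS 1.0; the client in the log above declines such a request.
        return "empty-ca-list"
    if any(dn in req["authorities"] for dn in chain_issuers):
        return "issuer-listed"
    return "issuer-not-listed"

def der_cn(cn: str) -> bytes:
    """Constructed helper: DER Name holding a single short commonName RDN."""
    atv = b"\x06\x03\x55\x04\x03\x0c" + bytes([len(cn)]) + cn.encode("ascii")
    seq = b"\x30" + bytes([len(atv)]) + atv
    rdn = b"\x31" + bytes([len(seq)]) + seq
    return b"\x30" + bytes([len(rdn)]) + rdn

def build_request(cert_types: bytes, names: list) -> bytes:
    """Constructed helper: serialise sample messages for the demo below."""
    ca = b"".join(struct.pack("!H", len(n)) + n for n in names)
    return bytes([len(cert_types)]) + cert_types + struct.pack("!H", len(ca)) + ca

if __name__ == "__main__":
    issuer = der_cn("Example Issuing CA")     # constructed sample DN
    print(diagnose(build_request(b"\x01\x02", []), [issuer]))
    print(diagnose(build_request(b"\x01\x02", [issuer]), [issuer]))
```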

Answers (0)