
Problem with SSL Cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Dear experts,

Our logistics partner recently switched their SSL cipher from TLS_RSA_WITH_AES128_CBC_SHA to TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. I downloaded the corresponding SSL certificate, but our RFC connection is no longer working and fails with an SSL handshake error (see log below). I tried to find out whether the CommonCryptoLib (our version is 8.4.35) is able to handle this kind of cipher.

Unfortunately, I didn't find any information regarding this topic. Is this cipher currently supported by SAP, and if so, how can I enable it?

These are my instance parameters:

sec/libsapsecu = $(ssl/ssl_lib)
ssf/ssfapi_lib = $(ssl/ssl_lib)
ssl/client_ciphersuites = 983:HIGH:MEDIUM:+e3DES:!aNULL (far too much enabled, but other combinations aren't working either)
ssl/ssl_lib = $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)

This is the error log from the ICF-Monitor:

[Thr 2571] IcmConnInitClientSSL: using pse /usr/sap/WED/DVEBMGS11/sec/SAPSSLA.pse, show client certificate if available
[Thr 2571] ->> SapSSLSetTargetHostname(sssl_hdl=187ef1c70, &hostname=181c36d30)
[Thr 2571] <<- SapSSLSetTargetHostname(sssl_hdl=187ef1c70)==SAP_O_K
[Thr 2571] in: hostname = "cig.dhl.de"
[Thr 2571] ->> SapSSLSessionStart(sssl_hdl=187ef1c70)
[Thr 2571] NiIBlockMode: set blockmode for hdl 93 TRUE
[Thr 2571] NiIBlockMode: set blockmode for hdl 93 FALSE
[Thr 2571] NiIHdlGetStatus: hdl 93/sock 27 ok, no data pending
[Thr 2571] NiIBlockMode: set blockmode for hdl 93 TRUE
[Thr 2571] SapISSLUseSessionCache(): Creating NEW session (0 cached)
[Thr 2571] *** ERROR during SecuSSL_SessionStart() from SSL_connnect()==SSL_ERROR_SSL
[Thr 2571] session uses PSE file "/usr/sap/WED/DVEBMGS11/sec/SAPSSLA.pse"
[Thr 2571] SecuSSL_SessionStart: SSL_connnect() failed (536875072/0x20001040)
[Thr 2571] => "SSL API error"
[Thr 2571] >> Begin of Secu-SSL Errorstack >>
[Thr 2571] 0x20001040 SAPCRYPTOLIB SSL_connect
[Thr 2571] SSL API error
[Thr 2571] received a fatal SSLv3 handshake failure alert message from the peer
[Thr 2571] 0xa0600266 SSL ssl23_connect
[Thr 2571] received a fatal SSLv3 handshake failure alert message from the peer
[Thr 2571] 0xa0600266 SSL ssl23_get_server_hello
[Thr 2571] received a fatal SSLv3 handshake failure alert message from the peer
[Thr 2571] << End of Secu-SSL Errorstack
[Thr 2571] SSL_get_state()==0x2220 "SSLv2/v3 read server hello A"
[Thr 2571] No certificate request received from Server
[Thr 2571] <<- ERROR: SapSSLSessionStart(sssl_hdl=187ef1c70)==SSSLERR_SSL_CONNECT
[Thr 2571] ->> SapSSLSessionLastError(sssl_hdl=187ef1c70, &rc=181a8a774, &rc_name=181a8a790, &rc_desc=181a8a788, &rc_detail=181a8a78
[Thr 2571] *** ERROR => SSL handshake with cig.dhl.de:443 failed: SSSLERR_SSL_CONNECT (-57)
[Thr 2571] SAPCRYPTO:SSL_connect() failed
[Thr 2571]
[Thr 2571] SapSSLSessionStart()==SSSLERR_SSL_CONNECT
[Thr 2571] SSL:SSL_connnect() failed (536875072/0x20001040)
[Thr 2571] => "SSL API error"
[Thr 2571] >> SecuSSL ErrStack:
[Thr 2571] 0x20001040 SAPCRYPTOLIB SSL_connect
[Thr 2571] SSL API error
[Thr 2571] received a fatal SSLv3 handshake failure alert message from the peer
[Thr 2571] 0xa0600266 SSL ssl23_connect
[Thr 2571] received a fatal SSLv3 handshake failure alert message from the peer
[Thr 2571] 0xa0600266 SSL ssl23_get_server_hello
[Thr 2571] received a fatal SSLv3 handshake failure alert message from the peer
[Thr 2571] <<
[Thr 2571] SSL:SSL_get_state()==0x2220 "SSLv2/v3 read server hello A"
[Thr 2571] SSL NI-hdl 93: local=10.0.1.72:42702 peer=149.239.114.113:443
[Thr 2571] cli SSL session PSE "/usr/sap/WED/DVEBMGS11/sec/SAPSSLA.pse"
[Thr 2571] Target Hostname="cig.dhl.de"
[Thr 2571] {00000070} [icxxconn.c 2159]
[Thr 2571] ->> SapSSLSessionDone(&sssl_hdl=181313560)
[Thr 2571] <<- SapSSLSessionDone()==SAP_O_K
[Thr 2571] in: sssl_hdl = 187ef1c70
[Thr 2571] in/out: ... ni_hdl = 93
[Thr 2571] DpSesGetWorkerType: return workerType DIA for T3_U447
[Thr 2571] RqQQueueGetNumberOfRequests: Queue <T3_U447_M0> in slot 38 contains 0 requests of type DIA
[Thr 2571] DpSesGetTasks: found 1 open tasks for T3_U447_M0
[Thr 2571] DpSesGetWorkerType: return workerType DIA for T3_U447
[Thr 2571] RqQQueueGetNumberOfRequests: Queue <T3_U447_M1> in slot 45 contains 0 requests of type DIA
[Thr 2571] DpSesGetTasks: found 0 open tasks for T3_U447_M1
[Thr 2571] DpSesGetWorkerType: return workerType DIA for T3_U447
[Thr 2571] RqQQueueGetNumberOfRequests: Queue <T3_U447_M3> in slot 35 contains 0 requests of type DIA
[Thr 2571] DpSesGetTasks: found 0 open tasks for T3_U447_M3
[Thr 2571] IcmConnConnect: Connect failed for session GUI T3_U447_M0, 200, KOBLITZ, PC-IT-KOBLITZ1, time=08:35:06, W8, program=RSHTT
[Thr 2571] IcmConnConnect(id=0/112): free MPI request blocks
[Thr 2571] MPI<7a>2#7 GetInbuf -1 1f41e0 295 (1) -> MPI_EOS: End Of Stream
[Thr 2571] MPI<7a>2#8 FreeInbuf#1 0 1f41e0 0 -> MPI_OK
[Thr 2571] MPI<79>1#4 GetOutbuf -1 1f41e0 65536 (0) -> 7000000901f4200 104857600 MPI_OK
[Thr 2571] NiIGetServNo: servicename '8011' = port 8011

Kind regards and thanks in advance for helping!

André Koblitz


1 Answer

  • Best Answer
    Posted on Dec 04, 2015 at 12:45 PM

    Hi André, this functionality comes with CommonCryptoLib 8.4.38. Have a look at these notes:

    • 1848999 - Central Note for CommonCryptoLib 8 (replacing SAPCRYPTOLIB)
    • 2181733 - Fixes and Features in CommonCryptoLib 8.4.38

    PFS cipher suites are optional, so you will have to activate them using the ssl/client_ciphersuites parameter. We are currently experimenting with

    ssl/client_ciphersuites = 134:PFS:HIGH:+e3DES::EC_HIGH:+EC_OPT

    Regards,

    Lutz
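Added illustration of the failure mode in the trace above, not code from this thread or from SAP's CommonCryptoLib: a small Python model of TLS 1.2 cipher-suite negotiation. The ClientHello bytes are constructed, the server's suite list is an assumption standing in for the partner's new configuration, and the fatal `handshake_failure` alert returned when the two lists do not overlap is the alert the ICM log reports.

```python
import struct

# IANA cipher suite identifiers for the suites named in the thread (TLS 1.2 names).
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F

# Fatal TLS alert record: type 0x15, version 3.3, length 2, level fatal (2), handshake_failure (40).
HANDSHAKE_FAILURE_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"


def build_client_hello(suites):
    """Build a minimal TLS 1.2 ClientHello record offering `suites` (constructed sample, no extensions)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"  # client_version 1.2, zeroed random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def offered_suites(record):
    """Parse a ClientHello record (e.g. taken from a capture) and return the cipher suite IDs it offers."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello handshake record")
    pos = 9 + 2 + 32  # record header (5) + handshake header (4) + version (2) + random (32)
    pos += 1 + record[pos]  # skip session id
    (n,) = struct.unpack_from("!H", record, pos)
    pos += 2
    return [struct.unpack_from("!H", record, pos + i)[0] for i in range(0, n, 2)]


def server_response(server_suites, record):
    """Model the server's choice: the first server-preferred suite the client also offers,
    or the fatal handshake_failure alert when there is no overlap (the alert seen in the trace)."""
    offered = set(offered_suites(record))
    chosen = next((s for s in server_suites if s in offered), None)
    return chosen if chosen is not None else HANDSHAKE_FAILURE_ALERT


if __name__ == "__main__":
    # Constructed scenario (assumption): the peer now accepts only the ECDHE-GCM suite.
    server = [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
    old_client = build_client_hello([TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA])
    new_client = build_client_hello([TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA])
    print("old client:", server_response(server, old_client))  # alert bytes: handshake fails
    print("new client: 0x%04X" % server_response(server, new_client))  # 0xC02F: ServerHello follows
```

Feeding a real ClientHello captured from the SAP system into `offered_suites` shows directly whether the library offers 0xC02F before and after the parameter change.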

