
GB E-filling Error after HRSP to patch 94: *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {0010cd0c} [icxxconn_m

0 Kudos

[Thr 11] Failed to verify peer certificate. Peer not trusted.

[Thr 11] 0xa0600203   SSL   ssl_verify_peer_certificates

[Thr 11] Peer not trusted

[Thr 11] 0xa0600297   SSL   ssl_cert_checker_verify_certificates

[Thr 11] peer certificate (chain) is not trusted

[Thr 11] PropertyBlock:

[Thr 11]   Status      :Not successful

[Thr 11]   Profile     :1.3.6.1.4.1.694.2.2.2.2

[Thr 11]   SignerStatus:Not successful

[Thr 11]   SignerVerificationResult:

[Thr 11]     element#no="1":

[Thr 11]       Status      :Not successful

[Thr 11]       Validity    :Successful

[Thr 11]       BasicConstraints:Successful

[Thr 11]       KeyUsage    :Successful

[Thr 11]       ObjectStatus:Not successful

[Thr 11]       SignerCert:

[Thr 11]         Certificate:

[Thr 11]             Subject     :CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)

[Thr 11]         Verification result:

[Thr 11]           Status      :Not successful

[Thr 11]           Profile     :1.3.6.1.4.1.694.2.2.2.2

[Thr 11]           SignerStatus:Not successful

[Thr 11]           BasicConstraintsPathLen:1

[Thr 11]           SignerVerificationResult: None

[Thr 11]

[Thr 11] <<            End of Secude-SSL Errorstack

[Thr 11]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 11]   SSL NI-sock: local=10.210.88.115:58105  peer=

[Thr 11] <<- ERROR: SapSSLSessionStart(sssl_hdl=108a87b10)==SSSLERR_PEER_CERT_UNTRUSTED

[Thr 11] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {0010cd0c} [icxxconn_m

[Thr 15] Wed Jan 13 16:11:48 2016

[Thr 15] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 15]    session uses PSE file "/usr/sap/XX/DVEBMGS02/sec/SAPSSLC.pse"

[Thr 15] SecudeSSL_SessionStart: SSL_connect() failed

[Thr 15]   secude_error 536872221 (0x2000051d) = "SSL API error"

[Thr 15] >>            Begin of Secude-SSL Errorstack            >>

[Thr 15] 0x2000051d   SAPCRYPTOLIB   SSL_connect

[Thr 15] SSL API error

[Thr 15] Failed to verify peer certificate. Peer not trusted.

[Thr 15] 0xa0600203   SSL   ssl_verify_peer_certificates

Accepted Solutions (1)


former_member185239
Active Contributor
0 Kudos

Hi B.O Wipro,

You need to import the certificate of VeriSign into the client PSE of SAPSSLC.pse.

With Regards

Ashutosh Chaturvedi

Answers (5)


0 Kudos

Hello All,

We have imported both the certificates, still it's not working.

Current trace is as below:

[Thr 05] HttpSubHandlerClose: Call Handler: HttpSAPR3Handl

[Thr 05] HttpSubHandlerClose: Call Handler: HttpJ2EEHandle

[Thr 05] HttpJ2EEHandler called: task=3

[Thr 05] ConnPoolCloseNiHdl:

[Thr 05]    Pool Entry: 1070730d0:

[Thr 05]    NI: 137, SSL: (nil), allocated: 1, inuse: 1, d

[Thr 05] NiICloseHandle: shutdown and close hdl 137/sock 3

[Thr 05] IcmConnPoolFreeEntry: free conn pool entry 107073

[Thr 05] HttpSubHandlerClose: remove reference to table 10

[Thr 05] ICT: IctHttpCloseMessage( 107157b80 ) -> u=0 rc=0

[Thr 05] ICT: IctHttpCloseMessage( 107177f30 ) -> u=0 rc=0

[Thr 05] <<- SapSSLSessionDone()==SAP_O_K

[Thr 05]      in: sssl_hdl   = 1022281f0

[Thr 05]          ... ni_hdl = 79

[Thr 05] MPI<e6ed>1#7 Close( 1 ) opt=4 del=0( 1 0 ) wakeup

[Thr 05] MPI<e6ed>1#9 Delete( 1 ) -> MPI_OK

[Thr 05] MPI<e6ed>1#8 Close( 1 ) opt=4 del=1( 0 0 ) wakeup

[Thr 05] MPI<e6ee>2#5 Close( 2 ) opt=4 del=0( 0 1 ) wakeup

[Thr 05] MPI<e6ee>2#7 Delete( 2 ) -> MPI_OK

[Thr 05] MPI<e6ee>2#6 Close( 2 ) opt=4 del=1( 0 0 ) wakeup

[Thr 05] NiICloseHandle: shutdown and close hdl 79/sock 36

[Thr 05] IcmConnClose: Connection 3/31792 closed

[Thr 05] IcmConnFreeContext: context 3 released

[Thr 05] IcmServDecrRefCount: gbahev101.gb.tntpost.com:828

[Thr 05] REQ TRACE END: 3/31792/1

[Thr 05] IcmWorkerThread: Thread 1: Waiting for event

Please suggest the correct values for ssl/ciphersuites & ssl/client_ciphersuites parameters.

isaias_freitas
Advisor
0 Kudos

Hello,

I do not see any SSL related error at this new trace that you have posted.

In fact, I do not see any error at all...

Please send more details about the issue (like a screenshot of the error you are seeing).

Regards,

Isaías

former_member185239
Active Contributor
0 Kudos

Dear ,

Kindly remove the correct marks from my post as is provided the correct information to you.

It's a humble request to give him the correct marks and it will also help other SCN members in near future.

Thank you

Ashutosh Chaturvedi

isaias_freitas
Advisor
0 Kudos

Thanks .

0 Kudos

Hi Isaias,

Thanks for your reply. Do I need to apply the root certificate or the intermediate certificate?

CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at (This is an intermediate certificate)

CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

As per Symantec certificate

CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at (This is an intermediate certificate)

is not supporting SSL/TLS.

HMRC certificate has been migrated to TLS.

Please let me know which certificates need to be imported to fix the problem.

Root 2
VeriSign Class 3 Public Primary CA
Description:
Effective December 1, 2015, Symantec discontinued the use of this root for issuance of public TLS/SSL certificates and Code Signing certificates. Browsers may remove TLS/SSL support for certificates issued from this root. Web site visitors using these browsers will receive error messages if a TLS/SSL certificate is used that chains to this root. For Code Signing, it is unclear when platforms will remove or untrust this root. Symantec will continue to offer CRL and OCSP responses for unexpired TLS/SSL certificates and Code Signing certificates chaining up to this root.

Country = US

Organization = VeriSign, Inc.

Organizational Unit = Class 3 Public Primary Certification Authority

Serial Number: 3c 91 31 cb 1f f6 d0 1b 0e 9a b8 d0 44 bf 12 be

Valid From: Sunday, January 28, 1996 4:00:00 PM

Valid to: Wednesday, August 02, 2028 3:59:59 PM

Certificate SHA1 Thumbprint: a1 db 63 93 91 6f 17 e4 18 55 09 40 04 15 c7 02 40 b0 ae 6b

Key Size: RSA(1024 Bits)

Signature Algorithm: sha1RSA

File name in Root package: Class 3 Public Primary Certification Authority

isaias_freitas
Advisor
0 Kudos

Hello,

Actually, both.

You need to import the CA and all intermediate certificates (e.g., the complete "certification chain").

Regards,

Isaías

0 Kudos

Hi,

Thanks for your replies. The VeriSign certificate is valid till 2020. What is the procedure to get the VeriSign certificate?

Regards,

Wipro

isaias_freitas
Advisor
0 Kudos

, isn't that exactly what I have recommended??

Hello Wipro, you need the base64 X.509 ".cer" file of VeriSign (contact VeriSign if you need help getting it).

Once you have it, you can use the transaction STRUST (if it is an ABAP system) in order to import it to the PSE file.

Regards,

Isaías

isaias_freitas
Advisor
0 Kudos

Hello,

You need to import the CA root certificate (VeriSign) into the client PSE (SAPSSLC.pse), so the ICM can trust the server it is connecting to.

Regards,

Isaías
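
Added example (not part of the thread and not SAP code): a small Python parser for ICM traces like the one in the question, which reports per thread the client PSE in use, the SSSLERR code, and the certificate subjects named in the failed verification, so you can see which issuer to look for in which PSE. The sample lines are copied from the trace above; the function name and output layout are assumptions of this example.

```python
import re
from collections import defaultdict

# Excerpt copied from the trace posted in the question (blank lines dropped).
SAMPLE_TRACE = """\
[Thr 11] Failed to verify peer certificate. Peer not trusted.
[Thr 11]       SignerCert:
[Thr 11]         Certificate:
[Thr 11]             Subject     :CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)
[Thr 11]           SignerVerificationResult: None
[Thr 11] <<- ERROR: SapSSLSessionStart(sssl_hdl=108a87b10)==SSSLERR_PEER_CERT_UNTRUSTED
[Thr 15] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 15]    session uses PSE file "/usr/sap/XX/DVEBMGS02/sec/SAPSSLC.pse"
[Thr 15] Failed to verify peer certificate. Peer not trusted.
"""

LINE = re.compile(r"^\[Thr (\d+)\]\s?(.*)$")       # thread id + message
PSE = re.compile(r'session uses PSE file "([^"]+)"')
SUBJECT = re.compile(r"^\s*Subject\s*:(.*)$")
SSSLERR = re.compile(r"\b(SSSLERR_\w+)")

def summarize(trace):
    """Group trust failures by ICM thread id.

    A trace pasted mid-errorstack may lack the PSE line or the subject,
    so every field is optional and filled only when the line is present.
    """
    threads = defaultdict(
        lambda: {"pse": None, "error": None, "untrusted": False, "subjects": []})
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or text that is not a trace record
        info, text = threads[m.group(1)], m.group(2)
        if (p := PSE.search(text)):
            info["pse"] = p.group(1)
        elif (s := SUBJECT.match(text)):
            subject = s.group(1).strip()
            if subject not in info["subjects"]:
                info["subjects"].append(subject)
        elif (e := SSSLERR.search(text)):
            info["error"] = e.group(1)
        elif "Peer not trusted" in text or "is not trusted" in text:
            info["untrusted"] = True
    # Keep only threads that actually reported a trust problem.
    return {t: i for t, i in threads.items() if i["untrusted"] or i["error"]}

if __name__ == "__main__":
    for thread, info in summarize(SAMPLE_TRACE).items():
        print(f"Thr {thread}: {info}")
```

Compare the reported subjects and PSE path with the certificate list of that PSE in STRUST to confirm the whole chain is present.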