Former Member

GB E-filing Error after HRSP to patch 94: *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {0010cd0c} [icxxconn_m

[Thr 11] Failed to verify peer certificate. Peer not trusted.

[Thr 11] 0xa0600203   SSL   ssl_verify_peer_certificates

[Thr 11] Peer not trusted

[Thr 11] 0xa0600297   SSL   ssl_cert_checker_verify_certificates

[Thr 11] peer certificate (chain) is not trusted

[Thr 11] PropertyBlock:

[Thr 11]   Status      :Not successful

[Thr 11]   Profile     :1.3.6.1.4.1.694.2.2.2.2

[Thr 11]   SignerStatus:Not successful

[Thr 11]   SignerVerificationResult:

[Thr 11]     element#no="1":

[Thr 11]       Status      :Not successful

[Thr 11]       Validity    :Successful

[Thr 11]       BasicConstraints:Successful

[Thr 11]       KeyUsage    :Successful

[Thr 11]       ObjectStatus:Not successful

[Thr 11]       SignerCert:

[Thr 11]         Certificate:

[Thr 11]             Subject     :CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)

[Thr 11]         Verification result:

[Thr 11]           Status      :Not successful

[Thr 11]           Profile     :1.3.6.1.4.1.694.2.2.2.2

[Thr 11]           SignerStatus:Not successful

[Thr 11]           BasicConstraintsPathLen:1

[Thr 11]           SignerVerificationResult: None

[Thr 11]

[Thr 11] <<            End of Secude-SSL Errorstack

[Thr 11]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 11]   SSL NI-sock: local=10.210.88.115:58105  peer=

[Thr 11] <<- ERROR: SapSSLSessionStart(sssl_hdl=108a87b10)==SSSLERR_PEER_CERT_UNTRUSTED

[Thr 11] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {0010cd0c} [icxxconn_m

[Thr 15] Wed Jan 13 16:11:48 2016

[Thr 15] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 15]    session uses PSE file "/usr/sap/XX/DVEBMGS02/sec/SAPSSLC.pse"

[Thr 15] SecudeSSL_SessionStart: SSL_connect() failed

[Thr 15]   secude_error 536872221 (0x2000051d) = "SSL API error"

[Thr 15] >>            Begin of Secude-SSL Errorstack            >>

[Thr 15] 0x2000051d   SAPCRYPTOLIB   SSL_connect

[Thr 15] SSL API error

[Thr 15] Failed to verify peer certificate. Peer not trusted.

[Thr 15] 0xa0600203   SSL   ssl_verify_peer_certificates


6 Answers

  • Best Answer
    Former Member
    Jan 14, 2016 at 02:49 PM

    Hi B.O Wipro,

    You need to import the certificate of VeriSign into the client PSE of SAPSSLC.pse.

    With Regards

    Ashutosh Chaturvedi


  • Former Member
    Jan 16, 2016 at 03:34 PM

    Dear Former Member,

    Kindly remove the correct marks from my post as @Isaias Freitas has provided the correct information to you.

    It's a humble request to give him the correct marks, and it will also help other SCN members in the near future.

    Thank you

    Ashutosh Chaturvedi


  • Jan 14, 2016 at 12:55 PM

    Hello,

    You need to import the CA root certificate (VeriSign) into the client PSE (SAPSSLC.pse), so the ICM can trust the server it is connecting to.

    Regards,

    Isaías

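The trace in the question already names both things this answer refers to: the PSE file the ICM used for the session and the certificate subject it could not verify. The following is an added example, not part of the original thread and not SAP code: it extracts both from an ICM trace, using sample lines constructed in the format of the trace posted above and a hypothetical function name.

```python
import re

# Constructed sample, in the format of the ICM trace posted in the question.
SAMPLE_TRACE = """\
[Thr 15] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 15]    session uses PSE file "/usr/sap/XX/DVEBMGS02/sec/SAPSSLC.pse"
[Thr 15] Failed to verify peer certificate. Peer not trusted.
[Thr 15]       SignerCert:
[Thr 15]         Certificate:
[Thr 15]             Subject     :CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)
[Thr 15]           Status      :Not successful
[Thr 15] <<- ERROR: SapSSLSessionStart(sssl_hdl=108a87b10)==SSSLERR_PEER_CERT_UNTRUSTED
[Thr 05] <<- SapSSLSessionDone()==SAP_O_K
"""

LINE = re.compile(r"^\[Thr (\d+)\]\s?(.*)$")
PSE = re.compile(r'session uses PSE file "([^"]+)"')
SUBJECT = re.compile(r"^\s*Subject\s*:(.+)$")
UNTRUSTED = "SSSLERR_PEER_CERT_UNTRUSTED"

def untrusted_peers(trace):
    """Hypothetical helper: one finding per thread whose handshake ended untrusted."""
    state = {}  # thread id -> what that thread's lines told us
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or a line without a thread prefix
        thr, text = m.groups()
        s = state.setdefault(thr, {"pse": None, "subjects": [], "untrusted": False})
        if (p := PSE.search(text)):
            s["pse"] = p.group(1)            # trust store used for this session
        elif (c := SUBJECT.match(text)):
            subj = c.group(1).strip()        # certificate named in the errorstack
            if subj not in s["subjects"]:
                s["subjects"].append(subj)
        elif UNTRUSTED in text:
            s["untrusted"] = True
    return [{"thread": t, "pse": s["pse"], "unverified_subjects": s["subjects"]}
            for t, s in state.items() if s["untrusted"]]

if __name__ == "__main__":
    for f in untrusted_peers(SAMPLE_TRACE):
        print(f"thread {f['thread']}: PSE {f['pse']} does not trust chain via:")
        for subj in f["unverified_subjects"]:
            print("   ", subj)
```

Run against a trace that contains no SSSLERR_PEER_CERT_UNTRUSTED line, the function returns an empty list.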

  • Former Member
    Jan 14, 2016 at 02:54 PM

    Hi,

    Thanks for your replies. The VeriSign certificate is valid till 2020. What is the procedure to get the VeriSign certificate?

    Regards,

    Wipro


    • Former Member, isn't that exactly what I have recommended??

      Hello Wipro, you need the base64 X.509 ".cer" file of VeriSign (contact VeriSign if you need help getting it).

      Once you have it, you can use the transaction STRUST (if it is an ABAP system) in order to import it to the PSE file.

      Regards,

      Isaías

  • Former Member
    Jan 15, 2016 at 04:50 PM

    Hi Isaias,

    Thanks for your reply. Do I need to apply the root certificate or the intermediate certificate?

    CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at (This is an intermediate certificate)

    CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

    As per Symantec certificate

    CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at (This is an intermediate certificate)

    is not supporting SSL/TLS.

    HMRC certificate has been migrated to TLS.

    Please let me know which certificates need to be imported to fix the problem.

    Root 2
    VeriSign Class 3 Public Primary CA
    Description:
    Effective December 1, 2015, Symantec discontinued the use of this root for issuance of public TLS/SSL certificates and Code Signing certificates. Browsers may remove TLS/SSL support for certificates issued from this root. Web site visitors using these browsers will receive error messages if a TLS/SSL certificate is used that chains to this root. For Code Signing, it is unclear when platforms will remove or untrust this root. Symantec will continue to offer CRL and OCSP responses for unexpired TLS/SSL certificates and Code Signing certificates chaining up to this root.

    Country = US

    Organization = VeriSign, Inc.

    Organizational Unit = Class 3 Public Primary Certification Authority

    Serial Number: 3c 91 31 cb 1f f6 d0 1b 0e 9a b8 d0 44 bf 12 be

    Valid From: Sunday, January 28, 1996 4:00:00 PM

    Valid to: Wednesday, August 02, 2028 3:59:59 PM

    Certificate SHA1 Thumbprint: a1 db 63 93 91 6f 17 e4 18 55 09 40 04 15 c7 02 40 b0 ae 6b

    Key Size: RSA(1024 Bits)

    Signature Algorithm: sha1RSA

    File name in Root package: Class 3 Public Primary Certification Authority


  • Former Member
    Jan 21, 2016 at 10:47 AM

    Hello All,

    We have imported both the certificates; still it's not working.

    Current trace is as below:

    [Thr 05] HttpSubHandlerClose: Call Handler: HttpSAPR3Handl

    [Thr 05] HttpSubHandlerClose: Call Handler: HttpJ2EEHandle

    [Thr 05] HttpJ2EEHandler called: task=3

    [Thr 05] ConnPoolCloseNiHdl:

    [Thr 05]    Pool Entry: 1070730d0:

    [Thr 05]    NI: 137, SSL: (nil), allocated: 1, inuse: 1, d

    [Thr 05] NiICloseHandle: shutdown and close hdl 137/sock 3

    [Thr 05] IcmConnPoolFreeEntry: free conn pool entry 107073

    [Thr 05] HttpSubHandlerClose: remove reference to table 10

    [Thr 05] ICT: IctHttpCloseMessage( 107157b80 ) -> u=0 rc=0

    [Thr 05] ICT: IctHttpCloseMessage( 107177f30 ) -> u=0 rc=0

    [Thr 05] <<- SapSSLSessionDone()==SAP_O_K

    [Thr 05]      in: sssl_hdl   = 1022281f0

    [Thr 05]          ... ni_hdl = 79

    [Thr 05] MPI<e6ed>1#7 Close( 1 ) opt=4 del=0( 1 0 ) wakeup

    [Thr 05] MPI<e6ed>1#9 Delete( 1 ) -> MPI_OK

    [Thr 05] MPI<e6ed>1#8 Close( 1 ) opt=4 del=1( 0 0 ) wakeup

    [Thr 05] MPI<e6ee>2#5 Close( 2 ) opt=4 del=0( 0 1 ) wakeup

    [Thr 05] MPI<e6ee>2#7 Delete( 2 ) -> MPI_OK

    [Thr 05] MPI<e6ee>2#6 Close( 2 ) opt=4 del=1( 0 0 ) wakeup

    [Thr 05] NiICloseHandle: shutdown and close hdl 79/sock 36

    [Thr 05] IcmConnClose: Connection 3/31792 closed

    [Thr 05] IcmConnFreeContext: context 3 released

    [Thr 05] IcmServDecrRefCount: gbahev101.gb.tntpost.com:828

    [Thr 05] REQ TRACE END: 3/31792/1

    [Thr 05] IcmWorkerThread: Thread 1: Waiting for event

    Please suggest the correct values for ssl/ciphersuites & ssl/client_ciphersuites parameters.


    • Hello,

      I do not see any SSL-related error in this new trace that you have posted.

      In fact, I do not see any error at all...

      Please send more details about the issue (like a screenshot of the error you are seeing).

      Regards,

      Isaías