
iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake

Hello all;

From SAP PI 7.30 we call a SOAP web service over HTTPS. This service had been running for a long time. The provider of the web service upgraded their SSL certificates from the SHA-1 signing algorithm to the stronger and more robust SHA-256. After that, we get the following error: iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake. As said, just before the change the connection was working. I have added the required VeriSign CA root certificates to the Trusted CAs keystore within NWA (VeriSign Class 3 Secure Server CA - G4 and G5). Something must be wrong. When I look into SXMB_MONI, I see something for which I don't know if it is related: encryptionAlgorithmEncryptionEncriptionSignature value DES_EDE3_CBC. I am not an expert in this, but could it be possible that this should be AES256-CBC? How do I change that?

Any help or suggestion is welcome. My next step will be to install XPI Inspector to figure out what is wrong.

Wilbert



9 Answers

  • Best Answer
    Posted on Feb 20, 2016 at 09:02 PM

    Hello Wilbert,

    The error message you posted above (iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake failure) is a typical symptom of the issue I mentioned in this thread: . We have to differentiate between server and client scenarios here. The notes you mentioned above (2110020 and 510007) refer to the ICM parameters and to the server scenario only. If the AS Java is the client, changing the ICM parameters makes no difference, because then the "SAP Java Cryptographic Toolkit" is used (not the SAP Cryptolib or the CommonCryptoLib), which only has TLS 1.0 support now.

    Best Regards,

    Peter


    • Hello Peter,

      I am not sure if you have seen the thread http://scn.sap.com/thread/3870902.

      I have an FTPS->PI->NFS (File) scenario where the FTPS client is switching their SHA-1 intermediate certificate to SHA-2.

      We are getting a "connection refused by remote host" error. As per the xpi_inspector logs, the handshake is initiated, followed by the connection being closed by the remote host.

      The FTP client has asked us if we support TLS 1.1. We have an SAP PI 7.31 Java-only system with SAPCRYPTO-Library 5.5.5pl38.

      Does this library support TLS 1.1 for the FTPS connection on the sender side of PI?

      Regards,

      Simran

  • Posted on Feb 14, 2016 at 12:01 PM

    Hi all;

    After some additional tests via an IE browser, I came to the conclusion that my web service on the site https://api-3t.sandbox.paypal.com/2.0/ requires TLSv1.2. When TLSv1.2 is de-selected the site cannot be reached. So at this point, my issue is not related to SHA-256 hashing. To verify that, I also tested via XPI Inspector against another URL of a bank which is using SHA-256 for signing/hashing. SAP note 2110020 tells us that protocols TLSv1.1 and TLSv1.2 are not enabled by default for outgoing connections (client side). Currently I am investigating that in combination with SAP note 510007. It looks like we have to set some profile parameters like ssl/ciphersuites and ssl/client_ciphersuites. We are running SAP PI 7.30. Does anyone have experience with those parameters? Note that we don't want to disable SSLv3 (yet).

    Wilbert


    • Hi all;

      We tried to implement SAP notes 2110020 and 510007, unfortunately without success.

      This is what we tried (we put the parameters in the DEFAULT profile with RZ10):

      We are on SAP PI 7.30 SP05, Kernel 721_EXT_REL patch 600, CommonCryptoLib 8.4.41 pl40.

      Test 01:

      ssl/client_ciphersuites = 982:HIGH:MEDIUM:+e3DES

      Restart SAP PI.

      Test 02:

      ssl/ciphersuites = 982:HIGH:MEDIUM:+e3DES

      ssl/client_ciphersuites = 982:HIGH:MEDIUM:+e3DES

      Restart SAP PI.

      Test 03:

      ssl/ciphersuites = HIGH:MEDIUM:+e3DES

      ssl/client_ciphersuites = HIGH:MEDIUM:+e3DES

      Restart SAP PI.

      Best regards;

      Wilbert

  • Posted on Jan 26, 2016 at 02:06 PM

    Hello wilbert,

    After the WS upgrade, did you import the certificates required for the new algorithm SHA-256?


  • Posted on Jan 27, 2016 at 01:26 AM

    Hi Wilbert

    XPI Inspector is really your best bet in this situation. It provides you a clear view of the certificate chain used as well as a thorough IAIK debug log as described in my blog below.

    Using XPI Inspector to troubleshoot HTTP SSL connections (Part 1 - Server Authentication)

    I'd suggest you execute the troubleshooting steps there and post up the results here for further analysis.

    Rgds

    Eng Swee


  • Posted on Feb 17, 2016 at 01:39 PM

    Hi Wilbert,

    We are having the same experience with the same API provider. We are a single-stack 7.4 environment with Verisign G5 installed, and XPI shows a fatal handshake after the initial hello. Our authentication is by certificate, so we are attempting to load a new 2048-bit cert since our current cert is 1024-bit. Our first attempt at converting from PEM to PKCS12 failed. We also do not want to disable SSLv3 yet. I will keep you posted of any progress; please share the same.

    Regards,

    Dave


    • Hi Dave/Wilbert - I am also in the same boat. I am on single-stack 7.4 and trying to connect to a client with TLS 1.2 and getting the same error: "Failed to get the input stream from socket: iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake failure". I tried a few different things like installing the G5 cert in the keystore, upgrading the cryptography library per note 2110020 and setting the profile parameter ssl/ciphersuite, but no luck. Please update the thread once you find the solution. I will do the same. I also have a message open with SAP.

  • Posted on Feb 20, 2016 at 10:30 AM

    Hi all;

    I asked SAP how I can see if our SAP PI is actually sending/supporting TLSv1.2 as a Java client. They misunderstood my question, so I have to go back to them. SAP came with the suggestion to perform the SSL hello test using the Perl script mentioned in SAP note 2110020.

    Here is the result of my test proving that I need TLSv1.2 support.

    Sandbox PayPal:

    Live PayPal (move to TLSv1.2 mid June)

    @Dave and Dhirendra, can you run your test and confirm that your provider also needs exclusively TLSv1.2? How do you call your provider, using SOAP over https?

    Regards,

    Wilbert


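As an added example (not code from the thread, from SAP or from IAIK), here is a small Python version probe of the kind Wilbert describes: it sends a raw TLS ClientHello that offers exactly one protocol version and decodes the first record the server answers with. The "Peer sent alert: Alert Fatal: handshake failure" that IAIK reports is, on the wire, a seven-byte alert record (content type 0x15, level 2 = fatal, description 40 = handshake_failure), which the parser below recognizes alongside protocol_version (70) and a normal ServerHello. The cipher-suite list, the extension set, the default target host and the timeout are assumptions chosen for illustration; the record bytes in the test are constructed, not captured.

```python
"""Minimal TLS version probe (added example, not SAP or IAIK code).

build_client_hello() produces a raw ClientHello record offering one protocol
version; classify_server_record() decodes the first record a server sends
back, which for a rejected version is typically a fatal alert such as
handshake_failure (40) or protocol_version (70), or no reply at all.
"""
import os
import socket
import struct

RECORD_ALERT = 0x15          # TLS record content types (RFC 5246)
RECORD_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01       # handshake message types
HS_SERVER_HELLO = 0x02

VERSIONS = {"SSLv3": (3, 0), "TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}
VERSION_NAMES = {v: k for k, v in VERSIONS.items()}

ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
    42: "bad_certificate", 48: "unknown_ca", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
}

# Offered suites, from AES-GCM down to the 3DES suite that "+e3DES" keeps
# enabled in the thread's profile parameters (constructed list, not SAP's).
CIPHER_SUITES = [
    0xC030,  # TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    0xC02F,  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    0x003D,  # TLS_RSA_WITH_AES_256_CBC_SHA256
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
]


def _ext(ext_type, payload):
    """Encode one TLS extension: type(2) + length(2) + payload."""
    return struct.pack("!HH", ext_type, len(payload)) + payload


def build_client_hello(version_name, server_name=None, client_random=None):
    """Return a complete TLS record carrying a ClientHello for one version."""
    major, minor = VERSIONS[version_name]
    client_random = client_random or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = struct.pack("!BB", major, minor) + client_random
    body += b"\x00"                                  # empty session id
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                              # compression: null only
    if (major, minor) >= (3, 1):                     # SSLv3 servers may reject extensions
        exts = b""
        if server_name:
            host = server_name.encode("idna")
            names = b"\x00" + struct.pack("!H", len(host)) + host
            exts += _ext(0x0000, struct.pack("!H", len(names)) + names)   # SNI
        exts += _ext(0x000A, struct.pack("!HHH", 4, 0x0017, 0x0018))     # groups P-256, P-384
        exts += _ext(0x000B, b"\x01\x00")                                # ec_point_formats
        exts += _ext(0x000D, struct.pack("!H", 8) + bytes([4, 1, 5, 1, 2, 1, 4, 3]))  # sig algs
        body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([HS_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return struct.pack("!BBBH", RECORD_HANDSHAKE, major, minor, len(handshake)) + handshake


def classify_server_record(data):
    """Decode the first record of a server reply into (kind, detail, extra)."""
    if len(data) < 5:
        return ("no_response", None, None)
    rtype = data[0]
    if rtype == RECORD_ALERT and len(data) >= 7:
        level = {1: "warning", 2: "fatal"}.get(data[5], "level_%d" % data[5])
        desc = ALERT_DESCRIPTIONS.get(data[6], "alert_%d" % data[6])
        return ("alert", level, desc)
    if rtype == RECORD_HANDSHAKE and len(data) >= 11 and data[5] == HS_SERVER_HELLO:
        body = data[9:]                               # skip record + handshake headers
        version = VERSION_NAMES.get((body[0], body[1]), "unknown")
        if len(body) < 35 or len(body) < 37 + body[34]:
            return ("server_hello", version, None)    # short read; version still known
        sid_len = body[34]
        suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
        return ("server_hello", version, "0x%04X" % suite)
    return ("unknown", "record_type_%d" % rtype, None)


def probe(host, port, version_name, timeout=5.0):
    """Offer one version to host:port and classify the reply (needs network)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(version_name, server_name=host))
            return classify_server_record(sock.recv(4096))
    except (socket.timeout, ConnectionError):
        return ("no_response", None, None)          # some servers just drop old versions


def probe_all(host, port=443):
    """Map each version name to the server's answer, e.g. TLSv1.2 -> server_hello."""
    return {name: probe(host, port, name) for name in VERSIONS}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "api-3t.sandbox.paypal.com"  # host from the thread
    for name, result in probe_all(target).items():
        print("%-8s %s" % (name, result))
```

Run it against the provider's host: a server that only accepts TLS 1.2 answers the TLSv1.2 hello with a ServerHello and the three older hellos with a fatal alert or a dropped connection, which is exactly what an AS Java client limited to TLS 1.0 would see. The probe only shows what the server accepts; it says nothing about which versions PI itself offers, which is the other half of the question.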

  • Posted on Feb 22, 2016 at 06:29 PM

    Hi Wilbert,

    We are also facing the same issue while communicating with one of our clients who has moved onto TLS (iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake failure). We updated to the latest crypto library files and also set the profile parameters as per SAP's recommendation. We have set the values below, as we need to allow both SSL and TLS communication in our landscape.

    ssl/ciphersuites 721:HIGH:MEDIUM:+e3DES

    ssl/client_ciphersuites 726:HIGH:MEDIUM:+e3DES


    However, when we try to communicate with the client, it fails with the mentioned exception. It seems like the request is still being sent out as SSL and not TLS, and hence the client system is rejecting it. We have been following up with SAP for long but no luck yet getting this working. Please let me know if you get any resolution from SAP. We even tried to set the value for both parameters to 512 so that it will only allow TLS. But still it didn't work. I can't really find a way to test if the request is being sent out as SSL or TLS.


    Thanks

    Pranav


  • Posted on Mar 29, 2016 at 06:59 AM

    Hello Wilbert,

    Have you found a solution?

    I'm facing a similar issue connecting PI -> Microsoft Azure IIS 8 with SOAP 1.1.

    Same issue on 7.3 SP05 and 7.4 SP11.

    Client cert authentication (mutual SSL) is required.

    Sending a small payload works, but above 700 KB it fails with a connection reset using PI/PO.

    Sending the same payload using the Microsoft WCF SOAP client, curl or the Firefox REST client works fine.

    Any ideas?


  • Posted on Apr 21, 2016 at 08:08 PM

    Hi Wilbert,

    I do want to mention to you that the Advantco REST Adapter supports TLS 1.2.

    https://www.advantco.com/product/REST

    Regards,

    Brandt

