
G Type RFC with Client Certificate - TLS handshake Error

Hi Experts,

I have a requirement to connect to a third-party portal with a 'G' type RFC and authenticate using a client certificate. I have added the client authentication certificate to SAPSSLC (SSL client certificate standard) in STRUST. When I try to test the connection, the connection is established, but during authentication it gets an SSL handshake error. I have enabled a level 3 trace in ICM and analysed it, but no explicit reason was found why the client certificate is being rejected on the third-party portal side.

I am aware that the third-party provider has to add the ABAP system as trusted, but I have yet to get confirmation from the third-party vendor whether they have done this already. It seems like SAP is not sending the correct client certificate from SAPSSLC.PSE to the 3rd party? Can anyone advise on this please?

I got the following error in the ICM level 3 trace:

[Thr 42792] CCL[SSL]: Cli-000018D4: Server requested client authentication [ssl3_decode_certificate_request]
[Thr 42792] CCL[SSL]: Cli-000018D4: Server supports 3 client certificate type(s) [ssl3_decode_certificate_request]
[Thr 42792] CCL[SSL]: Cli-000018D4: certificate type<0>: rsa_sign (1) [ssl3_log_certificate_type]
[Thr 42792] CCL[SSL]: Cli-000018D4: certificate type<1>: dss_sign (2) [ssl3_log_certificate_type]
[Thr 42792] CCL[SSL]: Cli-000018D4: certificate type<2>: ecdsa_sign (64) [ssl3_log_certificate_type]
[Thr 42792] CCL[SSL]: Cli-000018D4: Server sent 0 trusted CA name(s) for client authentication [ssl3_decode_certificate_request]
[Thr 42792] SSL:SSL_read(netin= 35) handshake, processed= 35
[Thr 42792] SSL:SiRecv(sock=27340)== 0 (SI_OK) (in=1, max=16)
[Thr 42792] CCL[SSL]: Cli-000018D4: Assembling Certificate message: Server submitted no CA names. [ssl3_check_for_ca]
[Thr 42792] CCL[SSL]: Cli-000018D4: Sending own certificate [ssl3_output_cert_chain]
[Thr 42792] CCL[SSL]: Cli-000018D4: Own TLS certificate:
[Thr 42792] Subject: CN=<SAP SSL Certificate>, O=<Org Name>, ST="Vendersgade 28, 1. tv.", L=city,
[Thr 42792] Issuer: CN=GlobalSign Extended Validation CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
[Thr 42792] Serial Number: 28:A2:D9:0A:4D:A2:31:19:57::E6
[Thr 42792] [ssl3_output_cert_chain]
[Thr 42792] CCL[SSL]: Cli-000018D4: CA certificate:
[Thr 42792] Subject: CN=GlobalSign Extended Validation CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
[Thr 42792] Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
[Thr 42792] Serial Number: 48:A4:02:DD:27:92:0D:A2:08:D1:99:7B
[Thr 42792] [ssl3_output_cert_chain]
[Thr 42792] SSL:SSL_read(netin= 9) handshake, processed= 9
[Thr 42792] SSL:SiSend(sock=27340)== 0 (SI_OK) (out=3378 of 3378)
[Thr 42792] SSL:SiRecv(sock=27340)==13 (SI_ETIMEOUT) (in=0, max=16)
[Thr 42792] > SSL:SiSelect(sock=27340, evt=R, timeout=79502 ms)
[Thr 42792] Thu May 16 09:33:29:738 2019
[Thr 42792] < SSL:SiSelect(sock=27340, evt=R, slept = 249 ms) Ready
[Thr 42792] SSL:SiRecv(sock=27340)== 0 (SI_OK) (in=7, max=16)
[Thr 42792] CCL[SSL]: Cli-000018D4: Error 0xA0600266(received a fatal TLS handshake failure alert message from the peer): received a
[Thr 42792] CCL[SSL]: Cli-000018D4: Error 0xA0600266:
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] SSL3 client handshake failed
[Thr 42792]
[Thr 42792] SSL:SSL_read(netin= 7) handshake, processed= 7
[Thr 42792] SSL_get_state()==0x21d0 "TLS read finished A"
[Thr 42792] *** ERROR during secussl_read() from SSL_read()==SSL_ERROR_SSL
[Thr 42792] cli SSL session PSE "S:\usr\sap\<SID>\DVEBMGS00\sec\SAPSSLC.pse"
[Thr 42792] session ciphersuites=214:PFS:HIGH:MEDIUM::EC_P256:EC_HIGH
[Thr 42792] Client SSL_CTX 0000014B8720D960 pvflags=960 (TLSv1.2,TLSv1.1,TLSv1.0,SSLv3)
[Thr 42792] secussl_read: SSL_read() failed (536875072/0x20001040)
[Thr 42792] => "received a fatal TLS handshake failure alert message from the peer"
[Thr 42792] >> Begin of Secu-SSL Errorstack ---------- >>
[Thr 42792] 0x20001040 SAPCRYPTOLIB SSL_read
[Thr 42792] SSL API error
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] 0xa0600266 SSL ssl3_read_bytes
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] 0xa0600266 SSL ssl3_connect
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] 0xa0600266 SSL ssl3_read_bytes
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] << End of Secu-SSL Errorstack ----------
[Thr 42792] Server's List of trusted CAs (from initial CertRequest message):
[Thr 42792] #1 "CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3"
[Thr 42792] #2 "CN=WARNING-Fake List-Invalid CertificateRequest received"
[Thr 42792] Target Hostname="<third party portal URL>"
[Thr 42792] SSL NI-hdl 122: local=<SAPIP>:61772 peer=<3rd party portal IP>:443
[Thr 42792] <<- ERROR: SapSSLSessionStartNB(sssl_hdl=14b886f9eb0)==SSSLERR_SSL_READ
[Thr 42792] ->> SapSSLSessionLastError(sssl_hdl=14b886f9eb0, &rc=47edb9ecec, &rc_name=47edb9ed00, &rc_desc=47edb9ecf8, &rc_detail=47
[Thr 42792] DpSesGetWorkerType: return workerType DIA for T20_U945
[Thr 42792] RqQQueueGetNumberOfRequests: Queue <T20_U945_M0> in slot 120 contains 0 requests of type DIA
[Thr 42792] DpSesGetTasks: found 1 open tasks for T20_U945_M0
[Thr 42792] DpSesGetWorkerType: return workerType DIA for T20_U945
[Thr 42792] RqQQueueGetNumberOfRequests: Queue <T20_U945_M1> in slot 67 contains 0 requests of type DIA
[Thr 42792] DpSesGetTasks: found 0 open tasks for T20_U945_M1
[Thr 42792] *** ERROR => SSL handshake with <third party portal URL>:443 failed: SSSLERR_SSL_READ (-58)
[Thr 42792] SAPCRYPTO:SSL_read() failed
[Thr 42792]
[Thr 42792] SapSSLSessionStartNB()==SSSLERR_SSL_READ
[Thr 42792] SSL:SSL_read() failed (536875072/0x20001040)
[Thr 42792] => "received a fatal TLS handshake failure alert message from the peer"
[Thr 42792] SSL:SSL_get_state()==0x21d0 "TLS read finished A"
[Thr 42792] SSL NI-hdl 122: local=<SAPIP>:61772 peer=<3rd party portal IP>:443
[Thr 42792] cli SSL session PSE "S:\usr\sap\<SID>\DVEBMGS00\sec\SAPSSLC.pse"
[Thr 42792] session ciphersuites=214:PFS:HIGH:MEDIUM::EC_P256:EC_HIGH
[Thr 42792] Client SSL_CTX 0000014B8720D960 pvflags=960 (TLSv1.2,TLSv1.1,TLSv1.0,SSLv3)
[Thr 42792] Target Hostname="<third party portal URL>"
[Thr 42792] >> SecuSSL ErrStack: ----
[Thr 42792] 0x20001040 SAPCRYPTOLIB SSL_read
[Thr 42792] SSL API error
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] 0xa0600266 SSL ssl3_read_bytes
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] 0xa0600266 SSL ssl3_connect
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] 0xa0600266 SSL ssl3_read_bytes
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] <<
[Thr 42792]
[Thr 42792] {001b6ef3} {root-id=000D3A3DE7111EE99DF7B0F0DFE5894F} [icxxconn.c 2419]
[Thr 42792] GUI T20_U945_M0, 001, <User ID>, COMPUTER12, time=09:33:28, W6, program=RSHTTPPIN, high priority, memory=0, task
[Thr 42792] role: Client, protocol: HTTPS, local: <SAPIP>:61772, peer: <3rd party portal IP>:443


  • Hi Michael,

    I set the same as in note 2384290 (parameters in the default profile, but not set in the ENV of the sidadm/SAPServiceSID users) and it still failed. The log I posted has cipher suites that support SSLv3 to TLS 1.2 (for testing purposes I enabled all of them, but reverted to the values as per note 2384290).

    Any other reason could be the issue?

    Thanks,

    Pradeep

  • Hello Pradeep,

    According to note 510007, your settings mean:

    "Only as desperate last resort, you should consider re-enabling the old SSLv3 protocol for interop with very very old communication peers, with these parameter values:
    ssl/ciphersuites = 199:PFS:HIGH:MEDIUM::EC_P256:EC_HIGH
    ssl/client_ciphersuites = 214:PFS:HIGH:MEDIUM::EC_P256:EC_HIGH"

    But furthermore I have no other idea. Sorry.

    Regards, Michael

  • Hi Michael,

    Yes, that is correct, I set it to enable SSLv3 but reverted it back. Anyway, thanks :)

    Isaias Freitas, can you please help here :) Many thanks

    Thanks,

    Pradeep


2 Answers

  • 5 days ago

    Hello Pradeep,

    Server sent 0 trusted CA name(s) for client authentication

    Thus, the SSL library at the ICM end does not know which client certificate it must send to authenticate.

    Is the parameter "icm/HTTPS/client_sni_enabled = true" set? Maybe the server does not send the list of CAs because the ICM did not send SNI information. But this is just a "wild guess".

    Geferson Hess , any hints? :-)

    Regards,

    Isaías


    • Hello Pradeep,

      The server is not sending any CAs, but the trace shows that the system is sending its own certificate anyway:
      [Thr 42792] CCL[SSL]: Cli-000018D4: Server sent 0 trusted CA name(s) for client authentication
      [Thr 42792] CCL[SSL]: Cli-000018D4: Sending own certificate [ssl3_output_cert_chain]

      Probably because flag 16 is configured in the ssl/client_ciphersuites parameter (SAP Note 510007).
      The issue is that the peer is closing the connection:
      [Thr 42792] received a fatal TLS handshake failure alert message from the peer

      You can set the sni parameter that Isaias commented and try to use the recommended ciphersuites values as per SAP Note 510007.
      But to be sure about why it is failing, we must check a trace on the peer. Is it a NW ABAP system too?
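
The reading of the trace in this answer (CertificateRequest with no CA names, own certificate sent anyway, fatal alert only after the Certificate message went out, SSLv3 still enabled in the client context) can be scripted so that the next dev_icm trace is triaged the same way. The block below is an added example for this thread, not SAP code and not the poster's. The `triage()` and `findings()` functions and the `SAMPLE_TRACE` are mine; the sample is constructed from the lines quoted in the question (same placeholder host names and the same Cli-000018D4 session id) and is not a fresh capture.

```python
"""Triage an SAP ICM level-3 SSL trace of a failed client-certificate handshake.

Added example for this thread, not SAP code and not the poster's. SAMPLE_TRACE is
constructed from the lines quoted in the question (same placeholders and ids).
"""
import re

SAMPLE_TRACE = """\
[Thr 42792] CCL[SSL]: Cli-000018D4: Server requested client authentication [ssl3_decode_certificate_request]
[Thr 42792] CCL[SSL]: Cli-000018D4: certificate type<0>: rsa_sign (1) [ssl3_log_certificate_type]
[Thr 42792] CCL[SSL]: Cli-000018D4: Server sent 0 trusted CA name(s) for client authentication [ssl3_decode_certificate_request]
[Thr 42792] CCL[SSL]: Cli-000018D4: Assembling Certificate message: Server submitted no CA names. [ssl3_check_for_ca]
[Thr 42792] CCL[SSL]: Cli-000018D4: Sending own certificate [ssl3_output_cert_chain]
[Thr 42792] CCL[SSL]: Cli-000018D4: Own TLS certificate:
[Thr 42792] Subject: CN=<SAP SSL Certificate>, O=<Org Name>, L=city,
[Thr 42792] Issuer: CN=GlobalSign Extended Validation CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
[Thr 42792] CCL[SSL]: Cli-000018D4: CA certificate:
[Thr 42792] Subject: CN=GlobalSign Extended Validation CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
[Thr 42792] Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
[Thr 42792] CCL[SSL]: Cli-000018D4: Error 0xA0600266: received a fatal TLS handshake failure alert message from the peer
[Thr 42792] Client SSL_CTX 0000014B8720D960 pvflags=960 (TLSv1.2,TLSv1.1,TLSv1.0,SSLv3)
[Thr 42792] #2 "CN=WARNING-Fake List-Invalid CertificateRequest received"
"""

_THR = re.compile(r"^\[Thr \d+\]\s*")                   # "[Thr 42792] " prefix
_CCL = re.compile(r"^CCL\[SSL\]: Cli-[0-9A-Fa-f]+: ")   # "CCL[SSL]: Cli-000018D4: " prefix

def _strip(line: str) -> str:
    return _CCL.sub("", _THR.sub("", line.strip()))

def triage(trace: str) -> dict:
    """Extract the CertificateRequest, the chain we sent and the peer's alert."""
    r = {"client_auth_requested": False, "cert_types": [], "ca_names_sent": None,
         "own_cert_sent": False, "chain": [], "alert": None, "alert_after_cert": False,
         "protocols": [], "fake_ca_list": False}
    current = None  # certificate whose Subject:/Issuer: lines come next
    for raw in trace.splitlines():
        line = _strip(raw)
        if line.startswith("Server requested client authentication"):
            r["client_auth_requested"] = True
        elif (m := re.match(r"certificate type<\d+>: (\w+)", line)):
            r["cert_types"].append(m.group(1))
        elif (m := re.match(r"Server sent (\d+) trusted CA name", line)):
            r["ca_names_sent"] = int(m.group(1))
        elif line.startswith("Sending own certificate"):
            r["own_cert_sent"] = True
        elif line.startswith(("Own TLS certificate:", "CA certificate:")):
            current = {"subject": None, "issuer": None}  # leaf first, then its issuers
            r["chain"].append(current)
        elif line.startswith("Subject: ") and current is not None:
            current["subject"] = line[9:].rstrip(", ")
        elif line.startswith("Issuer: ") and current is not None:
            current["issuer"] = line[8:].rstrip(", ")
            current = None
        elif "fatal TLS handshake failure alert" in line and r["alert"] is None:
            r["alert"] = "handshake_failure"
            r["alert_after_cert"] = r["own_cert_sent"]  # Certificate already on the wire?
        elif (m := re.search(r"pvflags=\d+ \(([^)]*)\)", line)):
            r["protocols"] = m.group(1).split(",")
        elif "WARNING-Fake List" in line:
            r["fake_ca_list"] = True
    chain = r["chain"]
    r["chain_links_ok"] = all(chain[i]["issuer"] == chain[i + 1]["subject"]
                              for i in range(len(chain) - 1))
    r["root_included"] = bool(chain) and chain[-1]["subject"] == chain[-1]["issuer"]
    r["findings"] = findings(r)
    return r

def findings(r: dict) -> list:
    """What the parsed facts mean, in the order the handshake happened."""
    out = []
    if r["client_auth_requested"] and r["ca_names_sent"] == 0:
        out.append("CertificateRequest had no CA names; the client cannot select a matching "
                   "certificate, SAPCRYPTOLIB sent the SAPSSLC identity regardless.")
    if r["alert"] == "handshake_failure":
        stage = "after" if r["alert_after_cert"] else "before"
        why = ("the peer rejected the certificate or its chain; only the peer's log says why"
               if r["alert_after_cert"] else "check protocol and cipher overlap first")
        out.append(f"Fatal handshake_failure arrived {stage} our Certificate message: {why}.")
    if r["chain"] and not r["chain_links_ok"]:
        out.append("Chain sent is not contiguous: an Issuer does not match the next Subject.")
    if r["chain"] and not r["root_included"]:
        out.append(f"Chain of {len(r['chain'])} cert(s) stops at issuer '{r['chain'][-1]['issuer']}'; "
                   "the root is not sent (normal in TLS), so the peer must already trust it.")
    if "SSLv3" in r["protocols"]:
        out.append("SSLv3 is enabled in the client SSL_CTX; SAP Note 510007 allows it only as a last resort.")
    if r["fake_ca_list"]:
        out.append("The 'Server's List of trusted CAs' dump is flagged as a fake list by the library; "
                   "it is not the peer's trust store.")
    return out

if __name__ == "__main__":
    print(*triage(SAMPLE_TRACE)["findings"], sep="\n")
```

To use it on a real trace, read the dev_icm file into a string and pass it to `triage()`; the `[Thr N]` prefix and the `CCL[SSL]: Cli-…:` session prefix are stripped before matching, so the functions work on the raw lines. The one distinction the script makes that the thread turns on is the position of the fatal alert: once the peer has accepted ClientHello and sent CertificateRequest, a handshake_failure that arrives only after our Certificate message points at the certificate or chain, not at cipher suites, and the reason is only visible on the peer side, exactly as the answer says.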

  • 3 days ago

    icm-logs-level3-new.txt

    Hi Isaias Freitas and Geferson Hess ,

    Thanks a lot for your help. Actually, I have set icm/HTTPS/client_sni_enabled = TRUE in the default profile and restarted the ICM for it to take effect. I tried again, but still no luck. I have set the ciphersuites as per SAP note 510007 (enabled TLS 1.0, TLS 1.1 and TLS 1.2). Please refer to the attached screenshot. I have not set the ciphersuite ENVs for sidadm and SAPServiceSID. Is this required?

    Third party website is running on non-SAP system.

    Please refer to the attached latest logs. Thank you very much for your help.

    Thanks,

    Pradeep



    • Hi Isaias,

      The old client certificate doesn't have a complete certificate chain. I requested a new client certificate with the complete certificate chain (the root certificate was missing in the earlier certificate). I created a PSE file from the newly received pfx client authentication certificate using sapgenpse. I replaced "SAP client WSSE Web Service" in STRUST with the newly created PSE file (created out of the new client authentication certificate).

      When I do a connection test with "SAP client WSSE Web Service" in SM59, the connection test is OK and returns HTTP code 200.

      But when I add the client certificate into SAPSSLC.PSE, it gets an SSL handshake error. I guess the SAP system is not sending the client certificate to the peer. Is there any ciphersuite that we need to set up in the server/client parameters to send the client certificate?

      Thanks,

      Pradeep