G Type RFC with Client Certificate - TLS handshake Error

tamil_arasan
Active Contributor

Hi Experts,

I have a requirement to connect a third-party portal via a 'G'-type RFC and authenticate using a client certificate. I have added the client authentication certificate to SAPSSLC (SSL client certificate standard) in STRUST. When I test the connection, the connection is established, but during authentication it fails with an SSL handshake error. I enabled a level 3 trace in ICM and analyzed it, but found no explicit reason why the client certificate is being rejected on the third-party portal side.

I am aware that the third-party provider has to add the ABAP system as trusted, but I have yet to get confirmation from the third-party vendor that they have done this. It seems like SAP is not sending the correct client certificate from SAPSSLC.PSE to the third party? Can anyone advise on this, please?

I got the following error in the ICM level 3 trace:

[Thr 42792] CCL[SSL]: Cli-000018D4: Server requested client authentication [ssl3_decode_certificate_request]
[Thr 42792] CCL[SSL]: Cli-000018D4: Server supports 3 client certificate type(s) [ssl3_decode_certificate_request]
[Thr 42792] CCL[SSL]: Cli-000018D4: certificate type<0>: rsa_sign (1) [ssl3_log_certificate_type]
[Thr 42792] CCL[SSL]: Cli-000018D4: certificate type<1>: dss_sign (2) [ssl3_log_certificate_type]
[Thr 42792] CCL[SSL]: Cli-000018D4: certificate type<2>: ecdsa_sign (64) [ssl3_log_certificate_type]
[Thr 42792] CCL[SSL]: Cli-000018D4: Server sent 0 trusted CA name(s) for client authentication [ssl3_decode_certificate_request]
[Thr 42792] SSL:SSL_read(netin= 35) handshake, processed= 35
[Thr 42792] SSL:SiRecv(sock=27340)== 0 (SI_OK) (in=1, max=16)
[Thr 42792] CCL[SSL]: Cli-000018D4: Assembling Certificate message: Server submitted no CA names. [ssl3_check_for_ca]
[Thr 42792] CCL[SSL]: Cli-000018D4: Sending own certificate [ssl3_output_cert_chain]
[Thr 42792] CCL[SSL]: Cli-000018D4: Own TLS certificate:
[Thr 42792] Subject: CN=<SAP SSL Certificate>, O=<Org Name>, ST="Vendersgade 28, 1. tv.", L=city,
[Thr 42792] Issuer: CN=GlobalSign Extended Validation CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
[Thr 42792] Serial Number: 28:A2:D9:0A:4D:A2:31:19:57::E6
[Thr 42792] [ssl3_output_cert_chain]
[Thr 42792] CCL[SSL]: Cli-000018D4: CA certificate:
[Thr 42792] Subject: CN=GlobalSign Extended Validation CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
[Thr 42792] Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
[Thr 42792] Serial Number: 48:A4:02:DD:27:92:0D:A2:08:D1:99:7B
[Thr 42792] [ssl3_output_cert_chain]
[Thr 42792] SSL:SSL_read(netin= 9) handshake, processed= 9
[Thr 42792] SSL:SiSend(sock=27340)== 0 (SI_OK) (out=3378 of 3378)
[Thr 42792] SSL:SiRecv(sock=27340)==13 (SI_ETIMEOUT) (in=0, max=16)
[Thr 42792] > SSL:SiSelect(sock=27340, evt=R, timeout=79502 ms)
[Thr 42792] Thu May 16 09:33:29:738 2019
[Thr 42792] < SSL:SiSelect(sock=27340, evt=R, slept = 249 ms) Ready
[Thr 42792] SSL:SiRecv(sock=27340)== 0 (SI_OK) (in=7, max=16)
[Thr 42792] CCL[SSL]: Cli-000018D4: Error 0xA0600266(received a fatal TLS handshake failure alert message from the peer): received a
[Thr 42792] CCL[SSL]: Cli-000018D4: Error 0xA0600266:
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] SSL3 client handshake failed
[Thr 42792]
[Thr 42792] SSL:SSL_read(netin= 7) handshake, processed= 7
[Thr 42792] SSL_get_state()==0x21d0 "TLS read finished A"
[Thr 42792] *** ERROR during secussl_read() from SSL_read()==SSL_ERROR_SSL
[Thr 42792] cli SSL session PSE "S:\usr\sap\<SID>\DVEBMGS00\sec\SAPSSLC.pse"
[Thr 42792] session ciphersuites=214:PFS:HIGH:MEDIUM::EC_P256:EC_HIGH
[Thr 42792] Client SSL_CTX 0000014B8720D960 pvflags=960 (TLSv1.2,TLSv1.1,TLSv1.0,SSLv3)
[Thr 42792] secussl_read: SSL_read() failed (536875072/0x20001040)
[Thr 42792] => "received a fatal TLS handshake failure alert message from the peer"
[Thr 42792] >> Begin of Secu-SSL Errorstack ---------- >>
[Thr 42792] 0x20001040 SAPCRYPTOLIB SSL_read
[Thr 42792] SSL API error
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] 0xa0600266 SSL ssl3_read_bytes
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] 0xa0600266 SSL ssl3_connect
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] 0xa0600266 SSL ssl3_read_bytes
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] << End of Secu-SSL Errorstack ----------
[Thr 42792] Server's List of trusted CAs (from initial CertRequest message):
[Thr 42792] #1 "CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3"
[Thr 42792] #2 "CN=WARNING-Fake List-Invalid CertificateRequest received"
[Thr 42792] Target Hostname="<third party portal URL>"
[Thr 42792] SSL NI-hdl 122: local=<SAPIP>:61772 peer=<3rd party portal IP>:443
[Thr 42792] <<- ERROR: SapSSLSessionStartNB(sssl_hdl=14b886f9eb0)==SSSLERR_SSL_READ
[Thr 42792] ->> SapSSLSessionLastError(sssl_hdl=14b886f9eb0, &rc=47edb9ecec, &rc_name=47edb9ed00, &rc_desc=47edb9ecf8, &rc_detail=47
[Thr 42792] DpSesGetWorkerType: return workerType DIA for T20_U945
[Thr 42792] RqQQueueGetNumberOfRequests: Queue <T20_U945_M0> in slot 120 contains 0 requests of type DIA
[Thr 42792] DpSesGetTasks: found 1 open tasks for T20_U945_M0
[Thr 42792] DpSesGetWorkerType: return workerType DIA for T20_U945
[Thr 42792] RqQQueueGetNumberOfRequests: Queue <T20_U945_M1> in slot 67 contains 0 requests of type DIA
[Thr 42792] DpSesGetTasks: found 0 open tasks for T20_U945_M1
[Thr 42792] *** ERROR => SSL handshake with <third party portal URL>:443 failed: SSSLERR_SSL_READ (-58)
[Thr 42792] SAPCRYPTO:SSL_read() failed
[Thr 42792]
[Thr 42792] SapSSLSessionStartNB()==SSSLERR_SSL_READ
[Thr 42792] SSL:SSL_read() failed (536875072/0x20001040)
[Thr 42792] => "received a fatal TLS handshake failure alert message from the peer"
[Thr 42792] SSL:SSL_get_state()==0x21d0 "TLS read finished A"
[Thr 42792] SSL NI-hdl 122: local=<SAPIP>:61772 peer=<3rd party portal IP>:443
[Thr 42792] cli SSL session PSE "S:\usr\sap\<SID>\DVEBMGS00\sec\SAPSSLC.pse"
[Thr 42792] session ciphersuites=214:PFS:HIGH:MEDIUM::EC_P256:EC_HIGH
[Thr 42792] Client SSL_CTX 0000014B8720D960 pvflags=960 (TLSv1.2,TLSv1.1,TLSv1.0,SSLv3)
[Thr 42792] Target Hostname="<third party portal URL>"
[Thr 42792] >> SecuSSL ErrStack: ----
[Thr 42792] 0x20001040 SAPCRYPTOLIB SSL_read
[Thr 42792] SSL API error
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] 0xa0600266 SSL ssl3_read_bytes
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] 0xa0600266 SSL ssl3_connect
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] 0xa0600266 SSL ssl3_read_bytes
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] <<
[Thr 42792]
[Thr 42792] {001b6ef3} {root-id=000D3A3DE7111EE99DF7B0F0DFE5894F} [icxxconn.c 2419]
[Thr 42792] GUI T20_U945_M0, 001, <User ID>, COMPUTER12, time=09:33:28, W6, program=RSHTTPPIN, high priority, memory=0, task
[Thr 42792] role: Client, protocol: HTTPS, local: <SAPIP>:61772, peer: <3rd party portal IP>:443

MichaelTe
Contributor

Hello,

I don't know if it is of concern, but your ciphersuite parameter looks different from the one proposed in note 2384290:

https://launchpad.support.sap.com/#/notes/2384290

Regards, Michael

tamil_arasan
Active Contributor

Hi Michael,

I set the same values as in 2384290 (parameters in the default profile, but not set in the ENV of the sidadm/SAPServiceSID users) and it still failed. The log I posted has cipher suites that support SSLv3 to TLS 1.2 (for testing purposes I enabled all, but reverted to the values per note 2384290).

Could there be any other reason for the issue?

Thanks,

Pradeep

MichaelTe
Contributor

Hello Pradeep,

according to note 510007 your settings mean:

"Only as desperate last resort, you should consider re-enabling the old SSLv3 protocol for interop with very very old communication peers, with these parameter values:
ssl/ciphersuites = 199:PFS:HIGH:MEDIUM::EC_P256:EC_HIGH
ssl/client_ciphersuites = 214:PFS:HIGH:MEDIUM::EC_P256:EC_HIGH"

But beyond that I have no other idea. Sorry.

Regards, Michael

tamil_arasan
Active Contributor

Hi Michael,

Yes, that is correct. I set it to enable SSLv3 but reverted back. Anyway, thanks 🙂

isaias.freitas, can you please help here 🙂 Many thanks

Thanks,

Pradeep

Accepted Solutions (1)

tamil_arasan
Active Contributor

Hi isaias.freitas and ger.munsters ,

First of all, thank you very much for your valuable inputs and all your help. I was unable to resolve the issue, and then confirmed that the third-party site is configured in such a way that it will accept a .pfx certificate only (both private and public keys). So I had to create a new client identity in transaction STRUST by navigating to Environment --> SSL client identities. I created a new entry there, and it automatically created a new folder on the left-hand side of transaction STRUST. I created a .PSE file from the .PFX using the sapgenpse command line tool and loaded the .PSE file into the newly created folder.

When calling the site, the ABAP team has coded it to load the certificate from the new SSL client identity folder. The call is successful.

Thank you so much for your help 🙂

Thanks,

Pradeep

isaias_freitas
Advisor

You're welcome!

I'm glad that it was fixed :-), and thank you for sharing the solution with the community 🐵

Answers (3)

isaias_freitas
Advisor

Hello Pradeep,

Server sent 0 trusted CA name(s) for client authentication

Thus, the SSL library at the ICM end does not know which client certificate it must send to authenticate.

Is the parameter "icm/HTTPS/client_sni_enabled = true" set? Maybe the server does not send the list of CAs because the ICM did not send SNI information. But this is just a "wild guess".

geferson.hess , any hints? 🙂

Regards,

Isaías
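
What the trace line "Server sent 0 trusted CA name(s) for client authentication" corresponds to on the wire, as an added example that is not part of this thread and not SAP's or CommonCryptoLib's code: a minimal encoder and decoder for the TLS 1.2 CertificateRequest handshake message (RFC 5246 section 7.4.4). Its certificate_authorities vector is the CA list Isaías refers to; when it is empty, the client has nothing to match its configured identities against, which the hypothetical `select_client_identity` helper at the end makes explicit. All function names are mine, the DER helpers only handle CN-only distinguished names, and the sample messages are constructed.

```python
import struct
from typing import Dict, List, Sequence, Tuple

# ClientCertificateType and SignatureAndHashAlgorithm code points from RFC 5246
CERT_TYPE_NAMES = {1: "rsa_sign", 2: "dss_sign", 64: "ecdsa_sign"}
HASH_NAMES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {1: "rsa", 2: "dsa", 3: "ecdsa"}
OID_COMMON_NAME = bytes([0x55, 0x04, 0x03])  # 2.5.4.3


def _der_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos and return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _der(tag: int, value: bytes) -> bytes:
    assert len(value) < 128, "short-form lengths are enough for the sample names"
    return bytes([tag, len(value)]) + value


def encode_cn_dn(cn: str) -> bytes:
    """DER Name with a single RDN, CN=<cn> as a PrintableString (demo-only subset)."""
    atv = _der(0x30, _der(0x06, OID_COMMON_NAME) + _der(0x13, cn.encode("ascii")))
    return _der(0x30, _der(0x31, atv))


def decode_cn_from_dn(dn: bytes) -> str:
    """Walk a DER Name and return its first CN attribute value."""
    _, rdn_sequence, _ = _der_tlv(dn, 0)
    pos = 0
    while pos < len(rdn_sequence):
        _, rdn_set, pos = _der_tlv(rdn_sequence, pos)
        _, atv, _ = _der_tlv(rdn_set, 0)
        _, oid, after_oid = _der_tlv(atv, 0)
        _, value, _ = _der_tlv(atv, after_oid)
        if oid == OID_COMMON_NAME:
            return value.decode("ascii", "replace")
    return "<no CN>"


def encode_certificate_request(cert_types: Sequence[int],
                               sig_algs: Sequence[Tuple[int, int]],
                               ca_cns: Sequence[str]) -> bytes:
    """Build the CertificateRequest body: types<1..255>, sigalgs<0..2^16-1>, CAs<0..2^16-1>."""
    body = bytes([len(cert_types)]) + bytes(cert_types)
    sa = b"".join(bytes(pair) for pair in sig_algs)
    body += struct.pack("!H", len(sa)) + sa
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in map(encode_cn_dn, ca_cns))
    return body + struct.pack("!H", len(cas)) + cas


def decode_certificate_request(body: bytes) -> Dict[str, List[str]]:
    """Parse a CertificateRequest body into what the ICM trace prints about it."""
    pos = 0
    n_types, pos = body[pos], pos + 1
    types, pos = list(body[pos:pos + n_types]), pos + n_types
    (sa_len,), pos = struct.unpack_from("!H", body, pos), pos + 2
    sig_algs = [(body[i], body[i + 1]) for i in range(pos, pos + sa_len, 2)]
    pos += sa_len
    (ca_len,), pos = struct.unpack_from("!H", body, pos), pos + 2
    end, ca_names = pos + ca_len, []
    while pos < end:  # zero iterations when the server names no CAs
        (dn_len,), pos = struct.unpack_from("!H", body, pos), pos + 2
        ca_names.append(decode_cn_from_dn(body[pos:pos + dn_len]))
        pos += dn_len
    return {
        "cert_types": [CERT_TYPE_NAMES.get(t, str(t)) for t in types],
        "sig_algs": [f"{HASH_NAMES.get(h, h)}/{SIG_NAMES.get(s, s)}" for h, s in sig_algs],
        "ca_names": ca_names,
    }


def select_client_identity(ca_names: Sequence[str], identities: Dict[str, str]) -> List[str]:
    """identities maps a PSE/identity name to the CN of its issuing CA (hypothetical model).
    With no CA names the list cannot be narrowed, so every identity stays a candidate."""
    if not ca_names:
        return list(identities)
    return [name for name, issuer in identities.items() if issuer in ca_names]


if __name__ == "__main__":
    # Constructed: the three types seen in the trace, two signature algorithms, no CA names
    empty = encode_certificate_request([1, 2, 64], [(4, 1), (4, 3)], [])
    print(decode_certificate_request(empty))
    named = encode_certificate_request([1], [(4, 1)], ["Test CA"])
    print(decode_certificate_request(named))
    print(select_client_identity([], {"SAPSSLC": "Corp Issuing CA", "WSSE": "Test CA"}))
```

Decoding the first constructed message yields the same facts the ICM trace printed (three certificate types, zero trusted CA names); the second shows the single DN the server would have to include for a client to pick the matching identity on its own.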

geferson_hess
Participant

Hello Pradeep,

The server is not sending any CAs, but the trace shows that the system is sending its own certificate anyway:
[Thr 42792] CCL[SSL]: Cli-000018D4: Server sent 0 trusted CA name(s) for client authentication
[Thr 42792] CCL[SSL]: Cli-000018D4: Sending own certificate [ssl3_output_cert_chain]

Probably because flag 16 is configured in the ssl/client_ciphersuites parameter (SAP Note 510007).
The issue is that the peer is closing the connection:
[Thr 42792] received a fatal TLS handshake failure alert message from the peer

You can set the SNI parameter that Isaias mentioned and try the recommended ciphersuite values as per SAP Note 510007.
But to be sure about why it is failing, we must check a trace on the peer. Is it a NW ABAP system too?
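
The reading Geferson does by hand above (no CA names from the server, own certificate sent anyway, fatal alert from the peer) can be automated over an ICM level-3 trace. The following is an added example, not code from this thread or from SAP: it extracts those facts, records the certificate chain the ICM sent, and flags the cases a reviewer would raise, including a chain that does not end in a self-signed root and SSLv3 still being enabled in the client context. The trace embedded in it is a constructed, shortened copy of the messages quoted in the question, with the same placeholders; regex patterns and the `HandshakeSummary` class are mine.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a condensed ICM level-3 trace in the shape of the one quoted in
# the question (same message texts, placeholder names, fewer lines).
SAMPLE_TRACE = """\
[Thr 42792] CCL[SSL]: Cli-000018D4: Server requested client authentication [ssl3_decode_certificate_request]
[Thr 42792] CCL[SSL]: Cli-000018D4: Server supports 3 client certificate type(s) [ssl3_decode_certificate_request]
[Thr 42792] CCL[SSL]: Cli-000018D4: Server sent 0 trusted CA name(s) for client authentication [ssl3_decode_certificate_request]
[Thr 42792] CCL[SSL]: Cli-000018D4: Sending own certificate [ssl3_output_cert_chain]
[Thr 42792] CCL[SSL]: Cli-000018D4: Own TLS certificate:
[Thr 42792]   Subject: CN=<SAP SSL Certificate>, O=<Org Name>, L=city
[Thr 42792]   Issuer: CN=GlobalSign Extended Validation CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
[Thr 42792] CCL[SSL]: Cli-000018D4: CA certificate:
[Thr 42792]   Subject: CN=GlobalSign Extended Validation CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
[Thr 42792]   Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
[Thr 42792] CCL[SSL]: Cli-000018D4: Error 0xA0600266: received a fatal TLS handshake failure alert message from the peer
[Thr 42792] cli SSL session PSE "S:\\usr\\sap\\<SID>\\DVEBMGS00\\sec\\SAPSSLC.pse"
[Thr 42792] Client SSL_CTX 0000014B8720D960 pvflags=960 (TLSv1.2,TLSv1.1,TLSv1.0,SSLv3)
"""

THR_PREFIX = re.compile(r"^\[Thr \d+\]\s*")
CA_NAMES = re.compile(r"Server sent (\d+) trusted CA name\(s\)")
FATAL_ALERT = re.compile(r"received a fatal TLS (.+?) alert message from the peer")
PSE_PATH = re.compile(r'cli SSL session PSE "([^"]+)"')
PROTOCOLS = re.compile(r"pvflags=\d+ \(([^)]+)\)")


@dataclass
class HandshakeSummary:
    client_auth_requested: bool = False
    ca_names_sent: Optional[int] = None
    own_cert_sent: bool = False
    chain: List[Dict[str, str]] = field(default_factory=list)  # certificates in the order sent
    fatal_alert: Optional[str] = None
    pse: Optional[str] = None
    protocols: List[str] = field(default_factory=list)

    def chain_ends_at_root(self) -> bool:
        """True when the last certificate sent is self-signed (subject == issuer)."""
        if not self.chain:
            return False
        return self.chain[-1].get("subject") == self.chain[-1].get("issuer")

    def findings(self) -> List[str]:
        out = []
        if self.client_auth_requested and self.ca_names_sent == 0:
            out.append("server requested a client certificate but named no trusted CAs: "
                       "the client cannot tell which identity is wanted and sends its default PSE")
        if self.own_cert_sent and not self.chain_ends_at_root():
            last_issuer = self.chain[-1].get("issuer", "?") if self.chain else "?"
            out.append(f"chain sent does not include a self-signed root; the peer must already "
                       f"trust '{last_issuer}'")
        if self.fatal_alert:
            out.append(f"peer answered the Certificate message with a fatal '{self.fatal_alert}' "
                       "alert: the rejection happened on the peer side, so its trace is needed")
        if "SSLv3" in self.protocols:
            out.append("SSLv3 is enabled in the client context; keep it off unless the peer requires it")
        return out


def summarize(trace: str) -> HandshakeSummary:
    """Extract the client-authentication facts from ICM level-3 trace text."""
    s = HandshakeSummary()
    for raw in trace.splitlines():
        line = THR_PREFIX.sub("", raw).strip()
        if "Server requested client authentication" in line:
            s.client_auth_requested = True
        elif (m := CA_NAMES.search(line)):
            s.ca_names_sent = int(m.group(1))
        elif "Sending own certificate" in line:
            s.own_cert_sent = True
        elif line.endswith("Own TLS certificate:") or line.endswith("CA certificate:"):
            s.chain.append({})  # the Subject/Issuer lines that follow belong to this entry
        elif line.startswith("Subject: ") and s.chain:
            s.chain[-1]["subject"] = line[len("Subject: "):]
        elif line.startswith("Issuer: ") and s.chain:
            s.chain[-1]["issuer"] = line[len("Issuer: "):]
        elif (m := FATAL_ALERT.search(line)):
            s.fatal_alert = m.group(1)
        elif (m := PSE_PATH.search(line)):
            s.pse = m.group(1)
        elif (m := PROTOCOLS.search(line)):
            s.protocols = m.group(1).split(",")
    return s


if __name__ == "__main__":
    summary = summarize(SAMPLE_TRACE)
    print(f"PSE used: {summary.pse}")
    for finding in summary.findings():
        print("-", finding)
```

Run against a real dev_icm trace the script gives the same four findings a careful reader gets from the thread's log: an empty CA list, a default PSE sent in reply, a chain that stops at an intermediate, and a peer-side rejection that only the peer's own trace can explain.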

grahamday28
Explorer

Hi Pradeep, I have encountered a similar issue to this (a TLS protocol version issue); the answers provided have given me some good pointers. I just have a small request: I have also created a client identity specific to the web service I was trying to access. I was interested to read that your ABAP team were able to code it so that you could extract the certificates linked to the STRUST entry. I don't suppose you could tell me which class / method or FM they used to do this? Kind regards, Graham

tamil_arasan
Active Contributor

icm-logs-level3-new.txt

Hi isaias.freitas and geferson.hess ,

Thanks a lot for your help. Actually, I have set icm/HTTPS/client_sni_enabled = TRUE in the default profile and restarted the ICM for it to take effect. I tried again but still no luck. I have set the ciphersuites as per SAP note 510007 (enabled TLS 1.0, TLS 1.1 and TLS 1.2). Please refer to the attached screenshot. I have not set the ciphersuite ENVs for sidadm and SAPServiceSID. Is this required?

The third-party website is running on a non-SAP system.

Please refer to the attached latest logs. Thank you very much for your help.

Thanks,

Pradeep

geferson_hess
Participant

Hello Pradeep,

The best way to address it right now is to check with the peer to understand why the connection is being closed on their side.
Maybe they don't trust the certificate sent from the ABAP system? Only a guess.

Regards,
Geferson

tamil_arasan
Active Contributor

Thanks Geferson.

I'll check the peer trace and update you. Thank you so much 🙂

Thanks,

Pradeep

isaias_freitas
Advisor

Hello Pradeep,

Let us know what you find on the peer end.

The new trace did not reveal anything new.

Regards,

Isaías

tamil_arasan
Active Contributor

Hi Isaias,

The old client certificate didn't have the complete certificate chain. I requested a new client certificate with the complete certificate chain (the root certificate was missing in the earlier certificate). I created a PSE file from the newly received .pfx client authentication certificate using sapgenpse. I replaced "SAP client WSSE Web Service" in STRUST with the newly created PSE file (created from the new client authentication certificate).

When I do a connection test with "SAP client WSSE Web Service" in SM59, the connection test is OK and returns HTTP code 200.

But when I add the client certificate into SAPSSLC.PSE, I get an SSL handshake error. I guess the SAP system is not sending the client certificate to the peer. Is there any ciphersuite that we need to set up in the server/client parameters to send the client certificate? The current client ciphersuite parameter is 150:PFS:HIGH::EC_P256:EC_HIGH

Thanks,

Pradeep

isaias_freitas
Advisor

Hello Pradeep,

(strange, I only saw the notification now...)

If you still need assistance, please provide a new level 2 trace from the ICM, collected while simulating the issue.

Regards,

Isaías