
SAP Web Dispatcher showing "ERROR during secussl_read()..."

Jun 01, 2017 at 11:03 AM

Former Member

Using SSL termination on Web Dispatcher.

The certificate installed in the Web Dispatcher is valid and accepted by the clients, yet our SAP Web Dispatcher is showing a lot of these. What can we do to get rid of these errors?

[Thr 1544]   SSL_get_state()==0x1180 "TLS read client certificate A"
[Thr 1544] *** ERROR during secussl_read() from SSL_read()==SSL_ERROR_SSL
[Thr 1544]   srv SSL session PSE "/usr/sap/WEB/W00/sec/SAPSSLS.pse"
[Thr 1544]   session ciphersuites=HIGH:MEDIUM:+e3DES:!aNULL
[Thr 1544]   Server SSL_CTX 1161b75f0 pvflags = 897 (TLSv1.2,TLSv1.1,TLSv1.0,BC)
[Thr 1544] secussl_read: SSL_read() failed  (536875078/0x20001046)
[Thr 1544]    => "received a fatal TLS certificate unknown alert message from the peer"
[Thr 1544] >> ---------- Begin of Secu-SSL Errorstack ---------- >>
[Thr 1544] 0x20001046 | SAPCRYPTOLIB | SSL_read
[Thr 1544] SSL API error
[Thr 1544] received a fatal TLS certificate unknown alert message from the peer
[Thr 1544] 0xa0600263 | SSL | ssl3_read_bytes
[Thr 1544] received a fatal TLS certificate unknown alert message from the peer
[Thr 1544] 0xa0600263 | SSL | ssl3_accept
[Thr 1544] received a fatal TLS certificate unknown alert message from the peer
[Thr 1544] 0xa0600263 | SSL | ssl3_read_bytes
[Thr 1544] received a fatal TLS certificate unknown alert message from the peer
[Thr 1544] << ---------- End of Secu-SSL Errorstack ----------
[Thr 1544]   SSL NI-hdl 2723: local=139.53.87.228:443  peer=139.53.87.218:46516
[Thr 1544] <<- ERROR: SapSSLSessionStartNB(sssl_hdl=11d178c10)==SSSLERR_SSL_READ
[Thr 1544] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStartNB returned (-58): SSSLERR_SSL_READ [icxxconn.c   1803]
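One way to triage a trace like the one in the question, as an added example that is not part of the original post and not SAP tooling: it groups dev_icm lines by thread and counts failed handshakes per peer address and TLS alert, which shows which clients are rejecting the server certificate. The sample trace is constructed in the format of the post, with documentation addresses; the function names and the assumption that records from different threads can interleave belong to this example.

```python
import re
from collections import Counter

# Constructed sample in the format of the trace posted above
# (documentation addresses; thread 1601 has no alert line on purpose).
SAMPLE = """\
[Thr 1544]   SSL_get_state()==0x1180 "TLS read client certificate A"
[Thr 1600]   SSL_get_state()==0x1180 "TLS read client certificate A"
[Thr 1544] *** ERROR during secussl_read() from SSL_read()==SSL_ERROR_SSL
[Thr 1544]    => "received a fatal TLS certificate unknown alert message from the peer"
[Thr 1600]    => "received a fatal TLS certificate unknown alert message from the peer"
[Thr 1544]   SSL NI-hdl 2723: local=192.0.2.10:443  peer=192.0.2.20:46516
[Thr 1600]   SSL NI-hdl 2724: local=192.0.2.10:443  peer=192.0.2.20:46520
[Thr 1544] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStartNB returned (-58): SSSLERR_SSL_READ [icxxconn.c   1803]
[Thr 1600] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStartNB returned (-58): SSSLERR_SSL_READ [icxxconn.c   1803]
[Thr 1601]   SSL NI-hdl 2725: local=192.0.2.10:443  peer=198.51.100.7:50011
[Thr 1601] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStartNB returned (-58): SSSLERR_SSL_READ [icxxconn.c   1803]
"""

LINE = re.compile(r"^\[Thr (\d+)\]\s+(.*)$")
STATE = re.compile(r'SSL_get_state\(\)==\S+ "([^"]+)"')
ALERT = re.compile(r"received a fatal TLS (.+?) alert message from the peer")
PEER = re.compile(r"peer=(\S+):\d+")
END = "IcmConnInitServerSSL"  # last line of a failed-handshake record

def failed_handshakes(trace):
    """Yield one dict per failed handshake. Lines are keyed by thread id,
    so records from different threads may interleave in the file."""
    open_recs = {}
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a thread-tagged trace line
        thr, text = m.groups()
        rec = open_recs.setdefault(
            thr, {"thread": thr, "state": None, "alert": None, "peer": None})
        if (s := STATE.search(text)):
            rec["state"] = s.group(1)   # handshake step that was in progress
        elif (a := ALERT.search(text)):
            rec["alert"] = a.group(1)   # alert name as sent by the client
        elif (p := PEER.search(text)):
            rec["peer"] = p.group(1)    # client IP without the ephemeral port
        elif END in text:
            yield open_recs.pop(thr)    # record complete for this thread

def alerts_by_peer(trace):
    """Count failed handshakes per (peer address, alert name)."""
    return Counter((r["peer"], r["alert"]) for r in failed_handshakes(trace))

if __name__ == "__main__":
    for (peer, alert), n in alerts_by_peer(SAMPLE).most_common():
        print(f"{n:4d}  {peer}  {alert}")
```

Run against a real dev_icm file by passing its contents to `alerts_by_peer`; the peers it lists with "certificate unknown" are the clients whose trust configuration to inspect.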

3 Answers

Isaias Freitas
Jun 07, 2017 at 02:31 PM
1

Hello Pieter,

Increase the ICM trace level to 2 and capture one occurrence of those entries.

Then, take a look at the SAP Note 1318906.

If you need further assistance, please provide the level 2 trace entries (preferably the whole dev_icm trace file).

Regards,

Isaías

Former Member Jun 13, 2017 at 05:48 AM
0

Hi Pieter,

I'm facing the same problem in my web dispatcher.

Have you managed to find a solution?

Thanks and regards.

Former Member Aug 15, 2017 at 08:52 AM
0

I had the same error during solman_setup when testing the SAP WebDispatcher configuration. The reason was a missing root certificate in the standard and anonymous client PSE files of the ABAP instance. When installing the root certificate into the client PSE, a connection of that client to the SSL server will have no warnings or errors like "peer not trusted". This is similar to certificate errors of a normal Internet browser, when the root certificate of an SSL server is not installed.

You need to have the root and/or intermediate certificate from the CA that also issued the SSL server certificate. Then simply install it:

setenv SECUDIR /usr/sap/<SID>/<instance dir>/sec 
cd $SECUDIR
sapgenpse maintain_pk -m CA_certificate_chain.p7b -p SAPSSLA.pse 

List result:

sapgenpse maintain_pk -l -p SAPSSLA.pse 

Do the same for SAPSSLC.pse

After installing this in the ABAP central instance of the Solman, the SSL connect went through.

Regards, Marc
