SAP Web Dispatcher showing "ERROR during secussl_read()..."

Using SSL termination on Web Dispatcher.

The certificate installed in the Web Dispatcher is valid and accepted by the clients, yet our SAP Web Dispatcher is showing a lot of these. What can we do to get rid of these errors?

[Thr 1544]   SSL_get_state()==0x1180 "TLS read client certificate A"
[Thr 1544] *** ERROR during secussl_read() from SSL_read()==SSL_ERROR_SSL
[Thr 1544]   srv SSL session PSE "/usr/sap/WEB/W00/sec/SAPSSLS.pse"
[Thr 1544]   session ciphersuites=HIGH:MEDIUM:+e3DES:!aNULL
[Thr 1544]   Server SSL_CTX 1161b75f0 pvflags = 897 (TLSv1.2,TLSv1.1,TLSv1.0,BC)
[Thr 1544] secussl_read: SSL_read() failed  (536875078/0x20001046)
[Thr 1544]    => "received a fatal TLS certificate unknown alert message from the peer"
[Thr 1544] >> ---------- Begin of Secu-SSL Errorstack ---------- >>
[Thr 1544] 0x20001046 | SAPCRYPTOLIB | SSL_read
[Thr 1544] SSL API error
[Thr 1544] received a fatal TLS certificate unknown alert message from the peer
[Thr 1544] 0xa0600263 | SSL | ssl3_read_bytes
[Thr 1544] received a fatal TLS certificate unknown alert message from the peer
[Thr 1544] 0xa0600263 | SSL | ssl3_accept
[Thr 1544] received a fatal TLS certificate unknown alert message from the peer
[Thr 1544] 0xa0600263 | SSL | ssl3_read_bytes
[Thr 1544] received a fatal TLS certificate unknown alert message from the peer
[Thr 1544] << ---------- End of Secu-SSL Errorstack ----------
[Thr 1544]   SSL NI-hdl 2723: local=139.53.87.228:443  peer=139.53.87.218:46516
[Thr 1544] <<- ERROR: SapSSLSessionStartNB(sssl_hdl=11d178c10)==SSSLERR_SSL_READ
[Thr 1544] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStartNB returned (-58): SSSLERR_SSL_READ [icxxconn.c   1803]

3 Answers

  • Jun 07, 2017 at 02:31 PM

    Hello Pieter,

    Increase the ICM trace level to 2 and capture one occurrence of those entries.

    Then, take a look at the SAP Note 1318906.

    If you need further assistance, please provide the level 2 trace entries (preferably the whole dev_icm trace file).

    Regards,

    Isaías


  • Former Member
    Jun 13, 2017 at 05:48 AM

    Hi Pieter,

    I'm facing the same problem in my web dispatcher.

    Have you managed to find a solution?

    Thanks and regards.


  • Former Member
    Aug 15, 2017 at 08:52 AM

    I had the same error - during solman_setup when testing the SAP WebDispatcher configuration. The reason was a missing root certificate in the standard and anonymous client PSE files of the ABAP instance. When installing the root certificate into the client PSE, a connection of that client to the SSL server will have no warnings or errors like "peer not trusted". This is similar to certificate errors of a normal Internet browser, when the root certificate of an SSL server is not installed.

    You need to have the root and/or intermediate certificate from the CA that also issued the SSL server certificate. Then simply install it:

    setenv SECUDIR /usr/sap/<SID>/<instance dir>/sec 
    cd $SECUDIR
    sapgenpse maintain_pk -m CA_certificate_chain.p7b -p SAPSSLA.pse 

    List result:

    sapgenpse maintain_pk -l -p SAPSSLA.pse 

    Do the same for SAPSSLC.pse

    After installing this in the ABAP central instance of the Solman, the SSL connect went through.

    Regards, Marc
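
Added example (not part of the original question or answers): a small Python parser for the dev_icm error blocks shown in the question. It groups failed handshakes by peer address, so you can see which client is sending the "certificate unknown" alert and therefore whose trust store to check. The sample lines are copied from the trace above; the function names are illustrative, and IPv4 peers are assumed.

```python
import re
from collections import Counter, defaultdict

# Sample: lines copied from the trace in the question (abridged).
SAMPLE_TRACE = '''\
[Thr 1544]   SSL_get_state()==0x1180 "TLS read client certificate A"
[Thr 1544] *** ERROR during secussl_read() from SSL_read()==SSL_ERROR_SSL
[Thr 1544]   srv SSL session PSE "/usr/sap/WEB/W00/sec/SAPSSLS.pse"
[Thr 1544]    => "received a fatal TLS certificate unknown alert message from the peer"
[Thr 1544]   SSL NI-hdl 2723: local=139.53.87.228:443  peer=139.53.87.218:46516
[Thr 1544] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStartNB returned (-58): SSSLERR_SSL_READ [icxxconn.c   1803]
'''

LINE = re.compile(r'^\[Thr (\d+)\]\s+(.*)$')
STATE = re.compile(r'SSL_get_state\(\)==0x[0-9a-fA-F]+ "([^"]+)"')
PSE = re.compile(r'SSL session PSE "([^"]+)"')
ALERT = re.compile(r'=> "(received a fatal TLS .+? alert message from the peer)"')
PEER = re.compile(r'peer=([^\s:]+):\d+')  # IPv4 address, port dropped
END = re.compile(r'IcmConnInitServerSSL: SapSSLSessionStartNB returned \((-?\d+)\)')

def parse_failures(text):
    """Return one dict per failed handshake, tracked per ICM thread."""
    pending, failures = defaultdict(dict), []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a thread-prefixed trace line
        thr, body = m.group(1), m.group(2)
        cur = pending[thr]
        for key, rx in (("state", STATE), ("pse", PSE),
                        ("alert", ALERT), ("peer", PEER)):
            hit = rx.search(body)
            if hit:
                cur[key] = hit.group(1)
        hit = END.search(body)
        if hit:  # closing line of the error block: emit and reset the thread
            failures.append(dict(pending.pop(thr), thread=thr, rc=int(hit.group(1))))
    return failures

def peers_rejecting_server_cert(failures):
    """Count, per peer, handshakes ended by a 'certificate unknown' alert."""
    return Counter(f["peer"] for f in failures
                   if "certificate unknown" in f.get("alert", "") and "peer" in f)

if __name__ == "__main__":
    for peer, n in peers_rejecting_server_cert(parse_failures(SAMPLE_TRACE)).most_common():
        print(f"{peer}: {n} rejected handshake(s)")
```

Run it over the full dev_icm file by passing the file's contents to `parse_failures()`; a single peer dominating the count points at one client system rather than at the Web Dispatcher's own certificate.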
