1

SAP SSL handshake failed

Apr 03 at 01:45 PM


I'm trying to retrieve data from an open data API. I have downloaded the certificate from the site and imported it into STRUST (SSL Client Anonymous). Then I created an HTTP connection to an external server in SM59. In the beginning it worked fine, until last week when the API changed its URL and so its DNS name. Of course it could no longer be reached via the old host. So I did the above steps again for the new URL (changed everything accordingly, like the hostname etc. in SM59), but this time I receive the following error: SSL handshake with 'hostname:port' failed: SSSLERR_CONN_CLOSED (-10)#Remote Peer has closed the network connection##SapSSLSessionStartNB()==SSSLERR_CONN_CLOSED##

Does anyone have an idea how to solve this?


3 Answers

Best Answer
Robert Russell Apr 12 at 08:51 PM
5

Hi Sven,

Interesting question :) had me googling, and I have got it to bypass the SSSLERR_CONN_CLOSED error message.

By setting the parameter mentioned in this note to true on my NPL demo system 751:

2124480 - ICM / Web Dispatcher: TLS Extension Server Name Indication (SNI) as client

"To enable SNI set icm/HTTPS/client_sni_enabled to "true". This parameter is dynamic."

If you're interested :) my googling was a result of trying and failing with openssl client connections (to see another non-browser connection).

The errors in this connection led me to these links, which mentioned Server Name Indication (SNI) as a way of using more certificates on one IP address. Which must be the case for "public.brussels-parking-guidance.com", and so the SAP parameter is required.

Hope it helps :)

Cheers

Robert


Hi all,

I could simulate the issue using an internal test system.

I was discussing this case with a BC-SEC-SSL colleague, and then I saw Robert's update.

I performed some tests and it worked for me. Thus, setting "icm/HTTPS/client_sni_enabled = TRUE" should be the solution.

Thank you, Robert! Well done :-).

Regards,

Isaías

Notify: Bartosz Jarkowski, Sven Swennen

2

Wow! Congrats Rob!

1

Hello Robert

Thanks for the answer. I'm new to SAP and I want to verify if I'm going to do this correctly. For this parameter, am I correct that I have to go to RZ10, fill in the profile I'm using and then create this parameter (because I don't see the parameter in any of the profiles)?

Or am I completely incorrect and is "icm/HTTPS/client_sni_enabled = TRUE" found somewhere else? I tried googling it but it only says what it is and does, not where to modify it.

Kind regards

Sven Swennen

0

Hello Sven,

You are correct.

You access the transaction RZ10 and create the parameter there, at the instance profile (or even at the DEFAULT.PFL, so all instances have this parameter set; this also avoids the need to set the parameter on each instance profile).

You would have to restart SAP to activate the changes made to the profiles.

However, the parameter in question (icm/HTTPS/client_sni_enabled) is dynamically switchable.

Thus, besides creating the parameter through RZ10 (so SAP already starts with the desired value when restarted), you can activate the new value immediately through the transaction RZ11.

Kind regards,

Isaías

3

Thank you so much, all of you for helping me out.

I will create this parameter, but I'll have to discuss with my boss if it's possible to restart SAP overnight or if I have to wait till the next update, since I'm doing this on our company server and they probably won't like it if I casually restart it now. I'll let you know if it worked or not, so fingers crossed :).

UPDATE: if everything goes to plan I should be able to test it Wednesday, so if it all works I'll mark this one as the correct answer.

Thanks for all the help & kind regards

Sven Swennen

1

Hello Sven,

Just remarking that you can switch the value of the parameter dynamically, through transaction RZ11.

Therefore, there is no need to restart SAP :-).

This, however, does not eliminate the need to set the parameter at the profile too (RZ10).

Being a dynamic change, it will be lost if/when SAP is restarted. Setting the parameter at the profile ensures that SAP already starts with the desired value.

Kind regards,

Isaías

1

Hello Isaias

Yes, I read it in the other comments too, but I forgot to mention that I'm not authorized to use RZ11, but I am authorized to use RZ10 (no idea why). Asking for new authorizations will take longer than waiting for the restart of the application server.

Kind regards

Sven Swennen

0

Problem has been resolved thank you very much!

Kind regards

Sven

2
Isaias Freitas
Apr 06 at 10:40 PM
1

Hello Sven,

Have you imported the new SSL server certificate to the anonymous PSE (STRUST)?

And is the SM59 still configured to use the anonymous PSE too (under the "technical settings" tab)?

Did anything else change at the remote website? Like, now the website requires authentication using a client certificate?

Simulating the issue with the ICM running on trace level 2 and providing the trace might help us to identify other possibilities.

Regards,

Isaías


Hello Isaias

Yes, I imported the new SSL server certificate to the anonymous PSE. In SM59 I configured everything correctly. I've been looking into it the past days and I think that the new remote site requests a key of the certificate which isn't provided. I came to this conclusion because at the moment, without the key, it is even impossible to send a request to the site via Postman. I'm gonna try to generate a key via the command prompt and see if I can retrieve a request via Postman.

Let me know if you have any other ideas that I could try.

Kind regards

Sven Swennen

0

Hello Sven,

A level 2 trace of the ICM could help us verifying whether we can suggest anything else.

You can increase its trace level through the transaction SMICM, then perform a "connection test" at SM59 and reduce the trace level as soon as the issue is simulated.

Besides attaching the trace file to this thread, we would need the name of the target server.

Kind regards,

Isaías

0

Hello

The only thing the trace outputs at level 1 is "Remote peer has closed the network connection".

So not really helpful.

The traces at higher levels don't output any errors.

It seems like it is an issue with the certificate, but I don't know how to solve it.

Kind regards

Sven

capture.png (36.9 kB)
0

Hello Sven,

The trace says "Failed to verify peer certificate. Peer not trusted".

This would mean that SAP does not trust the certificate it received from the remote server.

You would need to either import the certificate itself, or import the certificate of the "issuer" (the CA - Certification Authority - that signed the certificate).

The screenshot does not show whether the client or anonymous PSE ("SAPSSLC.pse" and "SAPSSLA.pse", by default) was in use. So, maybe import the certificate at both, to be on the safe side, as this would not cause any issues.

This wiki page might help.

Kind regards,

Isaías

0

Hi Isaias,

I tried to replicate the issue and I also encounter it.

Here are my SMICM logs (level 3):

[Thr 140608096933632] Thu Apr 12 14:05:07:547 2018
[Thr 140608096933632]      in: cred_hdl = 7fe1d405c670
[Thr 140608096933632] ->> SapSSLSetTargetHostname(sssl_hdl=7fe1a8001690, &hostname=7fe1a8001500)
[Thr 140608096933632] <<- SapSSLSetTargetHostname(sssl_hdl=7fe1a8001690)==SAP_O_K
[Thr 140608096933632]      in: hostname = "public.brussels-parking-guidance.com"
[Thr 140608096933632] ->> SapSSLSessionStartNB(sssl_hdl=7fe1a8001690, flags=00000000, timeout=80000, &IOstat=7fe1dfab7f30)
[Thr 140608096933632] NiIBlockMode: leave blockmode for hdl 96 FALSE
[Thr 140608096933632] NiIHdlGetStatus: hdl 96/sock 31 ok, no data pending
[Thr 140608096933632]   SapISSLUseSessionCache(): Creating NEW session (0 cached)
[Thr 140608096933632] CCL[SSL]: Cli-0000000C: Have no session to be resumed. Performing full handshake [ssl3_client_hello]
[Thr 140608096933632] CCL[SSL]: Cli-0000000C: ClientHello: Offering protocol version 3.1 (TLSv1.0) [ssl3_get_client_hello_version]
[Thr 140608096933632] CCL[SSL]: Cli-0000000C: ClientHello: no session resumption requested (empty session ID) [ssl3_client_hello]
[Thr 140608096933632] CCL[SSL]: Cli-0000000C: Summary: Offering 6 cipher suite(s) and SCSV(s):
[Thr 140608096933632]     < 0> : TLS_RSA_WITH_AES128_CBC_SHA
[Thr 140608096933632]     < 1> : TLS_RSA_WITH_AES256_CBC_SHA
[Thr 140608096933632]     < 2> : TLS_RSA_WITH_3DES_EDE_CBC_SHA
[Thr 140608096933632]     < 3> : TLS_RSA_WITH_RC4_128_SHA
[Thr 140608096933632]     < 4> : TLS_RSA_WITH_RC4_128_MD5
[Thr 140608096933632]     < 5> : Signaling cipher suite value (SCSV) secure renegotiation (RFC5746)
[Thr 140608096933632]  [ssl_cipher_suites_to_bytes]
[Thr 140608096933632] CCL[SSL]: Cli-0000000C: Sending SSLv3/TLS ClientHello [ssl3_client_hello]
[Thr 140608096933632]   SSL:SiSend(sock=  31)== 0 (SI_OK)       (out=60 of 60)
[Thr 140608096933632]   SSL:SiRecv(sock=  31)==13 (SI_ETIMEOUT) (in=0, max=16)
[Thr 140608096933632]     > SSL:SiPoll(sock=31, evt=R, timeout=80000 ms)
[Thr 140608096933632]   <   SSL:SiPoll(sock=31, evt=R, slept  =  19 ms) Ready
[Thr 140608096933632]   SSL:SiRecv(sock=  31)==12 (SI_ECONN_BROKEN) (in=0, max=16)
[Thr 140608096933632]   SSL_get_state()==0x2120 "TLS read server hello A"
[Thr 140608096933632]   SSLSessionStart: new SSL session (TLSv1.0) no CertRequest
[Thr 140608096933632]   Stop! Required server certificate not present
[Thr 140608096933632] <<- SapSSLSessionStartNB(sssl_hdl=7fe1a8001690)==SSSLERR_CONN_CLOSED
[Thr 140608096933632] ->> SapSSLSessionLastError(sssl_hdl=7fe1a8001690, &rc=7fe1dfab7f20, &rc_name=7fe1dfab7f40, &rc_desc=7fe1dfab7f50, &rc_detail=7fe1dfab7f60)
[Thr 140608096933632] DpSesGetWorkerType: return workerType DIA for T6_U108
[Thr 140608096933632] RqQQueueGetNumberOfRequests: Queue <T6_U108_M0> in slot 45 contains 0 requests of type DIA
[Thr 140608096933632] DpSesGetTasks: found 0 open tasks for T6_U108_M0
[Thr 140608096933632] DpSesGetWorkerType: return workerType DIA for T6_U108
[Thr 140608096933632] RqQQueueGetNumberOfRequests: Queue <T6_U108_M1> in slot 41 contains 0 requests of type DIA
[Thr 140608096933632] DpSesGetTasks: found 1 open tasks for T6_U108_M1
[Thr 140608096933632] *** ERROR => SSL handshake with public.brussels-parking-guidance.com:443 failed: SSSLERR_CONN_CLOSED (-10)
[Thr 140608096933632] Remote Peer has closed the network connection

I thought it may be related to the SSL/TLS version, so I checked it with the profile parameter

ssl/client_ciphersuites = 208:HIGH:MEDIUM

But it didn't change anything. Sorry for interrupting your answer, but I hope this will help to solve Sven's issue.

BTW, I'm 99.99% sure my config is correct - I added all certs, restarted the ICM etc.
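Robert's SNI explanation and Bartosz's trace above fit together: a ClientHello with exactly the fields the trace lists (TLSv1.0, six cipher suites including the renegotiation SCSV, empty session ID, one compression method) and no extensions is 60 bytes long, which is the size the trace reports sending ("out=60 of 60"), so no server_name extension was offered before the peer closed the connection. As an added example that is not from the thread, this Python script builds that ClientHello and a variant carrying SNI, then parses both to report whether SNI is present; the cipher-suite codes and hostname are those in the trace, the random field is constructed zeros.

```python
import struct

SNI_EXT_TYPE = 0x0000  # server_name extension type, RFC 6066
# Cipher suites the ICM trace lists (IANA codes), in the trace's order; 0x00FF is the SCSV.
TRACE_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004, 0x00FF]


def build_client_hello(suites, server_name=None, version=(3, 1)):
    """Build a TLS record holding a ClientHello; SNI extension only if server_name is given."""
    body = bytes(version) + bytes(32)          # client_version + constructed all-zero random
    body += b"\x00"                            # empty session ID (no resumption, as in the trace)
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                        # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        sni = b"\x00" + struct.pack("!H", len(name)) + name      # ServerName: host_name type
        ext = struct.pack("!H", len(sni)) + sni                  # ServerNameList
        ext = struct.pack("!HH", SNI_EXT_TYPE, len(ext)) + ext   # Extension {type, length, data}
        body += struct.pack("!H", len(ext)) + ext                # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = ClientHello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the offered version, cipher suites and SNI host (None when no SNI was sent)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    p = 9                                      # skip 5-byte record and 4-byte handshake headers
    version = (record[p], record[p + 1]); p += 2
    p += 32                                    # random
    p += 1 + record[p]                         # session ID
    n = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", record[i:i + 2])[0] for i in range(p, p + n, 2)]; p += n
    p += 1 + record[p]                         # compression methods
    sni = None
    if p < len(record):                        # extensions block present only if bytes remain
        ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]; p += 2
        while p < ext_end:
            etype, elen = struct.unpack("!HH", record[p:p + 4]); p += 4
            if etype == SNI_EXT_TYPE:          # skip list length (2) and name type (1)
                name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
                sni = record[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
    return {"version": version, "suites": suites, "sni": sni}


if __name__ == "__main__":
    # Without SNI the record is exactly 60 bytes, the size the trace reports (out=60 of 60).
    for hello in (build_client_hello(TRACE_SUITES),
                  build_client_hello(TRACE_SUITES, "public.brussels-parking-guidance.com")):
        print(len(hello), "bytes ->", parse_client_hello(hello))
```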

1

Hello

The screenshot doesn't show it, but I'm certain the anonymous PSE is used. To be sure I also imported it all in standard, but without success. Since I'm really stuck I'll provide the link from where I'm trying to get data: https://public.brussels-parking-guidance.com/Datex/Export?publication=dynamic .
I'm not too familiar with certificates, so for your question about the CA certificate I tried the following: I downloaded all the certificates of the site (DST Root, the X3 and the one of the site itself, see screenshot). Then I added them to STRUST by importing them.

Afterwards I created a new HTTP connection to an external server in SM59 and filled in all the required fields: as host I put public.brussels-parking-guidance.com and as path prefix /Datex/Export?publication=dynamic. Under logon & security I activated SSL certificate and set it to anonymous (I also configured the proxy correctly). But for some reason it is not trusting the certificate.

Is this the correct way?

Kind regards
Sven

capture.png (5.7 kB)
0

Hello Sven,

For the purposes of SSL trust, importing the certificate of "Let's Encrypt Authority X3" would suffice, but it would be recommended to import the "DST Root CA X3" too.

There is no need to import the last one ("public.brussels-parking-guidance.com").

Based on the SM59 settings you have mentioned (which seem correct), you would need to import those two certificates at the Anonymous PSE file.

To confirm that everything is correct with it, logon at operating system level as "SIDadm" and execute the following command:

sapgenpse maintain_pk -l -p <path to anonymous PSE - SAPSSLA.pse>

You should see the "DST Root" and the other "X3" certificates listed at the output.

If you see them there, try restarting the ICM (transaction SMICM, menu Administration -> ICM -> Exit Soft/Hard -> Local).

Depending on the SAP NetWeaver release in use, restarting the ICM manually would be required, so it reloads the PSE files.

Regards,

Isaías

0

Hello

Did it all except for the operating system level (I have no authorization to do this).

Unfortunately still having the same error. It's starting to look like this one just isn't going to work.

Thanks for all the help, if you got any other ideas feel free to still share them so I can test them :).

Kind regards

Sven Swennen

0

Hi!

Can you provide the complete "dev_icm" trace file?

Kind regards,

Isaías

0

Hello

This is the end of the level 2 ICM trace.

Let me know if this is what you wanted to see (I couldn't upload the whole file since it is 30MB and SCN only allows 1MB)?

icm-end.txt

Kind regards

Sven Swennen

icm-end.txt (66.0 kB)
0
Bartosz Jarkowski Apr 11 at 08:59 AM
1

Can you connect to the target host through browser?

I would also check the SSL config on the target (for example using this: https://www.ssllabs.com/ssltest/).

This might also be a cipher issue - maybe you need to enable another cipher suite on the AS.

Check SAP Note 2570499 - How to adjust the supported SSL cipher suites in AS ABAP


Thanks for the response

Yes I can connect to the target host via browser.

Could you explain what you mean by another cipher suite, and how can I know if I need another one? I'm not familiar with certificates, so I don't really get what you mean.

But if it has anything to do with following:

I can tell you that it is the same as another certificate which is working at the moment.

UPDATE:

Could it be that this is the problem? the other certificate that works at the moment has this enabled.

Kind regards

Sven

capture.png (17.9 kB)
capture.png (3.8 kB)
0

That was just a guess with the cipher suite, maybe not the best :)

One more question - did you import to STRUST the full certification path? I mean also the certificate of the CA that signed the certificate for the website.

0
Bartosz Jarkowski

I'm not familiar with certificates, so since I'm really stuck I'll let you know what I did. I need to get data from the following site: https://public.brussels-parking-guidance.com/Datex/Export?publication=dynamic . I downloaded the following certificates of the site (DST, X3 and the one of the site itself).

I imported all these certificates into STRUST in the anonymous and standard PSE. Afterwards I created a new HTTP connection to an external server in SM59 and filled in all the required fields: as host I put public.brussels-parking-guidance.com and as path prefix /Datex/Export?publication=dynamic. Under logon & security I activated SSL certificate and set it to anonymous (I also configured the proxy correctly). But for some reason it is not trusting the certificate.

Is this the correct way to do it?

EDIT: if you want, also check the above response, I added a level 2 ICM trace file there if it helps.

Kind regards

Sven Swennen

capture.png (5.7 kB)
0