Skip to Content

SAP SSL handshake failed

I'm trying to retrieve data from an open data api. I have downloaded the certificate from the site and imported it into STRUST (SSL Client Anonymous). Then I created a HTTP connection to external server in SM59. In the beginning it worked fine, until last week when the api changed its URL and so its DNS. Ofcourse it could no longer be reached by the current host. So I did above steps again for the new URL (changed everything accordingly like hostname etc. in SM59), but this time I receive following error: SSL handshake with 'hostname:port' failed: SSSLERR_CONN_CLOSED (-10)#Remote Peer has closed the network connection##SapSSLSessionStartNB()==SSSLERR_CONN_C LOSED##

Anyone has an idea on how to solve this?

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

3 Answers

  • Best Answer
    Apr 12 at 08:51 PM

    Hi Sven,

    Interesting question :) had me googling and I have got it to bypass the error SSSLERR_CONN_C LOSED message.

    By setting the parameter mentioned in this note to true on my NPL demo system 751

    2124480 - ICM / Web Dispatcher: TLS Extension Server Name Indication (SNI) as client

    "To enabled SNI seticm/HTTPS/client_sni_enabled to "true". This parameter is dynamic."

    If your interested :) my googling was a result of trying and failing with openssl client connections ( to see another non browser connection.)

    The errors in this connection led me to these links which mentioned Server Name Indication (SNI) as a way of using more certificates on one IP address. Which must be the case for "public.brussels-parking-guidance.om" and the SAP parameter is required.

    Hope it helps :)

    Cheers

    Robert

    Add comment
    10|10000 characters needed characters exceeded

  • Apr 06 at 10:40 PM

    Hello Sven,

    Have you imported the new SSL server certificate to the anonymous PSE (STRUST)?

    And is the SM59 still configured to use the anonymous PSE too (under the "technical settings" tab)?

    Did anything else change at the remote website? Like, now the website requires authentication using a client certificate?

    Simulating the issue with the ICM running on trace level 2 and providing the trace might help us to identify other possibilities.

    Regards,

    Isaías

    Add comment
    10|10000 characters needed characters exceeded

  • Apr 11 at 08:59 AM

    Can you connect to the target host through browser?

    I would also check the SSL config on the target (for example using it: https://www.ssllabs.com/ssltest/).

    This might also be a cipher issue - maybe you need to enable other cipher suite on AS.

    Check SAP Note 2570499 - How to adjust the supported SSL cipher suites in AS ABAP

    Add comment
    10|10000 characters needed characters exceeded

    • Sven Swennen Bartosz Jarkowski

      I'm not familiar with certificates so since I'm really stuck I'll let you know what I did. I need to get data of following site: https://public.brussels-parking-guidance.com/Datex/Export?publication=dynamic . I downloaded following certificates of the site (DST, X3 and the one of the site itself).

      I imported all these certificates into STRUST in the anonymous and standard PSE. Afterwards I created a new HTTP connection to external server in SM59 and filled in all the required fields as host I put public.brussels-parking-guidance.com and path prefix /Datex/Export?publication=dynamic. By logon & security I activated SSL certificate and put it on anonymous (I also configured the proxy correct). But for some reason it is not trusting the certificate.

      Is this the correct way to do it?

      EDIT: if you want also check above response, I added a level 2ICM trace file there if it helps.

      Kind reagerds

      Sven Swennen

      capture.png (5.7 kB)