Solved: SSL Handshake failure via ABAP Code / SM59

manishkhanna · ‎10-27-2018

Greetings

I am facing challenge in accessing a HTTPS URL https://iam.bluemix.net and am looking for some help.

Setup

- SAP Basis 740
- HTTPS Service setup

ssl/ciphersuites         135:PFS:HIGH::EC_P256:EC_HIGH 
ssl/client_ciphersuites  918:PFS:HIGH::EC_P256:EC_HIGH " Have tried with 150 as well

Certificate from TLD iam.bluemix.net has been imported in Base64-X509 format to ANONYM PSE

ABAP Code

I've tried sample code found on SCN/Google but it didn't work.

ICM Log

SM59

I tried to setup a G connection without SSL + No Auth + No Logon and got following error.

I've tried various combinations but they always land in the SSLV3 No certificate error (as in first screenshot). I've run out of ideas and in desperate need of some advice.

ABAP Code

REPORT .
DATA  html_control TYPE REF TO cl_gui_html_viewer.
DATA: l_empty_co    TYPE REF TO cl_gui_container.
DATA : gv_url TYPE string VALUE 'https://iam.bluemix.net'.
DATA : url_char TYPE C LENGTH 255.
DATA : http_client TYPE REF TO if_http_client.
DATA : post_data_string TYPE string.
DATA : data_length TYPE I.
DATA : lt_table TYPE TABLE OF char255 WITH HEADER LINE.
DATA : page_content TYPE xstring.
DATA : lt_ex_tab  LIKE  lxe_xtab OCCURS 1 WITH HEADER LINE.

CREATE OBJECT html_control
EXPORTING
  parent = l_empty_co.

CALL METHOD cl_http_client=>create_by_url
EXPORTING
  url    = gv_url
IMPORTING
  CLIENT = http_client
EXCEPTIONS
  OTHERS = 1.

CALL METHOD http_client->request->set_header_field
EXPORTING
  name  = '~request_method'
  VALUE = 'POST'.

CALL METHOD http_client->request->set_header_field
EXPORTING
  name  = 'Content-Type'
  VALUE = 'application/x-www-form-urlencoded'.

* post_data_string = 'lang=TR....'.

* data_length = STRLEN( post_data_string ).

* CALL METHOD http_client->request->set_cdata
* EXPORTING
*DATA   = post_data_string
*      offset = 0
*      length = data_length.


CALL METHOD http_client->send
EXCEPTIONS
  http_communication_failure = 1
  http_invalid_state         = 2.


IF sy-subrc <> 0.
MESSAGE ID sy-msgid TYPE 'I' NUMBER sy-msgno
WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4 DISPLAY LIKE sy-msgty.
EXIT.
ENDIF.


*   5 - Get the result back

************* FAILS AT THIS POINT ***************
CALL METHOD http_client->receive
EXCEPTIONS
  http_communication_failure = 1
  http_invalid_state         = 2
  http_processing_failed     = 3.


IF sy-subrc <> 0.
MESSAGE ID sy-msgid TYPE 'I' NUMBER sy-msgno
WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4 DISPLAY LIKE sy-msgty.
EXIT.
ENDIF.


*   6 - Get the content of the returned page
page_content = http_client->response->get_data( ).


CALL FUNCTION 'LXE_COMMON_XSTRING_TO_TABLE'
EXPORTING
  in_xstring = page_content
TABLES
  ex_string  = lt_ex_tab.


CLEAR lt_table[].
LOOP AT lt_ex_tab.
APPEND lt_ex_tab-TEXT TO lt_table.
ENDLOOP.


url_char = gv_url.


CALL METHOD html_control->load_data
EXPORTING
  url                  = url_char
IMPORTING
  assigned_url         = url_char
CHANGING
  data_table           = lt_table[]
EXCEPTIONS
  dp_invalid_parameter = 1
  dp_error_general     = 2
  cntl_error           = 3
  OTHERS               = 4.
IF sy-subrc <> 0.
MESSAGE ID sy-msgid TYPE 'I' NUMBER sy-msgno
WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4 DISPLAY LIKE sy-msgty.
EXIT.
ENDIF.


CALL METHOD html_control->('DETACH_URL_IN_BROWSER')
EXPORTING
  url = gv_url.
cl_gui_cfw=>flush( ).

Domi · ‎10-28-2018

Hi

You need to import all 3 certificates from the chain!

Also set ssl_id = 'ANONYM'

regards

Domi

Domi · ‎10-28-2018

Hi

You need to import all 3 certificates from the chain!

Also set ssl_id = 'ANONYM'

regards

Domi

manishkhanna · ‎10-30-2018

Thanks but did not work. I imported all 3 certificates in the chain to PSE. Then ran the code and tested SM59 connect. Same issue "No certificaste request ...."

SimoneMilesi · ‎10-31-2018

Did you restart the ICM after you imported the SSL certificates?
It's a little thing i discovered when i started to play with SSL: go to SMICM, choose menu Administration -> ICM ->Exit Hard ->Global

Once ICM restart, try again the connection in SM59

manishkhanna · ‎10-31-2018

Thanks

Yes. I do that every time I import the certificates. If it is not inconvenient, can I request you to try at your end. I just want to ensure if it's me or the site is not at all accessible via SAP.

Domi · ‎11-01-2018

Hi

Report works fine (with some release dependent adjustments)

Which version of SAPCRYPTOLIB is installed (Report SSF02)?

regards domi

manishkhanna · ‎11-02-2018

Aha. That's good news. If you are able to access web page that means there is an issue which can be fixed. Thank you for taking out time for the same

I'll check the cryptolib version and update here

Edit :

SSFLIB Version 1.840.40 ; CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.32

manishkhanna · ‎11-16-2018

Hi Domi

I have upgraded SAPCRYPTOLIB to 8.5.23. Still doesn't works. ( Have restarted server and ICM)

Further I've created a new PSE with only 4 certificates.

Chain of 3 certificates from iam.bluemix.net
github certificate as required

Below is a side-by-side comparison

github connects ok where bluemix gives same error. Could you share necessary info on your side that made the report work for you ? Thanks for your help.

manishkhanna · ‎11-21-2018

Thank you all for your inputs. The issue is finally resolved. It was a cipher suit issue. I forced TLS 1.2 and that worked. Appreciate your time and valueable inputs.

h_h_ak · ‎01-10-2019

Hello Manish,

how did you solved the problem. We are facing the same issue.

After an update to CommonCryptoLib Version : 8.5.23 ,Kernel Patch 614 with Kernel 749 and TLS 1.2.

We do not face this ssl handshake(-10) issue on our sandbox which is 8.5.21 , Kernel Patch 520 and Kernel 749. and TLS 1.0.

Do know the issue, what parameter did you set ?

Thanks & regards,

Hasan