
iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake

wilbertkarremans
Participant

Hello all;

From SAP PI 7.30 we call a SOAP web service over HTTPS. This service was running for a long time. The provider of the web service upgraded their SSL certificates from the SHA-1 signing algorithm to the stronger and more robust SHA-256. After that, we get the following error: iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake. As said, just before the change the connection was working. I have added the required VeriSign CA root certificates to the Trusted CAs keystore within NWA (VeriSign Class 3 Secure Server CA - G4 and G5). Something must be wrong. When I look into SXMB_MONI, I see something for which I don't know if it is related: encryptionAlgorithmEncryptionEncriptionSignature value DES_EDE3_CBC. I am not an expert in this, but could it be possible that this should be AES256-CBC? How to change that?

Any help or suggestion is welcome. My next step will be to install XPI Inspector to figure out what is wrong.

Wilbert

wilbertkarremans
Participant
0 Kudos

Hi Pranav;

Yes, I found the solution for my problem, which was that the server I connect to requires TLSv1.2 and nothing else. If you have a similar case, you need to install 2 patches coming from SAP Security development. I logged an incident at SAP for this. SAP provided me a temporary fix.

Best regards;

Wilbert

Former Member
0 Kudos

Hi Wilbert,

Is there an official note where I can find the patches or a how-to?

Thanks

Sebastian

wilbertkarremans
Participant
0 Kudos

Hi Sebastian,

As far as I know, there is no official note. I have a call (incident) at SAP which is still open. Via that incident I received the (preliminary) patch. I have applied that patch in all our PI systems. You need such a patch if TLSv1.2 security is required.

Best regards;

Wilbert

former_member198633
Contributor
0 Kudos

Hi All,

Please keep an eye on this note:

2284059 - Update of SSL library within NW Java server

This is the resolution for this problem.

Best Regards,

Peter

0 Kudos

Hi Peter,

Does that mean, PI supports TLSv1.2 on FTP adapter as well?

Thank you!

Regards,

Simran

0 Kudos

Would it be possible for you to tell us what patches you had to apply? We are also having issues getting our interface between our PI 7.31 SP14 system and a Microsoft Azure system to work. We are getting a handshake error on TLS 1.2, but TLS 1.0 works with them. We do use the REST adapter. Any and all information you can provide would be most helpful.

wilbertkarremans
Participant
0 Kudos

Hi Marlene

Our system still runs on temporary patches.

SAP replied on my incident:

The correction is done in 7.30 starting with SP13 until now.

SAP note: 2284059 Update of SSL library within NW Java server

Hope this will help you.

Wilbert

former_member198633
Contributor
0 Kudos

Hello Wilbert,

The error message you posted above (iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake failure) is a typical symptom of the issue I mentioned in this thread: . We have to differentiate between server and client scenarios here. The notes you mentioned above (2110020 and 510007) refer to the ICM parameters and to the server scenario only. If the AS Java is the client, changing the ICM parameters makes no difference, because then the "SAP Java Cryptographic Toolkit" is used (not the SAP Cryptolib or the CommonCryptoLib), which only has TLS1.0 support now.

Best Regards,

Peter

wilbertkarremans
Participant
0 Kudos

Hi Peter,

Thank you for this valuable input. This clears up the question which was in my head, since SAP note 000510007 talks about setting up SSL on AS ABAP (and not on the Java side). However, it was SAP support (I have an open incident on this) who advised me to go through SAP note 2110020. Nevertheless, the statement within SAP note 2110020 that TLSv1.1 and TLSv1.2 are not enabled by default for outgoing connections (client side) confuses me, as you stated that the note refers to ICM parameters and to the server scenario only. Especially the words "server scenario" confuse me, since the note talks about the client side. Perhaps it is only for ABAP. So my focus is now on the Java Cryptographic Toolkit. I will update my incident to SAP with that specific information and ask SAP when TLSv1.2 becomes available in that toolkit. What I do not understand is the following. SAP PI/PO is SAP's middleware. The most recent implementation is Java only; that is the direction. How is it possible that in mid February 2016 TLSv1.2 is not yet supported, if I understand your feedback correctly? Our payment provider PayPal will switch to TLSv1.2 only on June 17, 2016. If this is not solved in time, our business processes will be in danger. Peter, do you know if a workaround is available via SAP Web Dispatcher as an intermediary server? Or do we have the same issue with SAP Web Dispatcher?

Regards;

Wilbert

former_member198633
Contributor
0 Kudos

Hello Wilbert,

The notes may not be that obvious and should be read carefully. The thing is, for outgoing SSL connections TLS1.2 is not yet supported. I cannot comment on the workarounds, but for sure the development is in progress and this issue will be addressed by SAP Development.

To have a better understanding please check out this picture:

The left side is for version 7.1 and above, the right side is for below 7.1.

The notes you mentioned all talk about the SAP Cryptolib or CommonCryptolib. But that does not play a part here as I mentioned earlier.

If you have already created an incident, you may have the answer already or it will be answered there.

(As soon as I have more info about the ETA, I will post it here.)

Best Regards,

Peter

wilbertkarremans
Participant
0 Kudos

Hi Peter;

Again thank you for your support, that is appreciated by me.

The notes I mentioned were suggested by the SAP person who was busy with my incident. Yesterday I asked to pass my incident to the SAP Development team. I just got the confirmation that they have done that. If I have any news, I will update it here.

Yesterday already I looked at the pictures you have included. That was very useful for me.

Regards;

Wilbert

0 Kudos

Hello Peter,

I am not sure if you have seen the thread http://scn.sap.com/thread/3870902.

I have FTPS->PI->NFS(File) scenario where FTPS client is switching their SHA-1 intermediate certificate to SHA-2.

We are getting a "connection refused by remote host" error. As per the xpi_inspector logs, the handshake is initiated, followed by the connection being closed by the remote host.

The FTP client has asked us, if we support TLS1.1 version? We have SAP PI 7.31 Java only system with SAPCRYPTO-Library 5.5.5pl38.

Does this library support TLS1.1 for FTPS connections on the sender side of PI?

Regards,

Simran