
G Type RFC with Client Certificate - TLS handshake Error

tamil_arasan
Active Contributor

Hi Experts,

I have a requirement to connect a third-party portal with a 'G' type RFC and authenticate using a client certificate. I have added the client authentication certificate to SAPSSLC (SSL client certificate standard) in STRUST. When I try to test the connection, the connection is established, but during authentication it gets an SSL handshake error. I have enabled level 3 trace in ICM and analyzed it, but no explicit reason was found why the client certificate is being rejected on the third-party portal side.

I am aware that the third-party provider has to add the ABAP system as trusted, but I have yet to get confirmation from the third-party vendor whether they have done this already. It seems like SAP is not sending the correct client certificate from SAPSSLC.PSE to the 3rd party? Can anyone advise on this please?

I got the following error in the ICM level 3 trace:

[Thr 42792] CCL[SSL]: Cli-000018D4: Server requested client authentication [ssl3_decode_certificate_request]
[Thr 42792] CCL[SSL]: Cli-000018D4: Server supports 3 client certificate type(s) [ssl3_decode_certificate_request]
[Thr 42792] CCL[SSL]: Cli-000018D4: certificate type<0>: rsa_sign (1) [ssl3_log_certificate_type]
[Thr 42792] CCL[SSL]: Cli-000018D4: certificate type<1>: dss_sign (2) [ssl3_log_certificate_type]
[Thr 42792] CCL[SSL]: Cli-000018D4: certificate type<2>: ecdsa_sign (64) [ssl3_log_certificate_type]
[Thr 42792] CCL[SSL]: Cli-000018D4: Server sent 0 trusted CA name(s) for client authentication [ssl3_decode_certificate_request]
[Thr 42792] SSL:SSL_read(netin= 35) handshake, processed= 35
[Thr 42792] SSL:SiRecv(sock=27340)== 0 (SI_OK) (in=1, max=16)
[Thr 42792] CCL[SSL]: Cli-000018D4: Assembling Certificate message: Server submitted no CA names. [ssl3_check_for_ca]
[Thr 42792] CCL[SSL]: Cli-000018D4: Sending own certificate [ssl3_output_cert_chain]
[Thr 42792] CCL[SSL]: Cli-000018D4: Own TLS certificate:
[Thr 42792] Subject: CN=<SAP SSL Certificate>, O=<Org Name>, ST="Vendersgade 28, 1. tv.", L=city,
[Thr 42792] Issuer: CN=GlobalSign Extended Validation CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
[Thr 42792] Serial Number: 28:A2:D9:0A:4D:A2:31:19:57::E6
[Thr 42792] [ssl3_output_cert_chain]
[Thr 42792] CCL[SSL]: Cli-000018D4: CA certificate:
[Thr 42792] Subject: CN=GlobalSign Extended Validation CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
[Thr 42792] Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
[Thr 42792] Serial Number: 48:A4:02:DD:27:92:0D:A2:08:D1:99:7B
[Thr 42792] [ssl3_output_cert_chain]
[Thr 42792] SSL:SSL_read(netin= 9) handshake, processed= 9
[Thr 42792] SSL:SiSend(sock=27340)== 0 (SI_OK) (out=3378 of 3378)
[Thr 42792] SSL:SiRecv(sock=27340)==13 (SI_ETIMEOUT) (in=0, max=16)
[Thr 42792]> SSL:SiSelect(sock=27340, evt=R, timeout=79502 ms)
[Thr 42792] Thu May 16 09:33:29:738 2019
[Thr 42792] < SSL:SiSelect(sock=27340, evt=R, slept = 249 ms) Ready
[Thr 42792] SSL:SiRecv(sock=27340)== 0 (SI_OK) (in=7, max=16)
[Thr 42792] CCL[SSL]: Cli-000018D4: Error 0xA0600266(received a fatal TLS handshake failure alert message from the peer): received a
[Thr 42792] CCL[SSL]: Cli-000018D4: Error 0xA0600266:
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] SSL3 client handshake failed
[Thr 42792]
[Thr 42792] SSL:SSL_read(netin= 7) handshake, processed= 7
[Thr 42792] SSL_get_state()==0x21d0 "TLS read finished A"
[Thr 42792] *** ERROR during secussl_read() from SSL_read()==SSL_ERROR_SSL
[Thr 42792] cli SSL session PSE "S:\usr\sap\<SID>\DVEBMGS00\sec\SAPSSLC.pse"
[Thr 42792] session ciphersuites=214:PFS:HIGH:MEDIUM::EC_P256:EC_HIGH
[Thr 42792] Client SSL_CTX 0000014B8720D960 pvflags=960 (TLSv1.2,TLSv1.1,TLSv1.0,SSLv3)
[Thr 42792] secussl_read: SSL_read() failed (536875072/0x20001040)
[Thr 42792] => "received a fatal TLS handshake failure alert message from the peer"
[Thr 42792] >> Begin of Secu-SSL Errorstack ---------- >>
[Thr 42792] 0x20001040 SAPCRYPTOLIB SSL_read
[Thr 42792] SSL API error
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] 0xa0600266 SSL ssl3_read_bytes
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] 0xa0600266 SSL ssl3_connect
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] 0xa0600266 SSL ssl3_read_bytes
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] << End of Secu-SSL Errorstack ----------
[Thr 42792] Server's List of trusted CAs (from initial CertRequest message):
[Thr 42792] #1 "CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3"
[Thr 42792] #2 "CN=WARNING-Fake List-Invalid CertificateRequest received"
[Thr 42792] Target Hostname="<third party portal URL>"
[Thr 42792] SSL NI-hdl 122: local=<SAPIP>:61772 peer=<3rd party portal IP>:443
[Thr 42792] <<- ERROR: SapSSLSessionStartNB(sssl_hdl=14b886f9eb0)==SSSLERR_SSL_READ
[Thr 42792] ->> SapSSLSessionLastError(sssl_hdl=14b886f9eb0, &rc=47edb9ecec, &rc_name=47edb9ed00, &rc_desc=47edb9ecf8, &rc_detail=47
[Thr 42792] DpSesGetWorkerType: return workerType DIA for T20_U945
[Thr 42792] RqQQueueGetNumberOfRequests: Queue <T20_U945_M0> in slot 120 contains 0 requests of type DIA
[Thr 42792] DpSesGetTasks: found 1 open tasks for T20_U945_M0
[Thr 42792] DpSesGetWorkerType: return workerType DIA for T20_U945
[Thr 42792] RqQQueueGetNumberOfRequests: Queue <T20_U945_M1> in slot 67 contains 0 requests of type DIA
[Thr 42792] DpSesGetTasks: found 0 open tasks for T20_U945_M1
[Thr 42792] *** ERROR => SSL handshake with <third party portal URL>:443 failed: SSSLERR_SSL_READ (-58)
[Thr 42792] SAPCRYPTO:SSL_read() failed
[Thr 42792]
[Thr 42792] SapSSLSessionStartNB()==SSSLERR_SSL_READ
[Thr 42792] SSL:SSL_read() failed (536875072/0x20001040)
[Thr 42792] => "received a fatal TLS handshake failure alert message from the peer"
[Thr 42792] SSL:SSL_get_state()==0x21d0 "TLS read finished A"
[Thr 42792] SSL NI-hdl 122: local=<SAPIP>:61772 peer=<3rd party portal IP>:443
[Thr 42792] cli SSL session PSE "S:\usr\sap\<SID>\DVEBMGS00\sec\SAPSSLC.pse"
[Thr 42792] session ciphersuites=214:PFS:HIGH:MEDIUM::EC_P256:EC_HIGH
[Thr 42792] Client SSL_CTX 0000014B8720D960 pvflags=960 (TLSv1.2,TLSv1.1,TLSv1.0,SSLv3)
[Thr 42792] Target Hostname="<third party portal URL>"
[Thr 42792] >> SecuSSL ErrStack: ----
[Thr 42792] 0x20001040 SAPCRYPTOLIB SSL_read
[Thr 42792] SSL API error
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] 0xa0600266 SSL ssl3_read_bytes
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] 0xa0600266 SSL ssl3_connect
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] 0xa0600266 SSL ssl3_read_bytes
[Thr 42792] received a fatal TLS handshake failure alert message from the peer
[Thr 42792] <<
[Thr 42792]
[Thr 42792] {001b6ef3} {root-id=000D3A3DE7111EE99DF7B0F0DFE5894F} [icxxconn.c 2419]
[Thr 42792] GUI T20_U945_M0, 001, <User ID>, COMPUTER12, time=09:33:28, W6, program=RSHTTPPIN, high priority, memory=0, task
[Thr 42792] role: Client, protocol: HTTPS, local: <SAPIP>:61772, peer: <3rd party portal IP>:443
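The trace above shows the client decoding the server's CertificateRequest ("Server supports 3 client certificate type(s)", "Server sent 0 trusted CA name(s)") and then sending the SAPSSLC certificate because no CA names were given to match against. As an added example (not from the original post), this Python decodes that message per RFC 5246 and applies the same selection rule; the byte strings and DN values are constructed stand-ins, not real DER.

```python
# TLS 1.2 CertificateRequest (RFC 5246, 7.4.4): the message the client decodes right before
# the trace lines "Server supports N client certificate type(s)" / "Server sent N trusted CA name(s)".
from dataclasses import dataclass

HANDSHAKE_CERTIFICATE_REQUEST = 13  # HandshakeType certificate_request

@dataclass
class CertificateRequest:
    certificate_types: list      # ClientCertificateType values, e.g. 1=rsa_sign, 64=ecdsa_sign
    signature_algorithms: list   # (hash, signature) byte pairs
    ca_names: list               # DistinguishedName blobs (DER-encoded in a real handshake)

def parse_certificate_request(msg: bytes) -> CertificateRequest:
    """Decode one CertificateRequest handshake message, rejecting inconsistent lengths."""
    if len(msg) < 4 or msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest handshake message")
    declared = int.from_bytes(msg[1:4], "big"); body = msg[4:4 + declared]
    if len(body) != declared or not body:
        raise ValueError("truncated or empty handshake body")
    pos = 1 + body[0]                               # certificate_types<1..2^8-1>
    types = list(body[1:pos])
    sa_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    sig_algs = [(body[i], body[i + 1]) for i in range(pos, pos + sa_len, 2)]; pos += sa_len
    ca_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    if pos + ca_len != len(body):
        raise ValueError("certificate_authorities length does not match body")
    ca_names = []
    while pos < len(body):                          # one DistinguishedName<1..2^16-1> each
        dn_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        ca_names.append(bytes(body[pos:pos + dn_len])); pos += dn_len
    if pos != len(body):
        raise ValueError("DistinguishedName vector overran the message")
    return CertificateRequest(types, sig_algs, ca_names)

def choose_client_certificate(req: CertificateRequest, own_type: int, own_issuer: bytes) -> str:
    """Client-side rule behind the trace: with an acceptable type and an EMPTY CA list the
    client sends its only configured certificate, and the server alone decides whether to accept it."""
    if own_type not in req.certificate_types:
        return "no acceptable certificate type"
    if not req.ca_names:
        return "send own certificate: server submitted no CA names"
    if own_issuer in req.ca_names:
        return "send own certificate: issuer is on the server's CA list"
    return "no certificate matches the server's CA list"

def build_certificate_request(types, sig_algs, ca_names) -> bytes:
    # Encoder used only to construct sample input for the parser above.
    sa = b"".join(bytes(p) for p in sig_algs)
    cas = b"".join(len(dn).to_bytes(2, "big") + dn for dn in ca_names)
    body = bytes([len(types)]) + bytes(types) + len(sa).to_bytes(2, "big") + sa
    body += len(cas).to_bytes(2, "big") + cas
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body
```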

MichaelTe
Contributor

Hello,

I don't know if it's of concern, but your ciphersuite parameter looks different from the one proposed in note 2384290:

https://launchpad.support.sap.com/#/notes/2384290

Regards, Michael

tamil_arasan
Active Contributor

Hi Michael,

I set the same as 2384290 (parameters in the default profile, but not set in the ENV of the sidadm/SAPServiceSID users) and it still failed. The log I posted has cipher suites that support SSLv3 to TLS 1.2 (for testing purposes I enabled all, but reverted to as per note 2384290).

Could there be any other reason for the issue?

Thanks,

Pradeep

MichaelTe
Contributor

Hello Pradeep,

According to note 510007 your settings mean:

"Only as desperate last resort, you should consider re-enabling the old SSLv3 protocol for interop with very very old communication peers, with these parameter values:
ssl/ciphersuites = 199:PFS:HIGH:MEDIUM::EC_P256:EC_HIGH
ssl/client_ciphersuites = 214:PFS:HIGH:MEDIUM::EC_P256:EC_HIGH"

But beyond that I have no other idea. Sorry.

Regards, Michael

tamil_arasan
Active Contributor

Hi Michael,

Yes, that is correct; I set it to enable SSLv3 but reverted it back. Anyway, thanks 🙂

isaias.freitas, can you please help here 🙂 Many thanks

Thanks,

Pradeep

tamil_arasan
Active Contributor

Hi isaias.freitas and ger.munsters,

First of all, thank you very much for your valuable inputs and endless help. I was unable to resolve the issue and then confirmed that the third-party site is configured in such a way that it will accept a .pfx certificate only (both private and public keys). So I had to create a new client identity in the STRUST transaction by navigating to Environment --> SSL client identities. I created a new entry there, and it automatically created a new folder on the left-hand side of the STRUST transaction. I created a .PSE file from the .PFX using the sapgenpse command line tool and loaded the .PSE file into the newly created folder.

When calling the site, the ABAP team coded it to load the certificate from the new SSL client identity folder. The call is successful.

Thank you so much for your help 🙂

Thanks,

Pradeep

isaias_freitas
Advisor

You're welcome!

I'm glad that it was fixed :-), and thank you for sharing the solution with the community 🐵