cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

GB E-filling Error after HRSP to patch 94: *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {0010cd0c} [icxxconn_m

Go to solution
former_member265724
Explorer

on ‎01-14-2016 12:43 PM

0 Kudos

[Thr 11] Failed to verify peer certificate. Peer not trusted.

[Thr 11] 0xa0600203   SSL   ssl_verify_peer_certificates

[Thr 11] Peer not trusted

[Thr 11] 0xa0600297   SSL   ssl_cert_checker_verify_certificates

[Thr 11] peer certificate (chain) is not trusted

[Thr 11] PropertyBlock:

[Thr 11]   Status      :Not successful

[Thr 11]   Profile     :1.3.6.1.4.1.694.2.2.2.2

[Thr 11]   SignerStatus:Not successful

[Thr 11]   SignerVerificationResult:

[Thr 11]     element#no="1":

[Thr 11]       Status      :Not successful

[Thr 11]       Validity    :Successful

[Thr 11]       BasicConstraints:Successful

[Thr 11]       KeyUsage    :Successful

[Thr 11]       ObjectStatus:Not successful

[Thr 11]       SignerCert:

[Thr 11]         Certificate:

[Thr 11]             Subject     :CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)

[Thr 11]         Verification result:

[Thr 11]           Status      :Not successful

[Thr 11]           Profile     :1.3.6.1.4.1.694.2.2.2.2

[Thr 11]           SignerStatus:Not successful

[Thr 11]           BasicConstraintsPathLen:1

[Thr 11]           SignerVerificationResult: None

[Thr 11]

[Thr 11] <<            End of Secude-SSL Errorstack

[Thr 11]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 11]   SSL NI-sock: local=10.210.88.115:58105  peer=

[Thr 11] <<- ERROR: SapSSLSessionStart(sssl_hdl=108a87b10)==SSSLERR_PEER_CERT_UNTRUSTED

[Thr 11] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {0010cd0c} [icxxconn_m

[Thr 15] Wed Jan 13 16:11:48 2016

[Thr 15] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 15]    session uses PSE file "/usr/sap/XX/DVEBMGS02/sec/SAPSSLC.pse"

[Thr 15] SecudeSSL_SessionStart: SSL_connect() failed

[Thr 15]   secude_error 536872221 (0x2000051d) = "SSL API error"

[Thr 15] >>            Begin of Secude-SSL Errorstack            >>

[Thr 15] 0x2000051d   SAPCRYPTOLIB   SSL_connect

[Thr 15] SSL API error

[Thr 15] Failed to verify peer certificate. Peer not trusted.

[Thr 15] 0xa0600203   SSL   ssl_verify_peer_certificates

Show replies
Show replies
Answer
View Entire Topic
former_member265724
Explorer
‎01-15-2016 4:50 PM
0 Kudos

Hi Isaias,

Thanks for your reply.Do i need to apply the root certificate or the intermediate certificate.

CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at (This is an intermediate certificate)

CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

As per symantec  certificte

CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at (This is an intermediate certificate)

is not supporting SSL/TLS.

HMRC certificate has been migrated to TLS.

Pease let me know which are the certificate needs to be imported to fix the problem.

Root 2
VeriSign Class 3 Public Primary CA
Description: Effective December 1, 2015, Symantec discontinued the use of this root for issuance of public TLS/SSL certificates and Code Signing certificates. Browsers may remove TLS/SSL support for certificates issued from this root. Web site visitors using these browsers will receive error messages if a TLS/SSL certificate is used that chains to this root. For Code Signing, it is unclear when platforms will remove or untrust this root. Symantec will continue to offer CRL and OCSP responses for unexpired TLS/SSL certificates and Code Signing certificates chaining up to this root.

Country = US

Organization = VeriSign, Inc.

Organizational Unit = Class 3 Public Primary Certification Authority

Serial Number: 3c 91 31 cb 1f f6 d0 1b 0e 9a b8 d0 44 bf 12 be

Valid From: Sunday, January 28, 1996 4:00:00 PM

Valid to: Wednesday, August 02, 2028 3:59:59 PM

Certificate SHA1 Thumbprint: a1 db 63 93 91 6f 17 e4 18 55 09 40 04 15 c7 02 40 b0 ae 6b

Key Size: RSA(1024 Bits)

Signature Algorithm: sha1RSA

File name in Root package: Class 3 Public Primary Certification Authority

Show replies
Show replies
isaias_freitas
Advisor
Advisor
‎01-15-2016 7:29 PM
0 Kudos

Hello,

Actually, both.

You need to import the CA and all intermediate certificates (e.g., the complete "certification chain").

Regards,

Isaías

Ask a Question