
SSL handshake failure

Former Member
0 Kudos

Hi experts,

This message is a continuation of [5998967 |], where the problem is unfortunately still not resolved.

Let me first recap:

1. We establish an HTTPS connection from SAP WebAS to Apache (which acts as a reverse proxy).

2. SSL client certificate of class 3 (SAP-side) is signed by root certificate of own CA, and this own CA root certificate is available in SSL server side

3. SSL server certificate (Apache-side) is signed by TrustCenter and the TrustCenter root certificate is available in SSL Client (Standard) PSE.

4. The HTTPS connection works if the Apache authentication is switched to Basic Authentication.

5. If the Apache is configured to use client authentication, it doesn't work. In the Apache log we can see that at the stage of SSL handshake no client certificate is required and the HTTPS connection is established. The Apache asks for a client certificate (sends a re-negotiation request) at the next step, when the client tries to access some subfolders on the target server. It looks as if the SAP doesn't send the client certificate and the Apache closes the connection.

Can it really be the case that client certificate can only be sent at SSL handshake stage?

Do you have any other ideas what we can try?

Thanks in advance

Andrey

The search for OSS notes doesn't bring much.

System info:

SAPHTTP Unicode @(#) $Id: //bas/700_REL/src/krn/ftp/http.c#17 $

SAP_BASIS 700SP13

SAP-Kernel 700_REL Patch 128

5 REPLIES 5

Former Member
0 Kudos

Basically, this is what you need to do:

1. Enable SSL with Client Authentication on the Apache Server.

2. Enable the Apache SSL parameter "+SSLEnvVars" (or some such) so that Apache puts the client certificate in an environment variable.

3. Enable SAP to use the client certificate from the environment as the authentication method.

Former Member
0 Kudos

Hello,

the problem is solved. It was a mere Apache configuration error with the SSLCACertificateFile and SSLCACertificatePath parameters.

Best regards

Andrey

0 Kudos

Hello Andrey,

We have a similar problem. Could you send me or post the Apache configuration?

Best regards,

Nils Kloth

Former Member
0 Kudos

Hello Nils,

Our point was that we had many SSLCACertificateFile records, but it was not valid according to the Apache documentation. See the extract below:

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.

<our case: wrong configuration>

SSLCACertificateFile "C:/Programme/Apache Software Foundation/Apache2.2/conf/sap.crt"

SSLCACertificateFile "C:/Programme/Apache Software Foundation/Apache2.2/conf/je.crt"

SSLCACertificateFile "C:/Programme/Apache Software Foundation/Apache2.2/conf/sap_self.crt"

<our case: new valid configuration>

SSLCACertificateFile "C:/Programme/Apache Software Foundation/Apache2.2/conf/ca.pem"

<our case: possible alternative >

SSLCACertificatePath "C:/Programme/Apache Software Foundation/Apache2.2/conf/sap2.crt"

That was the only pitfall for us. The rest of the Apache config file is quite similar to the default.

Best regards

Andrey
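
Added example, not part of the original posts and not Apache or SAP code: a small Python check for the mistake described in the post above (several SSLCACertificateFile lines where one PEM bundle was needed), plus a helper that joins PEM certificates into a single bundle. The function names, the sample config, the conf/old.crt path and the placeholder certificate bodies are constructed for illustration.

```python
import re

# One PEM certificate block (BEGIN line, base64 body, END line).
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+[A-Za-z0-9+/=\s]+?-----END CERTIFICATE-----")
CA_FILE = re.compile(r'^\s*SSLCACertificateFile\s+"?([^"\n]+?)"?\s*$', re.I)
VHOST_OPEN = re.compile(r"^\s*<(VirtualHost\b[^>]*)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)

def repeated_ca_files(conf_text):
    """Map each scope to its SSLCACertificateFile paths when it has more than one."""
    scope, seen = "global", {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out directives do not count
        opened = VHOST_OPEN.match(line)
        found = CA_FILE.match(line)
        if opened:
            scope = opened.group(1)
        elif VHOST_CLOSE.match(line):
            scope = "global"
        elif found:
            seen.setdefault(scope, []).append(found.group(1))
    return {s: paths for s, paths in seen.items() if len(paths) > 1}

def build_bundle(pem_texts):
    """Join all PEM certificate blocks from the inputs into one bundle, without duplicates."""
    blocks = []
    for text in pem_texts:
        for block in PEM_CERT.findall(text):
            clean = "\n".join(p.strip() for p in block.splitlines() if p.strip())
            if clean not in blocks:
                blocks.append(clean)
    return "".join(b + "\n" for b in blocks)

def fake_pem(body):
    """Constructed placeholder with PEM framing; the body is not a real certificate."""
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample modelled on the "wrong configuration" in the post.
SAMPLE_CONF = '''SSLEngine on
# SSLCACertificateFile "conf/old.crt"
SSLCACertificateFile "conf/sap.crt"
SSLCACertificateFile "conf/je.crt"
SSLCACertificateFile "conf/sap_self.crt"
'''

if __name__ == "__main__":
    print(repeated_ca_files(SAMPLE_CONF))
    print(build_bundle([fake_pem("QUFB"), fake_pem("QkJC"), fake_pem("QUFB")]))
```

Input that carries no PEM block (for example a DER-encoded file read as text) contributes nothing to the bundle, which matches the "file must be PEM encoded" requirement in the extract.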

0 Kudos

Hello Andrey,

Could you post your Apache conf as an example (without hostnames and IPs)?

Thank you,

Nils