cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the se

Former Member

on ‎12-07-2009 8:42 AM

0 Kudos

Hello,

We are getting the following error in the dev_icm trace file:

=================================================================

[Thr 04] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn_mt. 1777]

[Thr 11] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt.c 2012]

[Thr 11] *** ERROR => IcmJ2EEScheduleFunc: Connection to medpoolP45.os.fth.sbs.de:8443 failed - please check host configuration

[Thr 05] Mon Dec 7 08:14:40 2009

[Thr 05] SSL_get_state() returned 0x00001180 "SSLv3 read client certificate A"

[Thr 08] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 05] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL

[Thr 08] SecudeSSL_SessionStart: SSL_connect() failed

secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

[Thr 05] SecudeSSL_SessionStart: SSL_accept() failed

secude_error 536875074 (0x20001042) = "received a fatal SSLv3 bad certificate alert message from the peer"

[Thr 08] >> Begin of Secude-SSL Errorstack >>

[Thr 05] >> Begin of Secude-SSL Errorstack >>

[Thr 08] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "OU=VeriSign Trust Network, OU="(c) 1998 Veri

ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete

[Thr 05] WARNING in ssl3_read_bytes: (536875074/0x20001042) received a fatal SSLv3 bad certificate alert message from the peer

[Thr 08] << End of Secude-SSL Errorstack

[Thr 05] << End of Secude-SSL Errorstack

[Thr 08] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 05] SSL NI-sock: unix domain socket="/tmp/.sapicm8443"

[Thr 08] SSL NI-sock: unix domain socket="/tmp/.sapicm8443"

[Thr 05] <<- ERROR: SapSSLSessionStart(sssl_hdl=60000000051ad9b0)==SSSLERR_SSL_ACCEPT

[Thr 08] <<- ERROR: SapSSLSessionStart(sssl_hdl=60000000052c0030)==SSSLERR_SSL_CONNECT

=================================================================

But in STRUST all the SSL server certificate and SSL client certificate are in green.

Kindly let us know how to solve this error.

Thanks,

Rajesh

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (3)

Answers (3)

jitendra_it
Active Contributor
‎05-19-2012 9:03 PM
0 Kudos

Hi Rajesh,

Have you got solution ??? Please share. I am also facing same issue.

Show replies
Show replies
Former Member
‎10-02-2012 9:52 AM
0 Kudos

Hi Jitendra,

We resolved the issues by referring to Note 1249794

  • Call transaction STRUST and double-click the entry "SSL server standard". Include the issuer of the certificate of "SSL server standard" in the certificate list of "SSL Client standard" or "SSL Client Anonymous" (for more information, see Notes 1094342 and 745103).

Hope this help

Daniel

Former Member
‎01-27-2010 12:28 PM
0 Kudos

Hi,

Did you manage the sub-CA certificate ? Verisign always use a Root CA certificate and a sub CA certificate.

This what is called 'the chain of certificates".

Regards,

Olivier

Show replies
Show replies
mvoros
Active Contributor
‎12-07-2009 12:28 PM
0 Kudos

Hi,

it looks like the problem is in certificate verification. Probably you need to import root certificate into SAP. have a look at note 1094342. It's well described there.

Cheers

Show replies
Show replies
Former Member
‎01-26-2010 4:52 PM
0 Kudos

Hello Rajesh,

Ensure that you have added the certificate for "VeriSign Trust Network". Remember that any changes to "STRUST" will require a restart of ICM to take effect. You should also take a look at OSS Note 1249794 as well as the one outlined by Martin.

Regards

Todd

Ask a Question