
SSL record with the wrong SSLPlaintext.version received

Former Member
0 Kudos

Hello guys,

I need help with a web service that needs to be interfaced with an HTTPS website.

We have successfully implemented the sapcryptolib and the HTTPS port is available in SMICM.

We imported the certificate on client 000 for SSL - PSE - WS. The certificate is in all the certificate list place.

We clearly restarted ICM at the end.

But when we try to connect to this website through SOAMANAGER we get this error (visible in the SMICM trace):

[Thr 1084774720] SecudeSSL_SessionStart: SSL_connect() failed

secude_error 536871970 (0x20000422) = "SSL record with the wrong SSLPlaintext.version received"

[Thr 1084774720] >> Begin of Secude-SSL Errorstack >>

[Thr 1084774720] ERROR in ssl3_get_record: (536871970/0x20000422) SSL record with the wrong SSLPlaintext.version received

[Thr 1084774720] << End of Secude-SSL Errorstack

[Thr 1084774720] SSL_get_state() returned 0x00002120 "SSLv3 read server hello A"

Does one of you have any advice to give?

Regards

Edited by: Kir Sam on Nov 10, 2011 2:25 PM
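
The trace above fails in `ssl3_get_record` while the client is in state "SSLv3 read server hello A", that is, on the record header of the first bytes the server sends back. As an added example (not part of the original post and not SAP or Secude code), this Python function classifies such first bytes to tell a plaintext HTTP answer, an unexpected record version and a TLS alert apart; the function name, the accepted version set and the sample bytes are assumptions constructed for illustration.

```python
import struct

# Record content types and record-layer versions (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}  # subset, for readable output


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a server returns after the client's ClientHello."""
    if data[:5] == b"HTTP/":
        return "plaintext HTTP: the port or a proxy is not speaking SSL/TLS"
    if len(data) < 5:
        return "truncated: fewer than 5 bytes, no complete record header"
    # SSLPlaintext header: type (1 byte), version major/minor (2 bytes), length (2 bytes)
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES:
        return f"not an SSL/TLS record: content type 0x{ctype:02x}"
    if (major, minor) not in VERSIONS:
        return f"wrong SSLPlaintext.version {major}.{minor}"
    if length > 2 ** 14:
        return f"record length {length} exceeds the 2^14 limit"
    name = VERSIONS[(major, minor)]
    if ctype == 21 and len(data) >= 7:
        # Alert body: level (1 = warning, 2 = fatal) followed by the description code
        level = "fatal" if data[5] == 2 else "warning"
        desc = ALERTS.get(data[6], f"alert {data[6]}")
        return f"{name} alert: {level} {desc}"
    return f"{name} {CONTENT_TYPES[ctype]} record, {length} bytes"


# Constructed sample inputs (not captured from the system in the thread)
SAMPLES = {
    "server_hello": bytes.fromhex("160301004a") + b"\x02" + b"\x00" * 73,
    "http_reply": b"HTTP/1.1 400 Bad Request\r\n\r\n",
    "sslv2_style": bytes.fromhex("1602000010"),
    "alert": bytes.fromhex("15030000020246"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:13} -> {classify_first_bytes(raw)}")
```
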

Accepted Solutions (0)

Answers (1)


JPReyes
Active Contributor
0 Kudos

This error message usually is linked to a couple of issues.

1. Your Certificate is not right

or

2. A problem with your SAP Cryptographic library.

I would suggest you update your SAP cryptolib and try again... also check with the vendor that the certificates are OK.

Regards

Juan

Former Member
0 Kudos

Hello Juan,

Thank you for the quick answer. The SAP crypto library is already updated to the latest version.

Can the problem be related to the certificate of the customer? He gave us a self-signed certificate with a .pfx extension.

We tried to import it with sapgenpse but have a problem with the chained certificate named "root agency".

Do you have any suggestion?

Regards

Former Member
0 Kudos

Hi Kir,

You mean the root certificate is missing from the self-signed certificate? If yes, you should have the root certificate as well to make SSL work properly.

Thanks,

Siva Kumar

Former Member
0 Kudos

Hello,

How do we extract or take the root certificate even if the supplier does not have it?

Do you have any suggestion?

Former Member
0 Kudos

Hi,

Please cross-check with your customer about the root certificate.

Thanks,

Siva Kumar

Former Member
0 Kudos

Hello, we have made these attempts:

The .PFX certificate is a SELF-SIGNED one made in a .NET environment without a password,

likely by the "MakeCert.exe" program, which is provided by the .NET Framework SDK.

By default, the Certificate Creation Tool (MakeCert.exe) creates certificates whose root authority is called "Root Agency." Because the "Root Agency" is not in the Trusted Root Certification Authorities store

The big problem:

The certificate is working on several clients, so we can't ask to change the certificate because this would mean changing the infrastructure of our partner.

Note 662340 - SSF Encryption Using the SAPCryptolib - was implemented.

Below are the tests, without success:

1)

We tried to convert the certificate to .PEM format with the "OpenSSL" tool.

This is the result:

*************************************************************************

Bag Attributes

localKeyID: 01 00 00 00

Microsoft CSP Name: Microsoft Strong Cryptographic Provider

friendlyName: PvkTmp:8184c3e4-....-4a6d-a6e5-............

Key Attributes

X509v3 Key Usage: 10

-----BEGIN PRIVATE KEY-----

MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMfNZ+aRxCUwY/Fk

y2k4SokEr60rLQQhVZHpT0MXFxwS/pYw+bfB37Y8YT8/R1FBaWGKqVUaoosVSQJZ

....

ZPEz42NnWPe10Bw=

-----END PRIVATE KEY-----

Bag Attributes

localKeyID: 01 00 00 00

subject=/CN=x00Gx00Ux00Nx00_x0...

issuer=/CN=Root Agency

-----BEGIN CERTIFICATE-----

MIIBxjCCAXCgAwIBAgIQpK83Lv0cGqtBuXPxfAWS3zANBgkqhkiG9w0BAQQFADAW

MRQwEgYDVQQDEwtSb290IEFnZW5jeTAeFw0wODEyMzEyMjAwMDBaFw00MDEyMzAy

...

-----END CERTIFICATE-----

*************************************************************************

2)

We tried to remove the PRIVATE KEY section and to import the new certificate in STRUST.

3)

We tried to import the certificate with the "MMC console" into the "Trusted Root Certification Authorities" store and then to download it with all elements, running a new conversion to .PEM format.

This is the result:

*************************************************************************

Bag Attributes

Microsoft Local Key set: <No Values>

localKeyID: 01 00 00 00

friendlyName: {2F0D28D5-A25F-....-816D-............}

Microsoft CSP Name: Microsoft Strong Cryptographic Provider

Key Attributes

X509v3 Key Usage: 10

-----BEGIN PRIVATE KEY-----

MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMfNZ+aRxCUwY/Fk

y2k4SokEr60rLQQhVZHpT0MXFxwS/pYw+bfB37Y8YT8/R1FBaWGKqVUaoosVSQJZ

...

-----END PRIVATE KEY-----

Bag Attributes

localKeyID: 01 00 00 00

subject=/CN=x00Gx00Ux00Nx00_x0...

issuer=/CN=Root Agency

-----BEGIN CERTIFICATE-----

MIIBxjCCAXCgAwIBAgIQpK83Lv0cGqtBuXPxfAWS3zANBgkqhkiG9w0BAQQFADAW

MRQwEgYDVQQDEwtSb290IEFnZW5jeTAeFw0wODEyMzEyMjAwMDBaFw00MDEyMzAy

...

-----END CERTIFICATE-----

Bag Attributes: <Empty Attributes>

subject=/CN=Root Agency

issuer=/CN=Root Agency

-----BEGIN CERTIFICATE-----

MIIByjCCAXSgAwIBAgIQBjdsAKoAZIoRz7jUqlw19DANBgkqhkiG9w0BAQQFADAW

MRQwEgYDVQQDEwtSb290IEFnZW5jeTAeFw05NjA1MjgyMjAyNTlaFw0zOTEyMzEy

...

-----END CERTIFICATE-----

*************************************************************************

4)

We tried to follow blogs "Note" -> ERROR: Incomplete certification path -- NEED certificate of of "Root-CA"!

With SAPGENPSE we tried to generate a new certificate, adding Root Agency downloaded with IE.

Command line:

sapgenpse import_p12 -v -r "C:RootAgency.cer" -p "C:CERT.pse" "C:CERT.pfx"

We have a new error:

******************************************************************************

C:CAR tintel>sapgenpse import_p12 -v -r "C:RootAgency.cer" -p "C:CERT.pse" "C:CERT.pfx"

got absolute PSE path "C:CERT.pse".

pkcs12_decode("C:CERT.pfx") ... OK

P12 file version 3

MAC was verified successfully!

MAC algorithm: SHA-1

internal encryption algorithm: pbeWithSHA1........2-CBC

external key shrouding algorithm: pbeWithSHA1And3-........-CBC

minimal iteration count: 2000

SafeBag 1 (int_encryption FALSE):

+ FriendlyName: PvkTmp:8184c3e4-70c0-.....-a6e5-..........

+ LocalKeyID: OctetString (4 octets): 0 01000000 |.... |

(1) Private Key (Info version 0)

AlgId: Algorithm RSA (OID 1.2.840.//////.1.1.1), NULL

SafeBag 2 (int_encryption TRUE):

+ FriendlyName: -

+ LocalKeyID: OctetString (4 octets): 0 01000000 |.... |

(1) X.509 certificate

-


Subject : CN=CERT

Issuer : CN=Root Agency

Serialno: A4:AF:37:2E:FD:1C:1A://://://://:F1:7C:05:92:DF

KeyInfo : RSA, 1024-bit

Validity - NotBefore: Wed Dec 31 23:00:00 2008 (081231220000Z)

NotAfter: Sun Dec 30 23:00:00 2040 (401230220000Z)

-


P12 file contains 2 SafeBags (1 key, 1 cert, 1 keypair, 0 other)

-


PKCS#12/PFX file contains 1 keypair:

1. FriendlyName = "PvkTmp:8184c3e4-70c0-....-a6e5-..........."

X.509v3 (type=Both) RSA-1024 (signed with md5WithRsaEncryption)

Subject="CN=CERT"

Issuer ="CN=Root Agency"

Reading additional certificates from supplied files

Found binary ASN.1 Certificate

-


Subject : CN=Root Agency

Issuer : CN=Root Agency

Serialno: 06:37:6C:00:AA:00:64://://://://:D4:AA:5C:35:F4

KeyInfo : RSA, 512-bit

Validity - NotBefore: Wed May 29 00:02:59 1996 (960528220259Z)

NotAfter: Sun Jan 1 00:59:59 2040 (391231235959Z)

-


Found 1 additional cert in supplied extra files

ERROR in import_p12: (9/0x0009) af_verify_Certificates failed

ERROR in af_verify_Certificates: (12851/0x3233) Verification of one certificate of path failed because there are no basic constraints

ERROR in check_basicConstraints: (12851/0x3233) Verification of one certificate of path failed because there are no basic constraints

***********************************************************************************

5)

We try to consume the web services with SoapUI 4.0 and have the same problem:

<s:Fault>

<faultcode xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</faultcode>

<faultstring xml:lang="en-US">An error occurred when verifying security for the message.</faultstring>

</s:Fault>