SSSLERR_PEER_CERT_UNTRUSTED

robert_warde4
Active Participant
0 Kudos

Hi,

We recently upgraded the kernel and SAP Cryptolib on one of our PI systems (7.11 SP6 Dual Stack, CommonCryptoLib 8 Version 8.4.34).

We have three vendors, all with untrusted certificates, who we cannot communicate with any more. When we test the RFC connection we receive the following error.

[Thr 3085] SSL API error

[Thr 3085] Failed to verify peer certificate. Peer not trusted.

[Thr 3085] 0xa0600203   SSL   ssl_verify_peer_certificates

[Thr 3085] Peer not trusted

[Thr 3085] 0xa0600297   SSL   ssl_cert_checker_verify_certificates

[Thr 3085] peer certificate (chain) is not trusted

[Thr 3085] <<- ERROR: SapSSLSessionStart(sssl_hdl=1184803f0)==SSSLERR_PEER_CERT_UNTRUSTED

[Thr 3085] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {0002e2b6} [icxxconn_mt.

The connections were working prior to the upgrade. The vendors' certificates are stored in the NWA certificate store (we don't use STRUST) and have not changed.

There is nothing wrong with the certificate OR the RFC destination. I have searched SCN without a relevant hit. Can anyone help?
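As an added example (not code from the thread, from SAP, or from any poster), the following Python script parses ICM trace lines of the kind quoted above, groups them by thread, extracts the SSL hex codes, the SSSLERR_* name and the numeric return code, and maps the result onto the remediation this thread arrives at (anchoring the peer's chain in the client PSE rather than disabling verification). The sample trace is constructed from the lines in the question plus one unrelated filler line; the diagnosis text is this example's own wording, not an SAP message.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the trace excerpt quoted in the question, plus one
# filler line on a different thread to show that unrelated threads are ignored.
SAMPLE_TRACE = """\
[Thr 3085] SSL API error
[Thr 3085] Failed to verify peer certificate. Peer not trusted.
[Thr 3085] 0xa0600203   SSL   ssl_verify_peer_certificates
[Thr 3085] Peer not trusted
[Thr 3085] 0xa0600297   SSL   ssl_cert_checker_verify_certificates
[Thr 3085] peer certificate (chain) is not trusted
[Thr 3085] <<- ERROR: SapSSLSessionStart(sssl_hdl=1184803f0)==SSSLERR_PEER_CERT_UNTRUSTED
[Thr 3085] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {0002e2b6} [icxxconn_mt.
[Thr 4100] constructed filler line: unrelated traffic on another thread
"""

THREAD_RE = re.compile(r"^\[Thr (?P<thr>\d+)\]\s*(?P<msg>.*)$")
CODE_RE = re.compile(r"^(?P<code>0x[0-9a-fA-F]{8})\s+SSL\s+(?P<func>\w+)")
SSSLERR_RE = re.compile(r"(?P<err>SSSLERR_[A-Z0-9_]+)")
RC_RE = re.compile(r"failed \((?P<rc>-?\d+)\)")


@dataclass
class SslFailure:
    thread: str
    error: str = ""                    # SSSLERR_* name, e.g. SSSLERR_PEER_CERT_UNTRUSTED
    return_code: Optional[int] = None  # numeric rc from "SapSSLSessionStart failed (-102)"
    codes: List[Tuple[str, str]] = field(default_factory=list)  # (hex code, SSL function)
    messages: List[str] = field(default_factory=list)           # free-text lines kept for context


def parse_trace(text: str) -> Dict[str, SslFailure]:
    """Group trace lines by ICM thread and pull out the SSL verification details."""
    by_thread: Dict[str, SslFailure] = {}
    for raw in text.splitlines():
        m = THREAD_RE.match(raw.strip())
        if not m:
            continue
        thr, msg = m.group("thr"), m.group("msg")
        rec = by_thread.setdefault(thr, SslFailure(thread=thr))
        code = CODE_RE.match(msg)
        if code:
            # "0xa0600203   SSL   ssl_verify_peer_certificates" style lines
            rec.codes.append((code.group("code"), code.group("func")))
            continue
        err = SSSLERR_RE.search(msg)
        if err:
            rec.error = err.group("err")
        rc = RC_RE.search(msg)
        if rc:
            rec.return_code = int(rc.group("rc"))
        rec.messages.append(msg)
    return by_thread


def ssl_failures(text: str) -> List[SslFailure]:
    """Only the threads that actually ended in an SSSLERR_* result."""
    return [r for r in parse_trace(text).values() if r.error]


def diagnose(rec: SslFailure) -> str:
    """Map the failure onto the defender-side fix discussed in the thread (wording is this example's own)."""
    if rec.error == "SSSLERR_PEER_CERT_UNTRUSTED":
        if any("chain" in m for m in rec.messages):
            return ("peer chain not anchored in the client PSE: import the issuing CA certificate "
                    "(or, for a self-signed server certificate, that certificate itself) into the "
                    "trusted certificates of the client PSE")
        return "peer certificate rejected: compare the peer certificate against the client PSE trust list"
    return f"unclassified SSL error {rec.error}: raise the ICM trace level and inspect the full handshake"


if __name__ == "__main__":
    for failure in ssl_failures(SAMPLE_TRACE):
        print(f"thread {failure.thread}: {failure.error} rc={failure.return_code}")
        for hex_code, func in failure.codes:
            print(f"  {hex_code} in {func}")
        print("  ->", diagnose(failure))
```

Run it against a full dev_icm or SMICM trace file instead of the embedded sample to see which threads and which SSL functions rejected the peer; the two hex codes and the `chain` message together are what distinguish a missing trust anchor from other handshake failures.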

Accepted Solutions (0)

Answers (2)

robert_warde4
Active Participant
0 Kudos

Hi, the kernel is up to date. As I mentioned before, we recently upgraded the kernel and SAP Cryptolib on one of our PI systems (7.11 SP6 Dual Stack, CommonCryptoLib 8 Version 8.4.34). This interface was working before and now we get an untrusted error.

The particular vendor does not have a trust chain on his server certificate. Therefore, I do not have any other certificates to install.

As this was working before the SAP Cryptolib library upgrade, I assume that this new version does not allow untrusted certificates OR there is a parameter that needs to be set to allow untrusted certificates.

Regards

former_member185954
Active Contributor
0 Kudos

Hello Robert,

Assuming that nothing changed on your vendor side, maybe the vendor uses an older encryption algorithm which was supported by SAP Cryptolib and is by default not supported anymore.

Check the SAP Note

510007 - Setting up SSL on Application Server ABAP


Section 6 especially speaks about the following:


Outgoing SSL connection (SSL client) will all offer the cipher suites configured by (ssl/client_ciphersuites).  Netweaver Kernels predating the Kernel patch from SAP Note 1433874 use the "ssl/ciphersuites" setting also for outgoing SSL connections.  For backwards compatibility, Kernel patch 1433874 does not have a built-in default setting for "ssl/client_ciphersuites", and will use the "ssl/ciphersuites" setting as fallback unless a custom setting is configured.

Incoming SSL connections (SSL server/services) can optionally be configured to use service-specific cipher suite settings in the SSL configuration part icm/ssl_config_<xx> for an ICM server port definition icm/server_port_<xx> via the string parameter CIPHERS:

icm/server_port_<xx>=..., SSLCONFIG=ssl_config_<yy>
icm/ssl_config_<yy>=..., CIPHERS=...

It might be the case that if you don't set these parameters, the system runs with some assumptions.

Regards,

Siddhesh

robert_warde4
Active Participant
0 Kudos

Hi,

No nothing has changed and this is the only vendor we are having a problem with since we upgraded. We see the following error in our logs. For outbound connections we are still using the same ciphers.

[Thr 3085] SSL API error

[Thr 3085] Failed to verify peer certificate. Peer not trusted.

[Thr 3085] 0xa0600203   SSL   ssl_verify_peer_certificates

[Thr 3085] Peer not trusted

[Thr 3085] 0xa0600297   SSL   ssl_cert_checker_verify_certificates

former_member185954
Active Contributor
0 Kudos

Hello Robert,

Is that an SMICM trace? If yes, can you increase the trace level and post a more detailed trace?

You mentioned

The particular vendor does not have a trust chain on his server certificate

What does that mean?

Regards,

Siddhesh

former_member185954
Active Contributor
0 Kudos

Since normally any vendor will have a server certificate issued by a Certificate Authority or an Intermediate Authority, whose public root certificate you will have to import into 'Trusted CAs' in the certificate store.

Regards,

Siddhesh

robert_warde4
Active Participant
0 Kudos

Hi,

Yes, I know this. All other vendors do. We just have the one without a trusted cert.

Regards

former_member185954
Active Contributor
0 Kudos

Hello Robert,

It's interesting to know; perhaps you might want to have a look at the following parameter.

icm/HTTPS/trust_client_with_issuer


Can't think of anything else, so I'll watch this thread.


Regards,

Siddhesh

Former Member
0 Kudos

Hello Robert,

Is your kernel up-to-date?

Check also:

2138175 - SM21: No SSL access to remote instances


Regards,

Serhat