on 04-14-2015 11:16 AM
Hello,
I have an issue with a RFC Destination, since the certificate was changed (on server side).
When I press "Connection Test" I get the following message:
We have already uploaded the new certificate in transaction STRUST and still getting the same error.
I have noticed that the algorithm changed from SHA-1 to SHA-256.
Therefore I checked the SAPCRYPTOLIB version:
New enough...
Here is the RFC Destination in SM59:
SSL is active and the correct list is selected:
Also HTTPS is enabled in Services in transaction SMICM:
Also I spoke to the guys from the networking and they said that SSLv3 communication isn't blocked and the systems are allowed to connect to the internet. They are sure that the problem is not network related.
I have no clue what to do now.
In the attachments you can find a ICM-Trace, where I tried a "Connection Test".
Thanks in advance.
Best regards
Dennis
It may be related to SSLv3 security vulnerabilities. Please update your cryptographic software and try again. Please read SAP note 2110020 - Enabling TLS or disabling SSLv3 protocol versions on SAP WebDispatcher, or SAP WebAS (AS A....
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
[Thr 26986] =================================================
[Thr 26986] = SSL Initialization platform tag=(rs6000_6.1_64)
[Thr 26986] = (741_REL,Jan 31 2015,mt,ascii-uc,SAP_UC/size_t/void* = 16/64/64)
[Thr 26986] DIR_INSTANCE="/usr/sap/NGQ/DVEBMGS10"
[Thr 26986] DIR_LIBRARY="/usr/sap/NGQ/DVEBMGS10/exe"
[Thr 26986] ssl/ssl_lib="/usr/sap/NGQ/SLL/libsapcrypto.so"
[Thr 26986] profile param "ssl/ssl_lib" = "/usr/sap/NGQ/SLL/libsapcrypto.so"
[Thr 26986] resulting Filename = "/usr/sap/NGQ/SLL/libsapcrypto.so"
[Thr 26986] = found SAPCRYPTOLIB 5.5.5C pl35 (Sep 6 2013) MT-safe
[Thr 26986] = current UserID: "wgqadn", env-var USER="wgqadn"
[Thr 26986] = found SECUDIR environment variable
[Thr 26986] = using SECUDIR=/usr/sap/NGQ/DVEBMGS10/sec
[Thr 26986] ssl/ciphersuites="193:HIGH:MEDIUM:+e3DES:!aNULL"
[Thr 26986] ssl/client_ciphersuites="192:HIGH:MEDIUM:+e3DES:!aNULL"
[Thr 26986] = Success SapCryptoLib SSL ready!
[Thr 26986] =================================================
[Thr 26986]
[Thr 26986] Started service PORT=8011,PROT=HTTPS,TIMEOUT=90,PROCTIMEOUT=90,VCLIENT=1
[Thr 26986] SSL settings: verify_client: 1, cache_size: -1, cache_lifetime: -1, credfile: SAPSSLS.pse, ciphers: default
[Thr 26986] IcmNetCheck: network check passed without detecting problems
is this enough?
Hi,
Silly question after you uploaded the cert did you restart SMICM ICM processes? It is required.
J
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Johan,
They tried it ping it with telnet last week, but it failed.
He said that it hasn't to be a problem, because the other side can turn it off.
We just tried to do a "Connection Test" with a test rfc-destination on a server of a friend of my colleague with port 443.
He received something from our server, so the port is open I guess.
The friend of my colleague said, that maybe the certificate is not correct... but I'm pretty sure it is...
I attached the ICM Log at trace level 2 you requested before editing.
-Dennis
Hi,
Could you please check the below SAP notes on this..
1249794 - Call of the involved service for SOAMANAGER fails
1472232 - ELENA: Problems during transfer via HTTPS
Regards,
Prithviraj.
Hello Dennis,
It's good that you confirmed with your network team that they are not blocking.
I see that you are passing through proxy server. Have you checked the proxy server logs ?
Another thing, silly as it may seem, reconfigure your browser to go through the same proxy as being used by SAP and then try going to the URL in your browser.
BZSt: USt-IdNr. Bestätigung
KR,
Amerjit
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello Dennis,
Please always be carefull while sharing ICM trace. The ICM trace you attached has the certificate that was supplied to you by the external party.
Anyone can download it and create a certificate file.
In anycase, this SSL handshake is stopping with your proxy I think, its not even reaching out externally to your third party.
Regards,
Siddhesh
Hello Siddesh,
thanks for the reply.
The certificate can be downloaded by anyone.
I just downloaded it with the internet explorer from their website (the lock beside the URL):
BZSt: USt-IdNr. Bestätigung
I exported it with Base-64 and DER coding (i tried both).
-Dennis
Okay,
My mistake, I didn't check what type of certificate it was, can you check if the certificate chain right up till root is installed on the proxy server.
The handshake seems to be failing there.
[Thr 16706] ->> SapSSLSetNiHdl(sssl_hdl=11bf716b0, ni_hdl=320)
[Thr 16706] SSL NI-hdl 320: local=10.1.230.202:51179 peer=10.1.4.17:8080
After the above connection is established, you can see SSL error in handshake
I was assuming 10.1.230.202 is your local SAP server address and 10.1.4.17 is your proxy address.
Regards,
Siddhesh
I wasn't sure with the proxy in between, how communication is handled. While forwarding connection on behalf of your SAP server, does the proxy try to validate the certificate?
if the proxy tries to validate the certificate, the proxy should have all the root and intermediate certificates that the certificate you supply corresponds to.
Regards,
Siddhesh
Hi Dennis,
WOW ... I see it's been a busy thread 🙂
1. Glad you already eliminated the proxy as a potential issue by having a direct connection. This takes that path of investigation of the table.
2. I don't want to muddy the waters but I think you were already on to the problem early on.
Bear in mind that your certificate from the tax authority went from SHA1 to SHA256 .......
3. Please <double click> on the PSE for SSL-CLIENT and post a screen shot here. I have a suspicion that your PSE is still SHA1 (possibly even 1024 BIT as well).
Q) What you are doing is something similar to Elster ?
A)
Just for additional info:
2004653 - CommonCryptoLib 8 cryptographic algorithms
2065806 - Fixes and Features in CommonCryptoLib 8.4.31
1994240 - Zertifikat erstellen mit SHA256
1739681 - Kernel: Support creation of RSA-PSEs with SHA-256
MFG,
Amerjit
Message was edited by: Amerjit CHAHAL
Hi Amerjit,
thanks for the detailed reply.
2.) What do you mean? Last year before the certificate was changed (server side) we were able to connect to this RFC Destination. I developed a ABAP application and it already was tested succesfully.
3.) Do you mean this?
About Elster I will ask my colleague on monday. He is on vacation now.
I don't know anything about what Elster does. It's running on the HR-System, of which I'm not responsible for.
Thanks for the notes.
I checked them, but they didn't help me.
-Dennis
Hello Siddesh,
I spoke with my colleague from the networking team and he said that the proxy doesn't validate certificates.
For testing purposes I've tried a connection test without a proxy server entered (SM59) and it's showing me the exact same error...
The log is attached.
-Dennis
Hey Dennis,
The screen shot I am after is the "SSl Client Standard" and then you double click on the entry that shows to the right of "owner" under "own certificate"
This will then show you the details of this certificate in the certificate part of the screen.
I want to see if your PSE is using RSA1 (most likely also 1024 BIT)
KR,
Amerjit
Hello Dennis,
Maybe the secure library that you have on your SAP doesn't support SHA256RSA and SHA256 for hashing, which is requested by your third party.
I think the following lines in the trace file are key.
[Thr 4113] *** ERROR during SecuSSL_SessionStart() from SSL_connnect()==SSL_ERROR_CONNECTION_LOST
[Thr 4113] session uses PSE file "/usr/sap/NGQ/DVEBMGS10/sec/SAPSSLC.pse"
[Thr 4113] No LastError / ErrorStack available!
[Thr 4113] SSL_get_state()==0x2180 "SSLv3 write client key exchange A"
[Thr 4113] No certificate request received from Server
I think when the SAP Server (which acts as client) sends a hello message to third party, it also sends information about supported cryptographic algorithms to which the server may drop connection or accept it if it finds them acceptable.
In your case, the server (third party) seems to be dropping the connection.
Please have a look at the parameter ssl/ciphersuites
this is documented in the following note
510007 - Setting up SSL on Application Server ABAP
Check Point no 6 in the above note.
I am hoping it solves the problem, cause I can't think of anything else, good luck.
PS: It's an interesting thread, that helped me understand this concept, i'll bookmark it for future reference.
Regards,
Siddhesh
Hey Siddhesh,
Indeed an interesting thread. I love this kind of stuff 🙂
Exactly my sentiments about the cipher suite hence my pointing Dennis to the commoncryptolib notes and the SHA256 note in German.
I could be completely wrong (wouldn't be the first time in my life 🙂 ) but if it were my system (test system of course 🙂 ) then I would try with the commoncryptolib and also save my existing PSE (plus certificates), delete it and then recreate it as SHA256 with 2048.
Unfortunately I don't have a system where I can play with my idea.
Here hoping I'm not barking up the wrong tree.
Cheers,
Amerjit
I agree too, yes you pointed out about SHA256, but I was more keen to understand what could be happening as in what is the process, how does it really work. There is little or no documentation around this.
I too have no access to any systems to test these theories. Let us wait for Dennis to come back on this.
Regards,
Siddhesh
Hello Dennis,
Thanks for that. It's what I wanted to see.
Time for a recap.
1. Your old certificate SHA1 worked.
2. You new certificate SHA256 causes the problem you have mentioned.
Q) Do you still have you old certificate somewhere ? Try importing it again just to validate the above.
A)
I think it's time for you to open a message with SAP for this.
There are plenty of other things I would try if this was my own system (assume responsibility of my actions). Of course I can't ask you to do something you may not feel comfortable doing.
1. Save certificates in existing PSE.
2. Save existing PSE
3. Delete existing PSE
4. Recreate PSE as SHA256 with 2048BIT
5. Import certificates save in step #1.
6. Update sapcryptolib (commoncryptolib) (means system downtime)
I may be completely off track with what I think the problem is but I live by "better to have tried and failed than to have never tried at all" 🙂
MFG,
Amerjit
Hello Amerjit,
I don't think sending the old certificate will work.
The very reason the third party seems to be dropping connection (which again is to be established yet) is because they seem to have upgraded their SSL infrastructure to TLS V3.
So updating the cryptographic library maybe the only solution. But let us wait and watch.
Regards,
Siddhesh
Dennis,
A good cup of tea and then I restored a old VM to test.
I tested with SSFLIB Version 1.555.36 (interestingly 1.555.35 is no longer on marketplace, 1.555.34, 1.555.36 onwards but no longer 1.555.35 )
1. I setup the SSL client and RFC destination and with 1.555.36 the RFC connection test works.
2. I have then tested with SSFLIB Version 1.840.40 and all still works.
See note: #1841573 SAPCRYPTOLIB 555pl36 fixes.
Check points #2 and #3 in the above note.
Please test with a version >= 1.555.36 and let us know how you get on.
It's the weekend and it's time to move onto something a bit more spirited than a cup of tea.
Cheers,
Amerjit
Message was edited by: Amerjit CHAHAL
Hello Dennis,
Please check the document
Although it is not directly related to this issue, the optional configuration describes key points about SSL handshake and cipher suites, which potentially could be the cause of this problem.
Regards,
Siddhesh
User | Count |
---|---|
93 | |
10 | |
10 | |
9 | |
9 | |
7 | |
6 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.