Solved: RFC Destination SSL handshake failed

Hello,

I have an issue with a RFC Destination, since the certificate was changed (on server side).

When I press "Connection Test" I get the following message:

SSL handshake with evatr.bff-online.de:443 failed

We have already uploaded the new certificate in transaction STRUST and still getting the same error.

I have noticed that the algorithm changed from SHA-1 to SHA-256.

Therefore I checked the SAPCRYPTOLIB version:

New enough...

Here is the RFC Destination in SM59:

SSL is active and the correct list is selected:

Also HTTPS is enabled in Services in transaction SMICM:

Also I spoke to the guys from the networking and they said that SSLv3 communication isn't blocked and the systems are allowed to connect to the internet. They are sure that the problem is not network related.

I have no clue what to do now.

In the attachments you can find a ICM-Trace, where I tried a "Connection Test".

Thanks in advance.

Best regards

Dennis

SAP Managed Tags:
SAP Single Sign-On

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Accepted Solutions (1)

It may be related to SSLv3 security vulnerabilities. Please update your cryptographic software and try again. Please read SAP note 2110020 - Enabling TLS or disabling SSLv3 protocol versions on SAP WebDispatcher, or SAP WebAS (AS A....

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Hi Roman,

thanks for your reply.

According to the note we need SAPCRYPTOLIB 5.5.5pl38.

Currently we have SAPCRYPTOLIB 5.5.5C pl35 installed.

This could be the problem.

I'll speak to my colleague from the SAP system administration and report back later on.

Best regards,

Dennis

Can you provide values for ssl/ciphersuites and ssl/client_ciphersuites? TLSv1.0 must be used by default from SAPSRYPTOLIB 5.5.5pl28+ but instead it uses SSLv3.

[Thr 26986] =================================================

[Thr 26986] = SSL Initialization platform tag=(rs6000_6.1_64)

[Thr 26986] = (741_REL,Jan 31 2015,mt,ascii-uc,SAP_UC/size_t/void* = 16/64/64)

[Thr 26986] DIR_INSTANCE="/usr/sap/NGQ/DVEBMGS10"

[Thr 26986] DIR_LIBRARY="/usr/sap/NGQ/DVEBMGS10/exe"

[Thr 26986] ssl/ssl_lib="/usr/sap/NGQ/SLL/libsapcrypto.so"

[Thr 26986] profile param "ssl/ssl_lib" = "/usr/sap/NGQ/SLL/libsapcrypto.so"

[Thr 26986] resulting Filename = "/usr/sap/NGQ/SLL/libsapcrypto.so"

[Thr 26986] = found SAPCRYPTOLIB 5.5.5C pl35 (Sep 6 2013) MT-safe

[Thr 26986] = current UserID: "wgqadn", env-var USER="wgqadn"

[Thr 26986] = found SECUDIR environment variable

[Thr 26986] = using SECUDIR=/usr/sap/NGQ/DVEBMGS10/sec

[Thr 26986] ssl/ciphersuites="193:HIGH:MEDIUM:+e3DES:!aNULL"

[Thr 26986] ssl/client_ciphersuites="192:HIGH:MEDIUM:+e3DES:!aNULL"

[Thr 26986] = Success SapCryptoLib SSL ready!

[Thr 26986] =================================================

[Thr 26986]

[Thr 26986] Started service PORT=8011,PROT=HTTPS,TIMEOUT=90,PROCTIMEOUT=90,VCLIENT=1

[Thr 26986] SSL settings: verify_client: 1, cache_size: -1, cache_lifetime: -1, credfile: SAPSSLS.pse, ciphers: default

[Thr 26986] IcmNetCheck: network check passed without detecting problems

is this enough?

Looks Good Dennis needless to say (assuming) you will restart SMICM or SAP system if possible to ensure new library is being used.

Noticed the log seems to be SMICM log hope it works

The parameters seems to be ok. Try to check again.

Updating the SAPCRYPTOLIB was the solution to the problem.

Thank you very much!

Answers (2)

Hi,

Silly question after you uploaded the cert did you restart SMICM ICM processes? It is required.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Hi,

thanks for the reply.

Yes I did...

-Dennis

HI,

On the external server RFC it lists the connection as Default SSL-Client standard but the screenshot of the strust does not list if the certificate was uploaded for Default SSL-Client just check this.

Kind Regards,

Johan

This should be correct list, right?

-Dennis

HI Dennis,

That should be fine.

I know the network guys says it is open did you try telnetal to targ server port 443 ?

Johan

Hi Johan,

They tried it ping it with telnet last week, but it failed.

He said that it hasn't to be a problem, because the other side can turn it off.

We just tried to do a "Connection Test" with a test rfc-destination on a server of a friend of my colleague with port 443.

He received something from our server, so the port is open I guess.

The friend of my colleague said, that maybe the certificate is not correct... but I'm pretty sure it is...

I attached the ICM Log at trace level 2 you requested before editing.

-Dennis

HI.

What do you see if you run:

sapgenpse -l /usr/sap/SID/DVEBMGS10/sec/SAPSSLC.pse

Just change the sid part. You should see the certificate in the list of certificates.

Regards,

JOhan

Hi,

Could you please check the below SAP notes on this..

1249794 - Call of the involved service for SOAMANAGER fails

1472232 - ELENA: Problems during transfer via HTTPS

Regards,

Prithviraj.

Hello Dennis,

It's good that you confirmed with your network team that they are not blocking.

I see that you are passing through proxy server. Have you checked the proxy server logs ?

Another thing, silly as it may seem, reconfigure your browser to go through the same proxy as being used by SAP and then try going to the URL in your browser.

BZSt: USt-IdNr. Best&auml;tigung

KR,

Amerjit

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Hello Amerjit,

thanks for the reply.

We already tried a connection test without a proxy server entered.

The network team allowed the sap system to directly communicate with the internet.

Still the same SSL error...

btw.. the sap system and browser are using the same proxy server.

-Dennis

Hello Dennis,

Please always be carefull while sharing ICM trace. The ICM trace you attached has the certificate that was supplied to you by the external party.

Anyone can download it and create a certificate file.

In anycase, this SSL handshake is stopping with your proxy I think, its not even reaching out externally to your third party.

Regards,

Siddhesh

Hello Siddesh,

thanks for the reply.

The certificate can be downloaded by anyone.

I just downloaded it with the internet explorer from their website (the lock beside the URL):

BZSt: USt-IdNr. Best&auml;tigung

I exported it with Base-64 and DER coding (i tried both).

-Dennis

Okay,

My mistake, I didn't check what type of certificate it was, can you check if the certificate chain right up till root is installed on the proxy server.

The handshake seems to be failing there.


[Thr 16706] ->> SapSSLSetNiHdl(sssl_hdl=11bf716b0, ni_hdl=320)
[Thr 16706]   SSL NI-hdl 320: local=10.1.230.202:51179  peer=10.1.4.17:8080

After the above connection is established, you can see SSL error in handshake

I was assuming 10.1.230.202 is your local SAP server address and 10.1.4.17 is your proxy address.

Regards,

Siddhesh

You're right with the IP's, but what do you mean by


Siddhesh Ghag wrote:

..can you check if the certificate chain right up till root is installed on the proxy server.

exactly?

I only installed the certificate on the SAP system.

-Dennis

Hi Dennis,

He is referring to this.

1094342 - ICM trace contains verification of the server's certificate

Kind Regards

I wasn't sure with the proxy in between, how communication is handled. While forwarding connection on behalf of your SAP server, does the proxy try to validate the certificate?

if the proxy tries to validate the certificate, the proxy should have all the root and intermediate certificates that the certificate you supply corresponds to.

Regards,

Siddhesh

Hi Dennis,

WOW ... I see it's been a busy thread 🙂

1. Glad you already eliminated the proxy as a potential issue by having a direct connection. This takes that path of investigation of the table.

2. I don't want to muddy the waters but I think you were already on to the problem early on.

Bear in mind that your certificate from the tax authority went from SHA1 to SHA256 .......

3. Please <double click> on the PSE for SSL-CLIENT and post a screen shot here. I have a suspicion that your PSE is still SHA1 (possibly even 1024 BIT as well).

Q) What you are doing is something similar to Elster ?

Just for additional info:

2004653 - CommonCryptoLib 8 cryptographic algorithms

2065806 - Fixes and Features in CommonCryptoLib 8.4.31

1994240 - Zertifikat erstellen mit SHA256

1739681 - Kernel: Support creation of RSA-PSEs with SHA-256

MFG,

Amerjit

Message was edited by: Amerjit CHAHAL

Hi Amerjit,

thanks for the detailed reply.

2.) What do you mean? Last year before the certificate was changed (server side) we were able to connect to this RFC Destination. I developed a ABAP application and it already was tested succesfully.

3.) Do you mean this?

About Elster I will ask my colleague on monday. He is on vacation now.

I don't know anything about what Elster does. It's running on the HR-System, of which I'm not responsible for.

Thanks for the notes.

I checked them, but they didn't help me.

-Dennis

Hello Siddesh,

I spoke with my colleague from the networking team and he said that the proxy doesn't validate certificates.

For testing purposes I've tried a connection test without a proxy server entered (SM59) and it's showing me the exact same error...

The log is attached.

-Dennis

Hey Dennis,

The screen shot I am after is the "SSl Client Standard" and then you double click on the entry that shows to the right of "owner" under "own certificate"

This will then show you the details of this certificate in the certificate part of the screen.

I want to see if your PSE is using RSA1 (most likely also 1024 BIT)

KR,

Amerjit

I don't know exactly what you mean...

This?

or this?

Then post the screen shot of what appears under the "certificate" part of the screen.

Amerjit

When doubleclick the "owner" entry it's looking like this:

there is no (self-signed) at the top like at your screenshot.

It's just empty.

Only the information on the bottom part refrehses.

Hello Dennis,

Maybe the secure library that you have on your SAP doesn't support SHA256RSA and SHA256 for hashing, which is requested by your third party.

I think the following lines in the trace file are key.


[Thr 4113] *** ERROR during SecuSSL_SessionStart() from SSL_connnect()==SSL_ERROR_CONNECTION_LOST
[Thr 4113]    session uses PSE file "/usr/sap/NGQ/DVEBMGS10/sec/SAPSSLC.pse"
[Thr 4113] No LastError / ErrorStack available!
[Thr 4113]   SSL_get_state()==0x2180 "SSLv3 write client key exchange A"
[Thr 4113]   No certificate request received from Server

I think when the SAP Server (which acts as client) sends a hello message to third party, it also sends information about supported cryptographic algorithms to which the server may drop connection or accept it if it finds them acceptable.

In your case, the server (third party) seems to be dropping the connection.

Please have a look at the parameter ssl/ciphersuites

this is documented in the following note

510007 - Setting up SSL on Application Server ABAP

Check Point no 6 in the above note.

I am hoping it solves the problem, cause I can't think of anything else, good luck.

PS: It's an interesting thread, that helped me understand this concept, i'll bookmark it for future reference.

Regards,

Siddhesh

Hey Siddhesh,

Indeed an interesting thread. I love this kind of stuff 🙂

Exactly my sentiments about the cipher suite hence my pointing Dennis to the commoncryptolib notes and the SHA256 note in German.

I could be completely wrong (wouldn't be the first time in my life 🙂 ) but if it were my system (test system of course 🙂 ) then I would try with the commoncryptolib and also save my existing PSE (plus certificates), delete it and then recreate it as SHA256 with 2048.

Unfortunately I don't have a system where I can play with my idea.

Here hoping I'm not barking up the wrong tree.

Cheers,

Amerjit

I agree too, yes you pointed out about SHA256, but I was more keen to understand what could be happening as in what is the process, how does it really work. There is little or no documentation around this.

I too have no access to any systems to test these theories. Let us wait for Dennis to come back on this.

Regards,

Siddhesh

Hello Dennis,

Thanks for that. It's what I wanted to see.

Time for a recap.

1. Your old certificate SHA1 worked.

2. You new certificate SHA256 causes the problem you have mentioned.

Q) Do you still have you old certificate somewhere ? Try importing it again just to validate the above.

I think it's time for you to open a message with SAP for this.

There are plenty of other things I would try if this was my own system (assume responsibility of my actions). Of course I can't ask you to do something you may not feel comfortable doing.

1. Save certificates in existing PSE.

2. Save existing PSE

3. Delete existing PSE

4. Recreate PSE as SHA256 with 2048BIT

5. Import certificates save in step #1.

6. Update sapcryptolib (commoncryptolib) (means system downtime)

I may be completely off track with what I think the problem is but I live by "better to have tried and failed than to have never tried at all" 🙂

MFG,

Amerjit

Hello Amerjit,

I don't think sending the old certificate will work.

The very reason the third party seems to be dropping connection (which again is to be established yet) is because they seem to have upgraded their SSL infrastructure to TLS V3.

So updating the cryptographic library maybe the only solution. But let us wait and watch.

Regards,

Siddhesh

Dennis,

A good cup of tea and then I restored a old VM to test.

I tested with SSFLIB Version 1.555.36 (interestingly 1.555.35 is no longer on marketplace, 1.555.34, 1.555.36 onwards but no longer 1.555.35 )

1. I setup the SSL client and RFC destination and with 1.555.36 the RFC connection test works.

2. I have then tested with SSFLIB Version 1.840.40 and all still works.

See note: #1841573 SAPCRYPTOLIB 555pl36 fixes.

Check points #2 and #3 in the above note.

Please test with a version >= 1.555.36 and let us know how you get on.

It's the weekend and it's time to move onto something a bit more spirited than a cup of tea.

Cheers,

Amerjit

Message was edited by: Amerjit CHAHAL

Hello Dennis,

Have you looked at my suggestion above and the note/parameter described?

Regards,

Siddhesh

Hello Dennis,

Please check the document

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/964f67ec-0701-0010-bd88-f995abf4e...

Although it is not directly related to this issue, the optional configuration describes key points about SSL handshake and cipher suites, which potentially could be the cause of this problem.

Regards,

Siddhesh

Hello Dennis,

Did you try with a more recent version of cryptolib as suggested ?

Amerjit

Hi Amerjit,

thanks for the tests you did!

I already spoke to the colleague from the SAP system administration.

I'll report back, when the update is done.

Regards

Dennis

Hello Siddhesh,

thanks for all your effort you put into this.

We'll try to update the SAPCRYPTOLIB, as suggested many times before in this thread.

I'll report back then.

Best regards

Dennis

Don't mention it Dennis, its an interesting thread, my takeaway from this thread is the process of authentication, which I would have never bothered to research until I came across such a problem.

Siddhesh,

Some bedtime reading:

It's for HCI but you get a nice overview of things.

Enjoy.

Amerjit

Yes, its very high level.

Good to know, I did mention this, so the root cause was that third party server upgraded their SSL libraries and hence were dropping connections from your server as it didn't support the protocols that they needed your server to support

Ask a Question

Top Q&A Solution Author

User

Count

RFC Destination SSL handshake failed

SSL handshake with evatr.bff-online.de:443 failed

Accepted Solutions (1)

Accepted Solutions (1)

Answers (2)

Answers (2)

Iterating through JSONModel with multiple nested a...

Re: Connecting SAP CAP with SAP Cloud ALM

How to use CopyProvider on Table created by TypeSc...

How to execute/fire onPost when user press enter o...

Re: Connecting SAP CAP with SAP Cloud ALM