
SOAP: Call failed: java.io.IOException: Failed to get the input stream from socket: iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: decrypt error

Former Member
0 Kudos

Hi everybody,

We have a synchronous scenario which involves an ABAP proxy to a third-party HTTPS web service with client authentication.

We have received the client certificate and the server certificate from the third party.

Our SOAP receiver channel has the option "Configure Client authentication" with this client certificate, which is stored in the proper keystore of the NWA. We also have the server certificate in the keystore "TrustedCAs" in order to avoid the error "Peer certificate rejected by ChainVerifier".

However, we're having problems while establishing the SSL handshake between the web service and our PI 7.4 (Java single stack).

We think that the problem is related to cipher suites or something like this.

Any help would be very appreciated.

Thanks!

Accepted Solutions (0)

Answers (3)

Former Member
0 Kudos

Hello José,

where is this error produced? You have to analyse the error on server side. If this is PI then take the XPI_Inspector. The security analyser in NWA won't give you sufficient details. Naturally, in these security scenarios the client does not get much error information.

Regards,

Jörg

Former Member
0 Kudos

Hi Jörg & Eng Swee Yeoh,

XPI_Inspector was successfully installed and here is the extended SSL debug log:

Begin IAIK Debug:

ssl_debug(14): Starting handshake (iSaSiLk 4.403)...

ssl_debug(14): Sending v3 client_hello message to "Web Service URL", requesting version 3.1...

ssl_debug(14): Received v3 server_hello handshake message.

ssl_debug(14): Server selected SSL version 3.1.

ssl_debug(14): Server created new session AE:23:30:5E:25:92:96:70...

ssl_debug(14): CipherSuite selected by server: SSL_RSA_WITH_3DES_EDE_CBC_SHA

ssl_debug(14): CompressionMethod selected by server: NULL

ssl_debug(14): TLS extensions sent by the server: renegotiation_info (65281)

ssl_debug(14): Server supports secure renegotiation.

ssl_debug(14): Received certificate handshake message with server certificate.

ssl_debug(14): Server sent a 2048 bit RSA certificate, chain has 2 elements.

ssl_debug(14): ChainVerifier: Found a trusted certificate, returning true

ssl_debug(14): Received certificate_request handshake message.

ssl_debug(14): Accepted certificate types: RSA, DSA, Unknown (64)

ssl_debug(14): Accepted certificate authorities:

ssl_debug(14):   CN=-----,O=--------

ssl_debug(14):   CN=------,O=---- ---

ssl_debug(14):   CN=Certificate Manager,O=---,C=ES

ssl_debug(14):   CN=----OU=----,O=----,C=es

ssl_debug(14):   CN=------,O=------

ssl_debug(14): Received server_hello_done handshake message.

ssl_debug(14): Sending certificate handshake message with RSA client certificate...

ssl_debug(14): Sending client_key_exchange handshake...

ssl_debug(14): Sending certificate_verify handshake message...

ssl_debug(14): Sending change_cipher_spec message...

ssl_debug(14): Sending finished message...

ssl_debug(14): Received alert message: Alert Fatal: decrypt error

ssl_debug(14): SSLException while handshaking: Peer sent alert: Alert Fatal: decrypt error

ssl_debug(14): Shutting down SSL layer...

ssl_debug(14): Closing transport...

The problem is related to the client certificate. This step shows the problem...

Verify Local SSL Client Key Pair.......

Private Key View/Entry: DEFAULT/ClientCertificate

Algorithm: RSA

Format: PKCS#8

Found Certificate chain with 2 elements:

Certificate #0

    SubjectDN: CN=----,O=-----

    IssuerDN: CN=----,O=-----

    Self Signed CA

    Verifying KeyPair: !!! EXCEPTION OCCURRED: Signature decryption error: javax.crypto.BadPaddingException: Invalid PKCS#1 padding: no leading zero!

Certificate #1

    SubjectDN: UID=ClientCertificate,CN=-----,

     OU=----,O=-----,C=ES

    IssuerDN: CN=----,O=-----

Some additional Info:

Chain Verifier is OK, the CA is trusted and also the server certificate. Both certs are in the TrustedCAs keystore.

The client certificate belongs to the "DEFAULT" keystore.

Help please. SOAPUI is working with the same client certificate.
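Two things in the log above are worth reading together. The server accepts the client's certificate message and only aborts after certificate_verify, which is the client's signature over the handshake transcript; the server checks that signature with the public key of the first certificate the client sent, and a mismatch is reported as exactly the fatal "decrypt error" shown. Separately, the XPI_Inspector key-pair check lists the self-signed CA as Certificate #0 ahead of the client certificate and fails to pair the private key with it. The script below is an added example, not code from the thread or from SAP, that reproduces both checks with the openssl CLI on PEM exports: does the private key belong to the certificate, does a signature made with that key verify against the certificate the peer would see, and is the chain leaf-first. It assumes openssl is on PATH; the CA, client key, certificate, chain files and subjects are all constructed locally and are not the poster's data.

```shell
#!/bin/sh
# Added example, not from the thread or from SAP: reproduce the checks that
# matter for a "decrypt error" right after certificate_verify, using openssl on
# PEM exports of a keystore entry. Everything here is constructed locally:
# the CA, the client key and certificate, and the chain files are test data.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Constructed test PKI: a self-signed CA and one client certificate it issued.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Example Test CA/O=Example" -days 1 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/CN=ClientCertificate/O=Example/C=ES" >/dev/null 2>&1
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out client.crt -days 1 >/dev/null 2>&1

# Two chain files: leaf first (what the TLS Certificate message must carry)
# and CA first (the #0/#1 order the keystore dump in the post shows).
cat client.crt ca.crt > chain_leaf_first.pem
cat ca.crt client.crt > chain_ca_first.pem

# keypair_matches KEY CERT: succeeds only if the private key's public half is
# the public key inside CERT. Compares SHA-256 of the DER SubjectPublicKeyInfo.
keypair_matches() {
    key_spki=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    cert_spki=$(openssl x509 -in "$2" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$key_spki" = "$cert_spki" ]
}

# certificate_verify_ok KEY CERT: what the server does with certificate_verify.
# Sign a stand-in for the handshake transcript with KEY and verify it with the
# public key taken from CERT. A mismatched pair fails verification, which is
# what the peer reports as a fatal "decrypt error" alert.
certificate_verify_ok() {
    printf 'constructed handshake transcript' > transcript.bin
    openssl dgst -sha256 -sign "$1" -out transcript.sig transcript.bin
    openssl x509 -in "$2" -pubkey -noout > peer_pub.pem
    openssl dgst -sha256 -verify peer_pub.pem -signature transcript.sig \
        transcript.bin >/dev/null 2>&1
}

# chain_leaf_first CHAIN: succeeds if the first certificate in the PEM file is
# not self-signed, i.e. the end-entity certificate comes before its CA.
chain_leaf_first() {
    first=$(awk '/BEGIN CERTIFICATE/ { n++ } n == 1' "$1")
    subj=$(printf '%s\n' "$first" | openssl x509 -noout -subject)
    iss=$(printf '%s\n' "$first" | openssl x509 -noout -issuer)
    [ "${subj#subject=}" != "${iss#issuer=}" ]
}

# report CHECK ARGS...: print PASS/FAIL without aborting under set -e.
report() {
    if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi
}

report keypair_matches client.key client.crt       # the right pair
report keypair_matches client.key ca.crt           # key paired with the CA cert
report certificate_verify_ok client.key client.crt
report certificate_verify_ok client.key ca.crt     # the server-side view of a mismatch
report chain_leaf_first chain_leaf_first.pem
report chain_leaf_first chain_ca_first.pem         # CA-first ordering

# Against a real endpoint the same pair can be exercised (not run here):
#   openssl s_client -connect host:443 -cert client.crt -key client.key -CAfile ca.crt
```

The second and fourth checks are the ones that correspond to the "Verifying KeyPair" exception in the post: a private key tested against a CA certificate instead of the end-entity certificate cannot produce a signature that verifies, and a server handed the CA certificate first in the Certificate message sees the same failure at certificate_verify. Exporting the DEFAULT/ClientCertificate entry to PEM and running these three checks on it separates "wrong or corrupted key" from "right key, wrong chain order" before touching cipher suites.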

Former Member
0 Kudos

Hello José,

do you have access to the server logs? The server should have all the details about the error.

From what you post here I assume that it is a problem of misinterpretation of the encryption algorithm. For example, you take a PKCS#8 certificate, but interpret it as PKCS#1. I found this regarding the leading zeros:

http://stackoverflow.com/questions/5054036/what-is-the-difference-between-the-different-padding-type...

So it looks like your server expects a PKCS#1 with a leading zero like in #2 in that article, but you send a different format that has no leading zeros.

Your soapUI might have different settings in this regard. So the certificate is certainly correct, but the settings must have an error somewhere.

Hope that helps,

Jörg

engswee
Active Contributor
0 Kudos

Hi Jose

XPI inspector is the best tool to troubleshoot this. Use Example 11 (Authentication, SSL & PP) and if you still can't resolve it, post the SSL debug log here for further analysis.

Rgds

Eng Swee

Former Member
0 Kudos

Up!

former_member186851
Active Contributor
0 Kudos

Check for Proxy settings and firewalls which might be blocking.

Former Member
0 Kudos

Hi Raghuraman,

The handshake takes place but is not finishing. I don't think the problem is something related to the firewall and proxy settings.

I'll check it anyway. Thanks.