on 08-22-2016 7:22 PM
Hi,
I'm trying to consume a web service hosted by AWS from ABAP. I can run it normally from my web browser, it's a public service with no authentication. However, when I try to create a connection in SM59 or even call it directly from ABAP using the class CL_HTTP_CLIENT, I get the error SSSLERR_SSL_CONNECT.
I have already added the AWS certificate to my anonymous PSE in STRUST, so I don't get a trust error anymore. However, for the error I'm getting now I could not find any clue in the log, which I'm pasting below.
[Thr 2828] Mon Aug 22 13:57:48 2016
[Thr 2828] SSL_get_state()==0x2120 "SSLv3 read server hello A"
[Thr 2828] *** ERROR during SecuSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 2828] session uses PSE file "/usr/sap/XXX/DVEBMGS02/sec/SAPSSLA.pse"
[Thr 2828] SecuSSL_SessionStart: SSL_connect() failed (536875072/0x20001040)
[Thr 2828] => "received a fatal SSLv3 handshake failure alert message from the peer"
[Thr 2828] >> ---------- Begin of Secu-SSL Errorstack ---------- >>
[Thr 2828] 0x20001040 | SAPCRYPTOLIB | SSL_connect
[Thr 2828] SSL API error
[Thr 2828] received a fatal SSLv3 handshake failure alert message from the peer
[Thr 2828] 0xa0600266 | SSL | ssl3_connect
[Thr 2828] received a fatal SSLv3 handshake failure alert message from the peer
[Thr 2828] 0xa0600266 | SSL | ssl3_read_bytes
[Thr 2828] received a fatal SSLv3 handshake failure alert message from the peer
[Thr 2828] << ---------- End of Secu-SSL Errorstack ----------
[Thr 2828] No certificate request received from Server
[Thr 2828] SSL NI-hdl 112: local=xxx.xxx.xxx.xxx:xxx peer=xxx.xxx.xxx.xxx:443
[Thr 2828] <<- ERROR: SapSSLSessionStart(sssl_hdl=111d9d550)==SSSLERR_SSL_CONNECT
[Thr 2828] *** ERROR => SSL handshake with xxxxxxxxxx.execute-api.us-east-1.amazonaws.com:443 failed: SSSLERR_SSL_CONNECT (-57)
[Thr 2828] SAPCRYPTO:SSL_connect() failed
[Thr 2828]
[Thr 2828] SapSSLSessionStart()==SSSLERR_SSL_CONNECT
[Thr 2828] SSL:SSL_connect() failed (536875072/0x20001040)
[Thr 2828] => "received a fatal SSLv3 handshake failure alert message from the peer"
[Thr 2828] >> ---- SecuSSL ErrStack: ----
[Thr 2828] 0x20001040 | SAPCRYPTOLIB | SSL_connect
[Thr 2828] SSL API error
[Thr 2828] received a fatal SSLv3 handshake failure alert message from the peer
[Thr 2828] 0xa0600266 | SSL | ssl3_connect
[Thr 2828] received a fatal SSLv3 handshake failure alert message from the peer
[Thr 2828] 0xa0600266 | SSL | ssl3_read_bytes
[Thr 2828] received a fatal SSLv3 handshake failure alert message from the peer
[Thr 2828] << ---------------------------
[Thr 2828] SSL:SSL_get_state()==0x2120 "SSLv3 read server hello A"
[Thr 2828] SSL NI-hdl 112: local=xxx.xxx.xxx.xxx:xxx peer=xxx.xxx.xxx.xxx:443
[Thr 2828] cli SSL session PSE "/usr/sap/XXX/DVEBMGS02/sec/SAPSSLA.pse"
[Thr 2828] Target Hostname="xxxxxxxxxx.execute-api.us-east-1.amazonaws.com"
[Thr 2828]
[Thr 2828] {00047d02} [icxxconn.c 2198]
[Thr 2828] IcmConnConnect: Connect failed for session GUI T6_U6848_M0, 300, XXXXXX, XXXXXXXXXXXXXX, time=13:57:48, W5, program=RSHTT
Regards,
Fabio
Hello Fabio,
I am not sure, but it seems that the issue is related to the SSL ciphers that the server has "versus" the ones that SAP (as client) is configured to use.
Regards,
Isaías
Hi Isaías,
Based on your answer I did some research on the ciphers topic. I ended up changing the parameter ssl/client_ciphersuites to 982:HIGH:MEDIUM:+e3DES in order to ensure that all possible SSL protocols (TLS v1.2, v1.1, v1.0 and SSLv3) are active on the client side.
However, the error persists.
Best regards,
Fábio
Hi Amerjit,
No good with both 914 and 790.
I have set just the ssl/client_ciphersuites parameter. I have not messed with ssl/ciphersuites as I'm afraid of affecting incoming connections. Do I need to change both?
Kernel version is 742 with patch level 401.
[Thr 3856] Thu Aug 25 11:07:25 2016
[Thr 3856] = disabled FIPS 140-2 crypto kernel
[Thr 3856] = found CommonCryptoLib 8.4.49 (Mar 4 2016)
[Thr 3856] = current UserID: "xxxadm", env-var USER="xxxadm"
[Thr 3856] = using SECUDIR=/usr/sap/XXX/DVEBMGS02/sec
[Thr 3856] = [ctc] ssl/ciphersuites="HIGH:MEDIUM:+e3DES:!aNULL"
[Thr 3856] = [dpf] ssl/client_ciphersuites="790:HIGH:MEDIUM:+e3DES"
[Thr 3856] = Success SapCryptoLib SSL ready!
[Thr 3856] =================================================
[Thr 3856]
[Thr 3856] Started service PORT=99999,PROT=HTTPS,TIMEOUT=60,PROCTIMEOUT=300,VCLIENT=1
[Thr 3856] SSL settings: verify_client: 1, cache_size: -1, cache_lifetime: -1, credfile: SAPSSLS.pse, ciphers: default
[Thr 772] HttpExtractArchive: files from archive /usr/sap/XXX/DVEBMGS02/exe/ITS.SAR in directory /usr/sap/XXX/DVEBMGS02/data/icmandi
[Thr 3856] IcmNetCheck: network check passed without detecting problems
[Thr 01] Thu Aug 25 11:07:34 2016
[Thr 01] IcmSSLPseChanged: Refresh SSL Certificates (PSE files)
[Thr 01] Reload OK for SSL cred "/usr/sap/XXX/DVEBMGS02/sec/SAPSSLS.pse"
[Thr 01] Reload OK for SSL cred "/usr/sap/XXX/DVEBMGS02/sec/SAPSSLC.pse"
[Thr 01] Reload OK for SSL cred "/usr/sap/XXX/DVEBMGS02/sec/SAPSSLA.pse"
[Thr 3085] Thu Aug 25 11:10:29 2016
[Thr 3085] SSL_get_state()==0x2120 "SSLv3 read server hello A"
[Thr 3085] *** ERROR during SecuSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 3085] session uses PSE file "/usr/sap/XXX/DVEBMGS02/sec/SAPSSLA.pse"
[Thr 3085] SecuSSL_SessionStart: SSL_connect() failed (536875072/0x20001040)
[Thr 3085] => "received a fatal SSLv3 handshake failure alert message from the peer"
[Thr 3085] >> Begin of Secu-SSL Errorstack >>
[Thr 3085] 0x20001040 SAPCRYPTOLIB SSL_connect
[Thr 3085] SSL API error
Best regards,
Fábio
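Added example, not part of the original thread: a small parser for ICM trace lines in the layout pasted above, which collapses each repeated Secu-SSL error stack into one record per failed outbound handshake (thread, handshake state, alert text, PSE, target) and reports the `ssl/client_ciphersuites` value the trace says was active. The function name `parse_icm_trace`, the `SAMPLE` text and the host `api.example.invalid` are constructed for illustration.

```python
import re

THR = re.compile(r"^\[Thr (\d+)\] ?(.*)$")
STAMP = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4}$")
START = re.compile(r'^SSL_get_state\(\)==(0x[0-9a-fA-F]+) "([^"]+)"')
ALERT = re.compile(r'^=> "([^"]+)"')
PSE = re.compile(r'^session uses PSE file "([^"]+)"')
DONE = re.compile(r"SSL handshake with (\S+):(\d+) failed: (\w+) \((-?\d+)\)")
CIPHERS = re.compile(r'ssl/client_ciphersuites="([^"]+)"')

def parse_icm_trace(text):
    ciphers, failures, open_rec, clock = None, [], {}, {}
    for raw in text.splitlines():
        if not (m := THR.match(raw.strip())):
            continue
        thr, body = m.group(1), m.group(2).strip()
        if STAMP.match(body):
            clock[thr] = body  # last timestamp this thread wrote
        elif (c := CIPHERS.search(body)):
            ciphers = c.group(1)
        elif (s := START.match(body)):
            # Opens a failure record; the repeated stack logs "SSL:SSL_get_state".
            open_rec[thr] = {"thread": thr, "time": clock.get(thr), "state": s.group(2),
                             "alert": None, "pse": None, "host": None, "error": None}
        elif thr in open_rec:
            rec = open_rec[thr]
            if (a := ALERT.match(body)):
                rec["alert"] = a.group(1)
            elif (p := PSE.match(body)):
                rec["pse"] = p.group(1)
            elif (d := DONE.search(body)):
                rec["host"], rec["error"] = f"{d.group(1)}:{d.group(2)}", d.group(3)
                failures.append(open_rec.pop(thr))
    # Records never closed by a "handshake ... failed" line: the trace was cut off.
    failures.extend(open_rec.values())
    return ciphers, failures

# Constructed sample in the layout of the trace above; the host is a placeholder.
SAMPLE = """\
[Thr 3856] = [dpf] ssl/client_ciphersuites="790:HIGH:MEDIUM:+e3DES"
[Thr 2828] Mon Aug 22 13:57:48 2016
[Thr 2828] SSL_get_state()==0x2120 "SSLv3 read server hello A"
[Thr 2828] session uses PSE file "/usr/sap/XXX/DVEBMGS02/sec/SAPSSLA.pse"
[Thr 2828] => "received a fatal SSLv3 handshake failure alert message from the peer"
[Thr 2828] *** ERROR => SSL handshake with api.example.invalid:443 failed: SSSLERR_SSL_CONNECT (-57)
[Thr 2828] SSL:SSL_get_state()==0x2120 "SSLv3 read server hello A"
[Thr 3085] SSL_get_state()==0x2120 "SSLv3 read server hello A"
[Thr 3085] => "received a fatal SSLv3 handshake failure alert message from the peer"
"""
```

A record whose `host` and `error` are `None` comes from a trace that ended before the "SSL handshake with ... failed" line, as in the second paste above.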