
Error SSSLERR_SSL_CONNECT when trying to access AWS API Gateway


Hi,

I'm trying to consume a web service hosted by AWS from ABAP. I can run it normally from my web browser, it's a public service with no authentication. However, when I try to create a connection in SM59 or even call it directly from ABAP using the class CL_HTTP_CLIENT, I get the error SSSLERR_SSL_CONNECT.

I have already added the AWS certificate to my anonymous PSE in STRUST, so I don't get the trust error anymore. However, for the error I'm getting now, I could not find any clue in the log, which I'm pasting below.

[Thr 2828] Mon Aug 22 13:57:48 2016

[Thr 2828]   SSL_get_state()==0x2120 "SSLv3 read server hello A"

[Thr 2828] *** ERROR during SecuSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 2828]    session uses PSE file "/usr/sap/XXX/DVEBMGS02/sec/SAPSSLA.pse"

[Thr 2828] SecuSSL_SessionStart: SSL_connect() failed  (536875072/0x20001040)

[Thr 2828]    => "received a fatal SSLv3 handshake failure alert message from the peer"

[Thr 2828] >> ---------- Begin of Secu-SSL Errorstack ---------- >>

[Thr 2828] 0x20001040 | SAPCRYPTOLIB | SSL_connect

[Thr 2828] SSL API error

[Thr 2828] received a fatal SSLv3 handshake failure alert message from the peer

[Thr 2828] 0xa0600266 | SSL | ssl3_connect

[Thr 2828] received a fatal SSLv3 handshake failure alert message from the peer

[Thr 2828] 0xa0600266 | SSL | ssl3_read_bytes

[Thr 2828] received a fatal SSLv3 handshake failure alert message from the peer

[Thr 2828] << ---------- End of Secu-SSL Errorstack ----------

[Thr 2828]   No certificate request received from Server

[Thr 2828]   SSL NI-hdl 112: local=xxx.xxx.xxx.xxx:xxx  peer=xxx.xxx.xxx.xxx:443

[Thr 2828] <<- ERROR: SapSSLSessionStart(sssl_hdl=111d9d550)==SSSLERR_SSL_CONNECT

[Thr 2828] *** ERROR => SSL handshake with xxxxxxxxxx.execute-api.us-east-1.amazonaws.com:443 failed: SSSLERR_SSL_CONNECT (-57)

[Thr 2828] SAPCRYPTO:SSL_connect() failed

[Thr 2828]

[Thr 2828] SapSSLSessionStart()==SSSLERR_SSL_CONNECT

[Thr 2828]   SSL:SSL_connect() failed  (536875072/0x20001040)

[Thr 2828]   => "received a fatal SSLv3 handshake failure alert message from the peer"

[Thr 2828] >> ---- SecuSSL ErrStack: ----

[Thr 2828] 0x20001040 | SAPCRYPTOLIB | SSL_connect

[Thr 2828] SSL API error

[Thr 2828] received a fatal SSLv3 handshake failure alert message from the peer

[Thr 2828] 0xa0600266 | SSL | ssl3_connect

[Thr 2828] received a fatal SSLv3 handshake failure alert message from the peer

[Thr 2828] 0xa0600266 | SSL | ssl3_read_bytes

[Thr 2828] received a fatal SSLv3 handshake failure alert message from the peer

[Thr 2828] << ---------------------------

[Thr 2828]   SSL:SSL_get_state()==0x2120 "SSLv3 read server hello A"

[Thr 2828]   SSL NI-hdl 112: local=xxx.xxx.xxx.xxx:xxx  peer=xxx.xxx.xxx.xxx:443

[Thr 2828]   cli SSL session PSE "/usr/sap/XXX/DVEBMGS02/sec/SAPSSLA.pse"

[Thr 2828]   Target Hostname="xxxxxxxxxx.execute-api.us-east-1.amazonaws.com"

[Thr 2828]

[Thr 2828]  {00047d02} [icxxconn.c 2198]

[Thr 2828] IcmConnConnect: Connect failed for session GUI T6_U6848_M0, 300, XXXXXX, XXXXXXXXXXXXXX, time=13:57:48, W5, program=RSHTT

Regards,

Fabio

Accepted Solutions (0)

Answers (1)


isaias_freitas
Advisor

Hello Fabio,

I am not sure, but it seems that the issue is related to the SSL ciphers that the server has versus the ones that SAP (as client) is configured to use.

Regards,

Isaías


Hi Isaías,

Based on your answer, I did some research on the ciphers topic. I ended up changing the parameter ssl/client_ciphersuites to 982:HIGH:MEDIUM:+e3DES in order to ensure that all possible SSL protocols (TLS v1.2, v1.1, v1.0 and SSLv3) are active on the client side.

However, the error persists.

Best regards,

Fábio

Former Member

Hello Fabio,

A couple of things:

1. What version is your cryptolib?

2. Please try with 914.

3. Did you restart the ICM after you made the parameter changes?

KR,

Amerjit


Hi Amerjit,

Cryptolib version is "CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.49".

I restarted the application server after changing the parameter.

Best regards,

Fábio

Former Member

Hi Fabio,

As you're connecting to Amazon, let's just stick with TLS.

Reference: 510007 - Setting up SSL on AS ABAP

Following section 7, please try the following value: 790 (512+256+16+4+2) and restart.

Just as a side note, could you also confirm your kernel version and patch level?

KR,

Amerjit


Hi Amerjit,

No good with both 914 and 790.

I have set just the ssl/client_ciphersuites parameter. I have not messed with ssl/ciphersuites as I'm afraid of affecting incoming connections. Do I need to change both?

Kernel version is 742 with patch level 401.

[Thr 3856] Thu Aug 25 11:07:25 2016

[Thr 3856] =   disabled FIPS 140-2 crypto kernel

[Thr 3856] =   found CommonCryptoLib 8.4.49 (Mar  4 2016)

[Thr 3856] =   current UserID: "xxxadm",  env-var USER="xxxadm"

[Thr 3856] =   using SECUDIR=/usr/sap/XXX/DVEBMGS02/sec

[Thr 3856] = [ctc] ssl/ciphersuites="HIGH:MEDIUM:+e3DES:!aNULL"

[Thr 3856] = [dpf] ssl/client_ciphersuites="790:HIGH:MEDIUM:+e3DES"

[Thr 3856] = Success    SapCryptoLib SSL ready!

[Thr 3856] =================================================

[Thr 3856]

[Thr 3856] Started service PORT=99999,PROT=HTTPS,TIMEOUT=60,PROCTIMEOUT=300,VCLIENT=1

[Thr 3856] SSL settings: verify_client: 1, cache_size: -1, cache_lifetime: -1, credfile: SAPSSLS.pse, ciphers: default

[Thr 772] HttpExtractArchive: files from archive /usr/sap/XXX/DVEBMGS02/exe/ITS.SAR in directory /usr/sap/XXX/DVEBMGS02/data/icmandi

[Thr 3856] IcmNetCheck: network check passed without detecting problems

[Thr 01] Thu Aug 25 11:07:34 2016

[Thr 01] IcmSSLPseChanged: Refresh SSL Certificates (PSE files)

[Thr 01]   Reload OK for SSL cred "/usr/sap/XXX/DVEBMGS02/sec/SAPSSLS.pse"

[Thr 01]   Reload OK for SSL cred "/usr/sap/XXX/DVEBMGS02/sec/SAPSSLC.pse"

[Thr 01]   Reload OK for SSL cred "/usr/sap/XXX/DVEBMGS02/sec/SAPSSLA.pse"

[Thr 3085] Thu Aug 25 11:10:29 2016

[Thr 3085]   SSL_get_state()==0x2120 "SSLv3 read server hello A"

[Thr 3085] *** ERROR during SecuSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 3085]    session uses PSE file "/usr/sap/XXX/DVEBMGS02/sec/SAPSSLA.pse"

[Thr 3085] SecuSSL_SessionStart: SSL_connect() failed  (536875072/0x20001040)

[Thr 3085]    => "received a fatal SSLv3 handshake failure alert message from the peer"

[Thr 3085] >>            Begin of Secu-SSL Errorstack            >>

[Thr 3085] 0x20001040   SAPCRYPTOLIB   SSL_connect

[Thr 3085] SSL API error

Best regards,

Fábio
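
Added example (not part of any post in this thread): a small Python decoder for the numeric prefix of ssl/client_ciphersuites, run against the trace line posted above and the three values tried (982, 914, 790). The flag meanings follow section 7 of SAP Note 510007 as referenced in the thread; the function names are chosen for this example.

```python
import re

# Numeric flags of ssl/client_ciphersuites as listed in section 7 of
# SAP Note 510007 (check the note for your CommonCryptoLib release).
FLAGS = {
    1: "BC", 2: "BEST", 4: "NO_GAP",
    16: "blind client certificate", 32: "strict protocol version",
    64: "SSLv3", 128: "TLSv1.0", 256: "TLSv1.1", 512: "TLSv1.2",
}
PROTOCOL_BITS = (64, 128, 256, 512)

# Line copied from the ICM trace posted in the thread.
TRACE = '[Thr 3856] = [dpf] ssl/client_ciphersuites="790:HIGH:MEDIUM:+e3DES"'

def from_trace(trace):
    """Return the effective client setting found in ICM trace text, or None."""
    m = re.search(r'ssl/client_ciphersuites="([^"]*)"', trace)
    return m.group(1) if m else None

def parse_setting(value):
    """Split '790:HIGH:MEDIUM:+e3DES' into (790, ['HIGH', 'MEDIUM', '+e3DES'])."""
    head, _, rest = value.partition(":")
    if head.isdigit():
        return int(head), [t for t in rest.split(":") if t]
    return None, [t for t in value.split(":") if t]  # no numeric prefix

def decode(number):
    """Break the numeric prefix into named flags and enabled protocol versions."""
    return {
        "flags": [FLAGS[b] for b in sorted(FLAGS) if number & b],
        "protocols": [FLAGS[b] for b in PROTOCOL_BITS if number & b],
        "unknown_bits": number & ~sum(FLAGS),  # bits not covered by FLAGS
    }

def compare(values):
    """Protocol versions that every candidate value enables."""
    sets = [set(decode(v)["protocols"]) for v in values]
    return sorted(set.intersection(*sets))

if __name__ == "__main__":
    number, tokens = parse_setting(from_trace(TRACE))
    print("effective:", number, tokens, decode(number))
    for tried in (982, 914, 790):
        print(tried, decode(tried)["protocols"])
    print("common to all three:", compare([982, 914, 790]))
```

All three values tried in the thread enable TLSv1.1 and TLSv1.2, and the trace confirms that 790 was the value in effect when the handshake failed again.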