
Problem using HTTPS

Former Member
0 Kudos

I am trying to post a message using HTTPS in XI. I have defined an RFC connection to an external HTTPS partner and when I test the connection I am getting errors (the full log from dev_icm is below). I am using client certificates and have created a PSE for it. The third party has added my certificate to their trusted store. The third party gets a message about non-matching ciphers when I try to do the test connection. Does anyone have any suggestions on things I can try to get this to work? Our SAP SSL library is at the latest level.

Regards,

Jason

[Thr 7] NiICheckPendConnection: connection of hdl 18 to 156.134.6.212:443 established

[Thr 7] NiIConnect: hdl 18 took local address 14.134.160.97:64558

[Thr 7] NiIConnect: state of hdl 18 NI_CONNECTED

[Thr 7] <<- SapSSLSessionInit()==SAP_O_K

[Thr 7] in: args = "role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT)"

[Thr 7] out: sssl_hdl = 0x600000000097b3a0

[Thr 7] NiIBlockMode: set blockmode for hdl 18 TRUE

[Thr 7] SSL NI-sock: local=14.134.160.97:64558 peer=124.148.6.212:443

[Thr 7] <<- SapSSLSetNiHdl(sssl_hdl=0x600000000097b3a0, ni_hdl=18)==SAP_O_K

[Thr 7] SapISSLComposeFilename(): Filename = "/usr/sap/XID/DVEBMGS55/sec/SAPSSLTESTCL.pse"

[Thr 7] <<- SapSSLSetSessionCredential(sssl_hdl=0x600000000097b3a0)==SAP_O_K

[Thr 7] in: cred_name = "/usr/sap/XID/DVEBMGS55/sec/SAPSSLTESTCL.pse"

[Thr 7] <<- SapSSLSetTargetHostname(sssl_hdl=0x600000000097b3a0)==SAP_O_K

[Thr 7] in: hostname = "esmart.test.com.au"

[Thr 7] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 7] session uses PSE file "/usr/sap/XID/DVEBMGS55/sec/SAPSSLTESTCL.pse"

[Thr 7] SecudeSSL_SessionStart: SSL_connect() failed --

secude_error 536875072 (0x20001040) = "received a fatal SSLv3 handshake failure alert message from the peer"

[Thr 7] >> - Begin of Secude-SSL Errorstack - >>

[Thr 7] WARNING in ssl3_read_bytes: (536875072/0x20001040) received a fatal SSLv3 handshake failure alert message from the peer

[Thr 7] << - End of Secude-SSL Errorstack -

[Thr 7] SSL_get_state() returned 0x00002120 "SSLv3 read server hello A"

[Thr 7] No certificate request received from Server

[Thr 7] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x600000000097b3a0)==SSSLERR_SSL_CONNECT

[Thr 7] <<- SapSSLErrorName()==SSSLERR_SSL_CONNECT

[Thr 7] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt.c 2012]

[Thr 7] <<- SapSSLSessionDone(sssl_hdl=0x600000000097b3a0)==SAP_O_K

[Thr 7] IcmConnConnect(id=1/20625): free MPI request blocks

[Thr 7] MPI<55b>2#7 GetInbuf -1 1a6ca0 306 (1) -> 6

[Thr 7] MPI<55a>3#4 GetOutbuf -1 1c6d20 65536 (0) -> 0xc0000001ac1c6d40 0

[Thr 7] NiIGetServNo: servicename '8055' = port 1F.77/8055

[Thr 7] MPI<55a>3#5 FlushOutbuf l-1 1 1 1c6d20 2168 6 -> 0xc0000001ac1c6d20 0

[Thr 7] NiICloseHandle: shutdown and close hdl 18 / sock 30

[Thr 7] IcmConnFreeContext: context 1 released

[Thr 7] IcmServDecrRefCount: xidsapci.test.local:8056 - serv_ref_count: 1

[Thr 7] IcmWorkerThread: Thread 3: Waiting for event

4 REPLIES

Former Member
0 Kudos

Hello Jason,

I believe the possible issue could be due to incorrect values for the following profile parameter:

snc/permit_insecure_start

If SNC is activated (parameter snc/enable = 1), by default the gateway does not start any programs that communicate without SNC.

This is allowed with snc/permit_insecure_start.

Please check the instance profile parameter for the same.

Cheers

Former Member
0 Kudos

Hello Jason,

I could still see this question is not answered. Do you still have the issue?

Cheers,

Satish.

0 Kudos

Still not resolved. I had a play around with the parameters you suggested, but it made no difference. I also had a play around with different options in the ssf/ssf_* parameters and that didn't get it to work either.

Regards,

Jason

Former Member
0 Kudos

The error trace indicates that the requested encryption cipher is not supported by the server, so the server closes the connection. Find out what ciphers your server requires and see if there is a matching cipher on the SAP system.

This is likely to be a server-side configuration issue rather than an SAP configuration issue. Some admins restrict ciphers and TLS protocols (TLS, SSLv2, SSLv3) to lock down their servers.
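
An added example, not part of any post in this thread: a small Python parser for the dev_icm lines quoted in the question. It shows how the recorded SSL state and the missing certificate request place the failure before the client certificate in the PSE is ever used. The function names and the classification messages are assumptions made for this illustration.

```python
import re

# Excerpt of the dev_icm trace from the question (lines copied from the thread).
TRACE = '''\
[Thr 7] in: args = "role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT)"
[Thr 7] in: cred_name = "/usr/sap/XID/DVEBMGS55/sec/SAPSSLTESTCL.pse"
[Thr 7] in: hostname = "esmart.test.com.au"
[Thr 7] WARNING in ssl3_read_bytes: (536875072/0x20001040) received a fatal SSLv3 handshake failure alert message from the peer
[Thr 7] SSL_get_state() returned 0x00002120 "SSLv3 read server hello A"
[Thr 7] No certificate request received from Server
[Thr 7] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt.c 2012]
'''

PATTERNS = {
    "hostname": re.compile(r'in: hostname = "([^"]+)"'),
    "pse": re.compile(r'in: cred_name = "([^"]+)"'),
    "alert": re.compile(r'received a fatal (\S+) (.+?) alert message from the peer'),
    "state": re.compile(r'SSL_get_state\(\) returned \S+ "([^"]+)"'),
    "error": re.compile(r'SapSSLSessionStart failed \((-?\d+)\): (\w+)'),
}

def summarize(trace):
    """Collect the handshake facts an ICM client-side SSL trace records."""
    facts = {"no_cert_request": False}
    for line in trace.splitlines():
        if "No certificate request received" in line:
            facts["no_cert_request"] = True
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                facts[key] = m.groups() if len(m.groups()) > 1 else m.group(1)
    return facts

def diagnose(facts):
    """Heuristic: classify where the handshake died from state and alert."""
    if "alert" not in facts:
        return "no fatal alert in trace"
    waiting_for_hello = "read server hello" in facts.get("state", "")
    if waiting_for_hello and facts["no_cert_request"]:
        # The peer answered the ClientHello with a fatal alert: no ServerHello
        # and no CertificateRequest arrived, so the client certificate in the
        # PSE was never sent or evaluated.
        return "rejected at ClientHello: compare protocol versions and cipher suites"
    return "failed later in the handshake: inspect certificate and trust-store lines"

if __name__ == "__main__":
    f = summarize(TRACE)
    print(f["hostname"], f["alert"], "->", diagnose(f))
```
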