08-06-2008 1:18 AM
I am trying to post a message using HTTPS in XI. I have defined an RFC connection to an external HTTPS partner and when I test the connection I am getting errors (the full log from dev_icm is below). I am using client certificates and have created a PSE for it. The third party has added my certificate to their trusted store. The third party gets a message about non-matching ciphers when I try to do the test connection. Does anyone have any suggestions on things I can try to get this to work? Our SAP SSL library is at the latest level.
Regards,
Jason
[Thr 7] NiICheckPendConnection: connection of hdl 18 to 156.134.6.212:443 established
[Thr 7] NiIConnect: hdl 18 took local address 14.134.160.97:64558
[Thr 7] NiIConnect: state of hdl 18 NI_CONNECTED
[Thr 7] <<- SapSSLSessionInit()==SAP_O_K
[Thr 7] in: args = "role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT)"
[Thr 7] out: sssl_hdl = 0x600000000097b3a0
[Thr 7] NiIBlockMode: set blockmode for hdl 18 TRUE
[Thr 7] SSL NI-sock: local=14.134.160.97:64558 peer=124.148.6.212:443
[Thr 7] <<- SapSSLSetNiHdl(sssl_hdl=0x600000000097b3a0, ni_hdl=18)==SAP_O_K
[Thr 7] SapISSLComposeFilename(): Filename = "/usr/sap/XID/DVEBMGS55/sec/SAPSSLTESTCL.pse"
[Thr 7] <<- SapSSLSetSessionCredential(sssl_hdl=0x600000000097b3a0)==SAP_O_K
[Thr 7] in: cred_name = "/usr/sap/XID/DVEBMGS55/sec/SAPSSLTESTCL.pse"
[Thr 7] <<- SapSSLSetTargetHostname(sssl_hdl=0x600000000097b3a0)==SAP_O_K
[Thr 7] in: hostname = "esmart.test.com.au"
[Thr 7] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 7] session uses PSE file "/usr/sap/XID/DVEBMGS55/sec/SAPSSLTESTCL.pse"
[Thr 7] SecudeSSL_SessionStart: SSL_connect() failed --
secude_error 536875072 (0x20001040) = "received a fatal SSLv3 handshake failure alert message from the peer"
[Thr 7] >> - Begin of Secude-SSL Errorstack - >>
[Thr 7] WARNING in ssl3_read_bytes: (536875072/0x20001040) received a fatal SSLv3 handshake failure alert message from the peer
[Thr 7] << - End of Secude-SSL Errorstack -
[Thr 7] SSL_get_state() returned 0x00002120 "SSLv3 read server hello A"
[Thr 7] No certificate request received from Server
[Thr 7] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x600000000097b3a0)==SSSLERR_SSL_CONNECT
[Thr 7] <<- SapSSLErrorName()==SSSLERR_SSL_CONNECT
[Thr 7] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt.c 2012]
[Thr 7] <<- SapSSLSessionDone(sssl_hdl=0x600000000097b3a0)==SAP_O_K
[Thr 7] IcmConnConnect(id=1/20625): free MPI request blocks
[Thr 7] MPI<55b>2#7 GetInbuf -1 1a6ca0 306 (1) -> 6
[Thr 7] MPI<55a>3#4 GetOutbuf -1 1c6d20 65536 (0) -> 0xc0000001ac1c6d40 0
[Thr 7] NiIGetServNo: servicename '8055' = port 1F.77/8055
[Thr 7] MPI<55a>3#5 FlushOutbuf l-1 1 1 1c6d20 2168 6 -> 0xc0000001ac1c6d20 0
[Thr 7] NiICloseHandle: shutdown and close hdl 18 / sock 30
[Thr 7] IcmConnFreeContext: context 1 released
[Thr 7] IcmServDecrRefCount: xidsapci.test.local:8056 - serv_ref_count: 1
[Thr 7] IcmWorkerThread: Thread 3: Waiting for event
08-06-2008 3:11 PM
Hello Jason,
I believe the possible issue could be due to incorrect values for the following profile parameter:
snc/permit_insecure_start
If SNC is activated (parameter snc/enable = 1), by default the gateway does not start any programs that communicate without SNC.
This is allowed with snc/permit_insecure_start.
Please check the instance profile parameter for the same.
Cheers
08-07-2008 2:35 PM
Hello Jason,
I could still see this question is not answered. Do you still have the issue?
Cheers,
Satish.
08-07-2008 10:06 PM
Still not resolved. I had a play around with the parameters you suggested, but it made no difference. I also had a play around with different options in the ssf/ssf_* parameters and that didn't get it to work either.
Regards,
Jason
08-08-2008 8:56 AM
The error trace indicates that the requested encryption cipher is not supported by the server so the server closes the connection. Find out what ciphers your server requires and see if there is a matching cipher on the SAP system.
This is likely to be a server side configuration issue rather than a SAP configuration issue. Some admins restrict ciphers and TLS protocols (TLS, SSLv2, SSLv3) to lock down their servers.
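The reading of the trace given in the reply above can be automated. The following is an added example, not part of the thread and not SAP code: it parses a dev_icm excerpt and reports whether the handshake died during negotiation or after it. The function names and the classification labels are hypothetical; the trace line formats are assumed to match those in the first post.

```python
import re

# Excerpt of the dev_icm trace from the first post, embedded so this runs offline.
SAMPLE_TRACE = """\
[Thr 7] in: hostname = "esmart.test.com.au"
[Thr 7] session uses PSE file "/usr/sap/XID/DVEBMGS55/sec/SAPSSLTESTCL.pse"
[Thr 7] SecudeSSL_SessionStart: SSL_connect() failed --
secude_error 536875072 (0x20001040) = "received a fatal SSLv3 handshake failure alert message from the peer"
[Thr 7] SSL_get_state() returned 0x00002120 "SSLv3 read server hello A"
[Thr 7] No certificate request received from Server
[Thr 7] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x600000000097b3a0)==SSSLERR_SSL_CONNECT
"""

# One capture group per field; the field names are this example's own (hypothetical).
PATTERNS = {
    "hostname": re.compile(r'in: hostname = "([^"]+)"'),
    "pse": re.compile(r'session uses PSE file "([^"]+)"'),
    "alert": re.compile(r'secude_error \d+ \(0x[0-9a-fA-F]+\) = "([^"]+)"'),
    "state": re.compile(r'SSL_get_state\(\) returned 0x[0-9a-fA-F]+ "([^"]+)"'),
}
# States in which no ServerHello has been processed yet.
EARLY_STATES = ("client hello", "server hello")

def parse_trace(text):
    """Pull the handshake facts out of a dev_icm excerpt."""
    facts = {}
    for key, rx in PATTERNS.items():
        m = rx.search(text)
        facts[key] = m.group(1) if m else None
    # True when the trace says the server never sent a CertificateRequest.
    facts["no_cert_request"] = "No certificate request received from Server" in text
    return facts

def diagnose(facts):
    """Classify where the handshake died from the state reported at failure."""
    if not facts["alert"] or not facts["state"]:
        return "unknown"
    if any(s in facts["state"].lower() for s in EARLY_STATES):
        # The peer rejected the ClientHello: protocol version or cipher suites
        # did not match, and the client certificate was never asked for.
        return "negotiation"
    # Assumption: any other reported state is a later one, so a ServerHello
    # arrived and the cause lies after negotiation (e.g. certificate checks).
    return "post-negotiation"

if __name__ == "__main__":
    facts = parse_trace(SAMPLE_TRACE)
    print(facts["hostname"], facts["state"], "->", diagnose(facts))
```

For the posted trace the result is "negotiation", which matches the partner's report of non-matching ciphers and shows the client certificate in the PSE had not yet come into play.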