Application Development Discussions

SSL handshake failure

Former Member

Hi,

I have to establish the connection from SAP WebAS to an Apache server via HTTPS. The Apache authentication is based on client certificates. But I'm still unable to establish a connection. Everything runs fine via HTTPS if client certificate authentication is disabled on Apache (anonymous access). But as soon as client authentication is enabled, the icm log displays the following failure:


[Thr 1800] *** ERROR during SecudeSSL_Read() from SSL_read()==SSL_ERROR_SSL                                                     
[Thr 1800]    session uses PSE file "/usr/sap/E3T/DVEBMGS00/sec/SAPSSLC.pse";;                                                    
[Thr 1800] SecudeSSL_Read: SSL_read() failed --                                                                                
secude_error 536872195 (0x20000503) = "handshake failure"                                                                     
[Thr 1800] >> ---------- Begin of Secude-SSL Errorstack ---------- >>                                                           
[Thr 1800] ERROR in ssl3_read_bytes: (536872195/0x20000503) handshake failure                                                   
WARNING in ssl3_read_bytes: (536875072/0x20001040) received a fatal SSLv3 handshake failure alert message from the peer         
[Thr 1800] << ---------- End of Secude-SSL Errorstack ----------                                                                
[Thr 1800] <<- ERROR: SapSSLRead(sssl_hdl=0x115f8a310)==SSSLERR_SSL_READ                                                        
[Thr 1800] ->> SapSSLErrorName(rc=-58)                                                                                
[Thr 1800] <<- SapSSLErrorName()==SSSLERR_SSL_READ                                                                              
[Thr 1800] *** ERROR => IcmReadFromConn(id=3/1967): SapSSLRead returned (-58): SSSLERR_SSL_READ [icxxthrio_mt 2539]             
[Thr 1800] *** ERROR => IcmReadFromConn(id=3/1967): read failed (rc = -1) [icxxthrio_mt 2611]                                   
[Thr 1800] *** ERROR => IcmHandleNetRead(id=3/1967): IcmReadFromConn failed (rc = -1) [icxxthrio_mt 1304]   

In the Apache logs, it seems that SAP is not sending a client certificate. So Apache closes the connection. Do you have an idea how I can make SAP WebAS send the certificate ?

Thanks in advance

Christian

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi,

I've checked the certificates together with our Apache expert:

1. the "issuer" of the SSL client certificate in SAPSSLC.pse is a self-signed class 3 certificate.

I was told that the only difference between class 1 and class 3 is that class 1 certificates are older and less secure.

2. the "issuer" certificate is in the list of trusted CA at the ssl server side

3. the "issuer" of the ssl server certificate is the ca of TrustCenter

4. the "issuer" certificate of the ssl server is present in the certificate list of the ssl client

As I mentioned before, the SSL connection is first established without client certificate authorization (e.g. for the index page). Up to this step everything works fine. SAP WebAS then has to access a directory which requires client certificate authorization. Apache sends a renegotiation request to SAP WebAS to get the client certificate, but SAP WebAS doesn't seem to respond to this request. The client certificate isn't sent, so Apache closes the connection.

Is it possible that SAP WebAS only sends the certificate if the connection is secured by client certificate authorization right from the beginning?

Best regards,

Christian

13 REPLIES

Former Member
0 Kudos

Hi,

I guess you are using an HTTP connection from SM59?

If yes, you have to create an entry in STRUST for "SSL Client (Standard)". You have to get this certificate signed by a Certification Authority (CA).

Then in SM59 on the "Logon&Security" Tab, You select "No Logon", "SSL" active and you choose

"SSL Client (Standard)" for SSL Client Certificate.

That's the ABAP ICM part. You have, of course, to configure Apache to accept this client certificate.

Hope this helps.

Olivier

Former Member
0 Kudos

Hi Oliver,

thanks for your advice. I've checked the settings. But could not find any errors.

In STRUST a certificate is present in the standard SSL client PSE and signed. In SM59 SSL is active and uses the standard SSL client PSE.

I also checked the Apache logs.

Apache sent a re-negotiation Request to SAP WebAS after a ssl connection without client certificate authorisation was established. After that Apache waited for the client certificate. But SAP WebAS didn't deliver it. So Apache closed the connection.

0 Kudos

Hi Christian,

Your configuration seems fine.

Did you increase the trace levels both for Apache and for the ICM?

What is strange is that you should see the Apache certificate request in the ICM log.

Regards,

Olivier

Former Member
0 Kudos

You are sure you created the SSL Client PSE? Because the third line in your log says that no PSE could be found?

0 Kudos

Hi,

>Because the third line in your log says that no PSE could be found?

I'm not sure of that.

Here is an extract of the log of an ICM starting without a client certificate in STRUST

[Thr 4392] = secudessl_Create_SSL_CTX(): PSE "D:\usr\sap\PPI\DVEBMGS74\sec\SAPSSLC.pse" not found,
[Thr 4392] = using PSE "D:\usr\sap\PPI\DVEBMGS74\sec\SAPSSLS.pse" as fallback
[Thr 4392] ******** Warning ********
[Thr 4392] *** No SSL-client PSE "SAPSSLC.pse" available
[Thr 4392] *** this will probably limit SSL-client side connectivity
[Thr 4392] ********
[Thr 4392] = Success SapCryptoLib SSL ready!

Here is an extract of the log of an ICM starting with a client certificate in STRUST.

[Thr 9208] =================================================
[Thr 9208] = SSL Initialization on PC with Windows NT
[Thr 9208] = (700_REL,Mar 19 2007,mt,ascii,SAP_UC/size_t/void* = 16/64/64)
[Thr 9208] SapISSLComposeFilename(): profile param "ssl/ssl_lib" = "I:\usr\sap\DXI\DVEBMGS68\exe\sapcrypto.dll"
           resulting Filename = "I:\usr\sap\DXI\DVEBMGS68\exe\sapcrypto.dll"
[Thr 9208] = found SAPCRYPTOLIB 5.5.5C pl17 (Aug 18 2005) MT-safe
[Thr 9208] = current UserID: BT0D0000\SAPServiceDXI
[Thr 9208] = found SECUDIR environment variable
[Thr 9208] = using SECUDIR=I:\usr\sap\DXI\DVEBMGS68\sec
[Thr 9208] = Success SapCryptoLib SSL ready!
[Thr 9208] =================================================

Christian,

Could you restart the ICM and check the trace file to find out if you get the message about a missing SAPSSLC.pse ?

Regards,

Olivier


Former Member
0 Kudos

A screenshot of STRUST might help as well. We can then also see if the SAP Crypto Lib has been installed correctly.

0 Kudos

Hi Christian,

In the Apache logs, it seems that SAP is not sending a client certificate.

In an SSL handshake, the client sends its certificate only if it's trusted by the server.

session uses PSE file "/usr/sap/E3T/DVEBMGS00/sec/SAPSSLC.pse";;

Please call transaction STRUST and check, if the own certificate of the PSE "SSL Client (Default)" is issued from a trusted CA (doubleclick certificate name). If this is not the case, you need to request a certificate from a trusted CA, see [Creating the Standard SSL Client PSE|http://help.sap.com/saphelp_nw70/helpdata/EN/e1/b6b13bd0ac933ae10000000a11402f/frameset.htm].

Best regards,

Klaus

Former Member
0 Kudos

Hi,

thanks for your advice. I restarted the ICM and here is the trace:



[Thr 3599] =================================================
[Thr 3599] = SSL Initialization  on  IBM RS/6000 with AIX
[Thr 3599] =   (700_REL,Sep 14 2007,mt,ascii-uc,SAP_UC/size_t/void* = 16/64/64)
[Thr 3599]   profile param "ssl/ssl_lib" = "/usr/sap/E3T/SYS/exe/run/libsapcrypto.o";
           resulting Filename = "/usr/sap/E3T/SYS/exe/run/libsapcrypto.o";
[Thr 3599] =   found SAPCRYPTOLIB  5.5.5C pl21  (May  7 2007) MT-safe
[Thr 3599] =   current UserID: "e3tadm",  env-var USER="e3tadm"
[Thr 3599] =   found SECUDIR environment variable
[Thr 3599] =   using SECUDIR=/usr/sap/E3T/DVEBMGS00/sec
[Thr 3599] = Success    SapCryptoLib SSL ready!
[Thr 3599] =================================================

It looks like the client certificate is present.

After I have created the PSE the certificate request was signed by an own CA certificate. Before I was able to import the certificate response I had to import the CA certificate into the sap database.

After that I imported the server certificate and the root certificate of the server into the certificate list of the default ssl client.

Is there anything else I have to do?

Regards,

Christian

Former Member
0 Kudos

Make sure that the client certificate and server certificate are ultimately signed by the same CA (although different sub CA's in between don't hurt).

WolfgangJanzen
Product and Topic Expert
0 Kudos

> Make sure that the client certificate and server certificate are ultimately signed by the same CA (although different sub CA's in between don't hurt).

That's too strict - and actually not required.

But please check:

1. who is the "issuer" of the SSL client certificate (SAPSSLC.pse) - is it a CA or a self-signed certificate?!

(notice: if it is a self-signed class 3 certificate, it will not work)

2. is the "issuer" certificate (see point 1) contained in the list of "trusted CAs" at the SSL server side?

3. who is the "issuer" of the SSL server certificate - is it a CA or a self-signed certificate?

4. is the "issuer" certificate (see point 3) present in the "certificate list" of the SSL client certificate PSE (SAPSSLC.pse)?

(this seems to be the case, otherwise the WebAS (acting as SSL client) would have terminated the SSL connection).

Former Member
0 Kudos

Hi,

I've checked the certificates together with our Apache expert:

1. the "issuer" of the SSL client certificate in SAPSSLC.pse is a self-signed class 3 certificate.

I was told that the only difference between class 1 and class 3 is that class 1 certificates are older and less secure.

2. the "issuer" certificate is in the list of trusted CA at the ssl server side

3. the "issuer" of the ssl server certificate is the ca of TrustCenter

4. the "issuer" certificate of the ssl server is present in the certificate list of the ssl client

As I mentioned before, the SSL connection is first established without client certificate authorization (e.g. for the index page). Up to this step everything works fine. SAP WebAS then has to access a directory which requires client certificate authorization. Apache sends a renegotiation request to SAP WebAS to get the client certificate, but SAP WebAS doesn't seem to respond to this request. The client certificate isn't sent, so Apache closes the connection.

Is it possible that SAP WebAS only sends the certificate if the connection is secured by client certificate authorization right from the beginning?

Best regards,

Christian
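Added example (not from the thread, not SAP's or Apache's own documentation): the Apache mod_ssl layout Christian describes, where client verification is demanded only for one directory, and the alternative of demanding it for the whole virtual host. With the directive inside a Location or Directory block, mod_ssl completes an anonymous handshake first and renegotiates when that path is requested; at vhost level the CertificateRequest goes out in the initial handshake. File paths, the server name and the `/secure` path are placeholders. Whatever the placement, the file given to `SSLCACertificateFile` determines which issuer DNs are advertised to the client, which is the point Wolfgang's reply turns on.

```apache
# Hypothetical vhost, added example; paths, names and /secure are assumptions.
<VirtualHost *:443>
    ServerName apache.example
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Issuer(s) of acceptable client certificates. Their subject DNs are what
    # mod_ssl advertises in the CertificateRequest, so the entries must be real
    # CA certificates (Basic Constraints CA:TRUE), not a leaf self-signed cert.
    SSLCACertificateFile  /etc/apache2/ssl/client-ca.crt
    SSLVerifyDepth        2

    # Variant A (the situation in the thread): anonymous initial handshake,
    # renegotiation with a client-certificate request only for /secure.
    <Location /secure>
        SSLVerifyClient require
    </Location>

    # Variant B: request the client certificate in the initial handshake for
    # every request to this vhost. Comment out the Location block above and
    # enable the next line to test whether the client behaves differently.
    # SSLVerifyClient require
</VirtualHost>
```

After changing the CA file or the placement, restart Apache and raise `LogLevel` for mod_ssl to see whether the CertificateRequest carries any CA names at all; an empty list is the symptom Wolfgang's reply explains.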

WolfgangJanzen
Product and Topic Expert

> 1. the "issuer" of the SSL client certificate in SAPSSLC.pse is a self-signed class 3 certificate.
>
> I was told that the only difference between class 1 and class 3 is that class 1 certificates are older and less secure.

Well, that's true - they are older and less secure: they lack the attribute "Basic Constraints" - there you can specify whether a self-signed certificate is a "CA" (root) certificate or not.

Since class 1 certificates do not allow to differentiate between them, the SSL peer needs to be more tolerant. However, class 3 certificates allow the SSL peer to determine whether that's a CA (root) certificate or not. Ordinary class 3 self-signed certificates will be rejected - you cannot add them to the "trusted CA" certificate list (respectively: you can - but they will be ignored at runtime).

And since the SSL server (Apache) is not accepting such self-signed class 3 certificate (without the "is allowed to act as CA" attribute) he will not inform the SSL client (WebAS) in the SSL handshake that he is accepting client certificates which are issued by that (non-)CA. Consequently, the SSL client (WebAS) will not find any matching X.509 client certificates and therefore not send them.

That's no bug but conforms with the SSL specification.

-> solution: either use self-signed class 1 client certificates (which is not the best idea) or apply for a proper CA certificate (STRUST: create a certificate request, send it to a CA and import the certificate response in STRUST; finally restart ICMan).
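Added example (not from the thread, not SAP's or Apache's code): a small model of the handshake step Wolfgang describes. The server builds the `certificate_authorities` list of its CertificateRequest from the trusted-CA list, leaving out entries whose Basic Constraints say they are not a CA; the client then sends its certificate only if that certificate's issuer appears in the list. Wire layout follows the TLS 1.0 CertificateRequest body (RFC 2246, section 7.4.4). Everything else is a simplification of this example: certificates are plain records (subject, issuer, cA flag), DNs are carried as UTF-8 text instead of DER-encoded Names, and the "class 1" case is modelled as a missing Basic Constraints extension that the server tolerates, as the reply above states.

```python
"""Added example: why a TLS client sends no certificate when the server's
CertificateRequest names no acceptable issuer.

Assumptions of this example (not from the thread):
  * certificates are plain records (subject, issuer, Basic Constraints cA flag);
  * a DistinguishedName is carried as UTF-8 text rather than a DER-encoded Name;
  * wire layout follows the TLS 1.0 CertificateRequest (RFC 2246, 7.4.4):
        struct {
            ClientCertificateType certificate_types<1..2^8-1>;
            DistinguishedName      certificate_authorities<3..2^16-1>;
        } CertificateRequest;
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

RSA_SIGN = 1  # ClientCertificateType.rsa_sign


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    # Basic Constraints cA flag: True / False, or None when the extension is
    # absent (the "class 1" case in the thread, which a peer has to tolerate).
    ca: Optional[bool]


def acceptable_issuers(trusted: List[Cert]) -> List[str]:
    """Server side: subject DNs advertised in certificate_authorities.

    An entry whose Basic Constraints explicitly says cA=FALSE cannot have
    issued anything and is left out; an entry without the extension is kept."""
    return [c.subject for c in trusted if c.ca is not False]


def build_certificate_request(trusted: List[Cert]) -> bytes:
    """Encode a CertificateRequest body offering rsa_sign plus the CA list."""
    body = struct.pack("!BB", 1, RSA_SIGN)  # one certificate type
    dns = b"".join(
        struct.pack("!H", len(dn.encode())) + dn.encode()
        for dn in acceptable_issuers(trusted)
    )
    return body + struct.pack("!H", len(dns)) + dns  # 2-byte vector length


def parse_certificate_request(body: bytes) -> Tuple[List[int], List[str]]:
    """Decode a body back into (certificate_types, certificate_authorities)."""
    n_types = body[0]
    types = list(body[1:1 + n_types])
    pos = 1 + n_types
    (vec_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    end = pos + vec_len
    dns = []
    while pos < end:
        (dn_len,) = struct.unpack_from("!H", body, pos)
        pos += 2
        dns.append(body[pos:pos + dn_len].decode())
        pos += dn_len
    return types, dns


def select_client_cert(pse: List[Cert], types: List[int], dns: List[str]) -> Optional[Cert]:
    """Client side: offer the PSE certificate only if its issuer is listed.

    Returning None is the point at which the WebAS in the thread "finds no
    matching X.509 client certificate" and sends an empty Certificate message."""
    if RSA_SIGN not in types:
        return None
    return next((c for c in pse if c.issuer in dns), None)


def handshake(server_trusted: List[Cert], client_pse: List[Cert]) -> Optional[Cert]:
    """Run the CertificateRequest step end to end; returns the cert sent, if any."""
    types, dns = parse_certificate_request(build_certificate_request(server_trusted))
    return select_client_cert(client_pse, types, dns)


# Constructed certificates for the three situations discussed in the thread.
CORP_CA = Cert("CN=Corp CA", "CN=Corp CA", ca=True)                       # proper CA root
CLIENT_BY_CA = Cert("CN=webas.example", "CN=Corp CA", ca=False)           # issued by it
SELF_SIGNED_V3 = Cert("CN=webas.example", "CN=webas.example", ca=False)   # "class 3", not a CA
SELF_SIGNED_V1 = Cert("CN=webas.example", "CN=webas.example", ca=None)    # "class 1", no extension

if __name__ == "__main__":
    print("CA-issued:      ", handshake([CORP_CA], [CLIENT_BY_CA]))
    print("self-signed v3: ", handshake([SELF_SIGNED_V3], [SELF_SIGNED_V3]))
    print("self-signed v1: ", handshake([SELF_SIGNED_V1], [SELF_SIGNED_V1]))
```

The second case reproduces the thread: the self-signed certificate is in the server's trusted list, yet the encoded request carries an empty `certificate_authorities` vector, so the client has nothing to match against and sends no certificate. Only a certificate chained to an issuer the server advertises (first case) gets sent.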

Former Member
0 Kudos

Dear all.

We have discovered two other reasons for the error message:

"No certificate request received from Server".

1. The Apache server has used DSA encrypted keys, not RSA.

2. The Apache server has used RSA encrypted keys, but only 512 bits in length.

SAP as an SSL client requires RSA 1024 bit encrypted keys on the target server.

Regards

Karel