SSL handshake with Equifax connection

Former Member
0 Kudos

Experts!

My versions:

SAP CRM 7.0 EHP3 SP05

KERNEL 741_REL v46

OS: AIX 6.1

DB: Oracle 11.2.0.3.0

CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.30 pl40 (Sep 25 2014) MT-safe

My issue:

We have a Connection type "G" in SM59 HTTP Connection to External Serv.

We use this connection to contact EQUIFAX to check all customers for credit worthiness.

The connection has not been touched in a very long time. But today we started getting errors.

Here are the details of the RFC.

As you can see, type G calling a 443 URL

We have a defined ID/pass.

Plus we use anonymous SSL for authentication.

STRUSTSSO2 shows the details of that

We have a THAWTE cert

Like I said, this was working, but not anymore. We get:

SSL handshake with transport5.ec.equifax.com:443 f

I bumped up the full ICM trace.  See attached TEXT file, but the important stuff is directly below:

[Thr 11309] IcmConnConnect: context 1 assigned to tid: 12, uid: 77, mode: 0

[Thr 11309]     keep_alive_timeout: 10, proc_timeout: 0, wp_timeout: 500

[Thr 11309] IcmGetServicePtr: MYFQDNHOST:8010, bind_to_host(0) - new serv_ref_count: 1

[Thr 11309] IcmIConnConnect: direct connect to transport5.ec.equifax.com:443

[Thr 11309] NiHLGetNodeAddr: found hostname 'transport5.ec.equifax.com' in cache

[Thr 11309] NiIGetNodeAddr: hostname 'transport5.ec.equifax.com' = addr 216.46.96.180

[Thr 11309] NiIGetServNo: servicename '443' = port 443

[Thr 11309] NiICreateHandle: hdl 273 state NI_INITIAL_CON

[Thr 11309] NiIInitSocket: set default settings for new hdl 273/sock 53 (I4; ST)

[Thr 11309] NiIBlockMode: set blockmode for hdl 273 FALSE

[Thr 11309] NiICheckPendConnection: connection of hdl 273 to 216.46.96.180:443 established

[Thr 11309] NiIConnect: hdl 273 took local address MYHOSTIP:59320

[Thr 11309] NiIConnect: state of hdl 273 NI_CONNECTED

[Thr 11309] IcmIConnConnect: Connect to host: transport5.ec.equifax.com, service: 443, SAP_O_K(0)

[Thr 11309] <<- SapSSLSessionInit()==SAP_O_K

[Thr 11309]      in: args = "role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT)"

[Thr 11309]     out: sssl_hdl = 1137c07f0

[Thr 11309]   SSL NI-hdl 273: local=MYHOSTIP:59320  peer=216.46.96.180:443

[Thr 11309] <<- SapSSLSetNiHdl(sssl_hdl=1137c07f0, ni_hdl=273)==SAP_O_K

[Thr 11309]   SapISSLComposeFilename(): Filename = "/usr/sap/CQM/DVEBMGS00/sec/SAPSSLA.pse"

[Thr 11309] <<- SapSSLSetSessionCredential(sssl_hdl=1137c07f0)==SAP_O_K

[Thr 11309]      in: cred_name = "/usr/sap/CQM/DVEBMGS00/sec/SAPSSLA.pse"

[Thr 11309] IcmConnInitClientSSL: using pse /usr/sap/CQM/DVEBMGS00/sec/SAPSSLA.pse, show client certificate if available

[Thr 11309] <<- SapSSLSetTargetHostname(sssl_hdl=1137c07f0)==SAP_O_K

[Thr 11309]      in: hostname = "transport5.ec.equifax.com"

[Thr 11309] NiIBlockMode: set blockmode for hdl 273 TRUE

[Thr 11309] NiIBlockMode: set blockmode for hdl 273 FALSE

[Thr 11309] NiIBlockMode: set blockmode for hdl 273 TRUE

[Thr 11309] *** ERROR during SecuSSL_SessionStart() from SSL_connnect()==SSL_ERROR_CONNECTION_LOST

[Thr 11309]    session uses PSE file "/usr/sap/CQM/DVEBMGS00/sec/SAPSSLA.pse"

[Thr 11309] No LastError / ErrorStack available!

[Thr 11309]   SSL_get_state()==0x2120 "SSLv3 read server hello A"

[Thr 11309]   No certificate request received from Server

[Thr 11309] <<- ERROR: SapSSLSessionStart(sssl_hdl=1137c07f0)==SSSLERR_SSL_CONNECT

[Thr 11309] *** ERROR => SSL handshake with transport5.ec.equifax.com:443 failed: SSSLERR_SSL_CONNECT (-57)

[Thr 11309] SAPCRYPTO:SSL_connect() failed

[Thr 11309]

[Thr 11309] SapSSLSessionStart()==SSSLERR_SSL_CONNECT

[Thr 11309] SSL_connnect() failed  (0/0x00) Huh??

[Thr 11309]   SSL:SSL_get_state()==0x2120 "SSLv3 read server hello A"

[Thr 11309]   SSL NI-hdl 273: local=MYHOST-IP:59320  peer=216.46.96.180:443

[Thr 11309]   cli SSL session PSE "/usr/sap/CQM/DVEBMGS00/sec/SAPSSLA.pse"

[Thr 11309]   Target Hostname="transport5.ec.equifax.com"

So at any rate, that's what I get.  Equifax says their side hasn't changed.

I know my side hasn't changed.  I know none of my certs have expired.

I know I can directly reach https://transport5.ec.equifax.com//ists/stspost and authenticate straight from my PC or the AIX server using the user/pass they provided.  Which is also in the SM59 G RFC.

So I can't blame my firewall/network team.

I have attempted to apply the latest cryptolib after getting this error.

I was at:

CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.22 pl40 (Jul 23 2014) MT-safe

I am now at:

CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.30 pl40 (Sep 25 2014) MT-safe

Still, I'm getting the same error that I attached, and have shown above.

I've done all the easy stuff.  I've also searched all of the OSS marketplace...SCN, Google.

I just need to know...is this me or Equifax???  I've reached out to that company's tech support but they've been less than helpful.

Anything I can provide to them to prove either way would be great.

Anyone got ideas???

Thanks!!!!

NICK

Accepted Solutions (1)

Former Member
0 Kudos

The problem ended up being totally on our end!  Our Firewall team had decided to block all SSLv3 communication.  I asked them to un-do that change, and then we were working!
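
A small triage of the trace in the question, as an added example that is not part of the original thread: it pulls the handshake facts out of ICM trace lines and flags the pattern seen here, where TCP connects but the session is lost while the client is still waiting for the server hello, the kind of failure the firewall rule in the accepted answer produced. The `triage` function, its verdict labels and the regexes are assumptions built only from the trace lines quoted above.

```python
import re

# Constructed sample: a few lines copied from the ICM trace in the question.
SAMPLE_TRACE = """\
[Thr 11309] NiICheckPendConnection: connection of hdl 273 to 216.46.96.180:443 established
[Thr 11309] NiIConnect: state of hdl 273 NI_CONNECTED
[Thr 11309]      in: args = "role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT)"
[Thr 11309] *** ERROR during SecuSSL_SessionStart() from SSL_connnect()==SSL_ERROR_CONNECTION_LOST
[Thr 11309]   SSL_get_state()==0x2120 "SSLv3 read server hello A"
[Thr 11309]   No certificate request received from Server
[Thr 11309] *** ERROR => SSL handshake with transport5.ec.equifax.com:443 failed: SSSLERR_SSL_CONNECT (-57)
"""

# Hypothetical patterns, written against the wording of the lines above
# (the trace spells the call "SSL_connnect", so both spellings are accepted).
PATTERNS = {
    "tcp_peer": re.compile(r"connection of hdl \d+ to (\S+) established"),
    "ssl_error": re.compile(r"SSL_connn?ect\(\)==(\w+)"),
    "ssl_state": re.compile(r'SSL_get_state\(\)==0x[0-9a-fA-F]+ "([^"]+)"'),
    "target": re.compile(r"SSL handshake with (\S+) failed: (\w+) \((-?\d+)\)"),
}

def triage(trace):
    """Collect the handshake facts from an ICM trace and classify the failure."""
    facts = {"tcp_peer": None, "ssl_error": None, "ssl_state": None,
             "target": None, "rc": None}
    for line in trace.splitlines():
        line = re.sub(r"^\[Thr \d+\]\s*", "", line)  # drop the thread prefix
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if key == "target":
                facts["target"], facts["rc"] = m.group(1), f"{m.group(2)} ({m.group(3)})"
            else:
                facts[key] = m.group(1)
    # TCP is up, yet the session dies while the client waits for the server
    # hello: nothing answered the ClientHello, so look at devices on the path
    # (firewall, proxy, IPS) and at the peer, not at certificates or the PSE.
    waiting = bool(facts["ssl_state"]) and "read server hello" in facts["ssl_state"]
    if facts["tcp_peer"] and facts["ssl_error"] == "SSL_ERROR_CONNECTION_LOST" and waiting:
        facts["verdict"] = "dropped-before-server-hello"
    elif not facts["tcp_peer"]:
        facts["verdict"] = "tcp-not-established"
    else:
        facts["verdict"] = "other-handshake-failure"
    return facts
```
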


Answers (0)