Hi,
In SM59 I've configured an HTTPS connection to a web service with client certificate authentication.
These are some key facts:
- I created Individual SSL Client PSE
- I imported the certificate using sapgenpse import_p12 and then imported the generated PSE into STRUST.
- All root/intermediate CA certificates are stored in CA database.
- WS certificate is listed on Certificate list in STRUST
- ICM service restarted
I tested the certificate using openssl s_client and just with a browser.
This is truncated output of s_client command which shows that the SSL handshake has been completed:
SSL handshake has read 3902 bytes and written 4356 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: 32B3D5F44DAA95D2674E0D630F6292AC81600E67CCFC38952C8C861C97F29555
Session-ID-ctx:
Master-Key: 84660C1FF3CF84483E3F21B6EE48F35C42F9D61B791000D495AE99979CBD468BE8571873C8CA07488B44311007D3AAA1
Key-Arg : None
Start Time: 1392321170
Timeout : 300 (sec)
Verify return code: 0 (ok)
... but when I run the connection test in SM59 I get this (dev_icm):
[Thr 140413440345856] Thu Feb 13 20:25:22 2014
[Thr 140413440345856] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 140413440345856] session uses PSE file "/usr/sap/P60/DVEBMGS60/sec/SAPSSLPKO2.pse"
[Thr 140413440345856] SecudeSSL_SessionStart: SSL_connect() failed --
[Thr 140413440345856] secude_error 536875072 (0x20001040) = "received a fatal SSLv3 handshake failure alert message from the peer"
[Thr 140413440345856] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
[Thr 140413440345856] WARNING in ssl3_read_bytes: (536875072/0x20001040) received a fatal SSLv3 handshake failure alert message from the peer
[Thr 140413440345856] WARNING in ssl3_get_certificate_request: (536871681/0x20000301) CertRequest with empty certificate_autorities list received (violation of SSLv3/TLSv1.0 spec) -- declining request
[Thr 140413440345856] << ---------- End of Secude-SSL Errorstack ----------
[Thr 140413440345856] SSL_get_state() returned 0x000021d0 "SSLv3 read finished A"
[Thr 140413440345856] No certificate request received from Server
[Thr 140413440345856] SSL NI-sock: local=10.105.18.244:53167 peer=192.168.7.62:9000
[Thr 140413440345856] <<- ERROR: SapSSLSessionStart(sssl_hdl=11ff3e0)==SSSLERR_SSL_CONNECT
[Thr 140413440345856] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00000046} [icxxconn_mt.c 1957]
I can't seem to find any information on SCN or in any SAP note. Let me know if you need any additional details.
Best regards,
wojtek
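
Added example, not part of the original post: a small Python parser for the dev_icm trace quoted above. It groups a failed SSL session start by thread, extracts the PSE file, the peer and the Secude-SSL error codes, and reports whether the client library logged that it declined the server's certificate request. The function names and the assumed start and end markers of a failure record are this example's own; the trace lines are copied from the post.

```python
import re

# Lines copied from the dev_icm excerpt in the post above (not constructed).
TRACE = """\
[Thr 140413440345856] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 140413440345856] session uses PSE file "/usr/sap/P60/DVEBMGS60/sec/SAPSSLPKO2.pse"
[Thr 140413440345856] WARNING in ssl3_read_bytes: (536875072/0x20001040) received a fatal SSLv3 handshake failure alert message from the peer
[Thr 140413440345856] WARNING in ssl3_get_certificate_request: (536871681/0x20000301) CertRequest with empty certificate_autorities list received (violation of SSLv3/TLSv1.0 spec) -- declining request
[Thr 140413440345856] No certificate request received from Server
[Thr 140413440345856] SSL NI-sock: local=10.105.18.244:53167 peer=192.168.7.62:9000
"""

PREFIX = re.compile(r"^\[Thr (\d+)\]\s*(.*)$")
ENTRY = re.compile(r"^(WARNING|ERROR) in (\w+): \((\d+)/(0x[0-9a-fA-F]+)\) (.*)$")
PSE = re.compile(r'session uses PSE file "([^"]+)"')
PEER = re.compile(r"\bpeer=(\S+)")

def parse_failures(text):
    """Group each failed SSL session start per thread. Assumed layout: a record
    opens with '*** ERROR during SecudeSSL_SessionStart' and closes with the
    'SSL NI-sock:' line, as in the excerpt."""
    open_by_thread, done = {}, []
    for raw in text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue
        thr, body = m.groups()
        if body.startswith("*** ERROR during SecudeSSL_SessionStart"):
            open_by_thread[thr] = {"thread": thr, "pse": None, "peer": None, "stack": []}
            continue
        rec = open_by_thread.get(thr)
        if rec is None:
            continue  # line does not belong to a failure record we are tracking
        if (p := PSE.search(body)):
            rec["pse"] = p.group(1)
        elif (e := ENTRY.match(body)):
            level, func, dec, hx, msg = e.groups()
            if int(dec) != int(hx, 16):  # decimal and hex renderings must agree
                raise ValueError(f"code mismatch in line: {raw!r}")
            rec["stack"].append({"level": level, "func": func, "code": int(dec), "msg": msg})
        elif body.startswith("SSL NI-sock:") and (q := PEER.search(body)):
            rec["peer"] = q.group(1)
            done.append(open_by_thread.pop(thr))
    return done

def declined_cert_request(rec):
    """True if the client library logged that it declined the CertificateRequest."""
    return any(e["func"] == "ssl3_get_certificate_request" and "declining request" in e["msg"]
               for e in rec["stack"])

if __name__ == "__main__":
    for r in parse_failures(TRACE):
        print(r["peer"], r["pse"], [hex(e["code"]) for e in r["stack"]], declined_cert_request(r))
```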