SSSLERR_PEER_CERT_UNTRUSTED

Hi,
We recently upgraded the kernel and SAP cryptolib on one of our PI systems (7.11 SP6 Dual Stack, CommonCryptoLib 8 Version 8.4.34).
We have three vendors, all with untrusted certificates, who we cannot communicate with any more. When we test the RFC connection we receive the following error.
[Thr 3085] SSL API error
[Thr 3085] Failed to verify peer certificate. Peer not trusted.
[Thr 3085] 0xa0600203   SSL   ssl_verify_peer_certificates
[Thr 3085] Peer not trusted
[Thr 3085] 0xa0600297   SSL   ssl_cert_checker_verify_certificates
[Thr 3085] peer certificate (chain) is not trusted
[Thr 3085] <<- ERROR: SapSSLSessionStart(sssl_hdl=1184803f0)==SSSLERR_PEER_CERT_UNTRUSTED
[Thr 3085] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {0002e2b6} [icxxconn_mt.
The connections were working prior to the upgrade. The vendors' certificates are stored in the NWA Certificate store (we don't use STRUST) and have not changed.
There is nothing wrong with the certificate OR the RFC destination. I have searched SCN without a relevant hit. Can anyone help?

Hello Robert,
Assuming that nothing changed on your vendor side, maybe the vendor uses an older encryption algorithm which was supported by SAP Cryptolib and is by default not supported anymore.
Check the SAP Note
510007 - Setting up SSL on Application Server ABAP
Section 6 especially speaks about the following:
Outgoing SSL connection (SSL client) will all offer the cipher suites configured by (ssl/client_ciphersuites).  Netweaver Kernels predating the Kernel patch from SAP Note 1433874 use the "ssl/ciphersuites" setting also for outgoing SSL connections.  For backwards compatibility, Kernel patch 1433874 does not have a built-in default setting for "ssl/client_ciphersuites", and will use the "ssl/ciphersuites" setting as fallback unless a custom setting is configured.
Incoming SSL connections (SSL server/services) can optionally be configured to use service-specific cipher suite settings in the SSL configuration part icm/ssl_config_<xx> for an icm server port definition icm/server_port_<xx> via the string parameter CIPHERS:
icm/server_port_<xx> = ..., SSLCONFIG=ssl_config_<yy>
icm/ssl_config_<yy> = ..., CIPHERS=...
It might be the case that if you don't set these parameters, the system runs with some assumptions.
Regards,
Siddhesh

Similar Messages

  • SOAP:1.023 SRT: Processing error in Internet Communication Framework: ("ICF Error when receiving the response: ICM_HTTP_SSL_ERROR")

    Hello all,
    can you pls suggest me smth for this:
    I am running solman_setup and at phase 5.1 (Configure Web dispatcher) and I have errors:
    SOAP:1.023 SRT: Processing error in Internet Communication Framework: ("ICF Error when receiving the response: ICM_HTTP_SSL_ERROR")
    L3 - Failed to reach test WS through System Settings (ICM/HTTPURLLOC)
    L2 - Failed to reach test WS through ICM
    I chose: No SAP Web Dispatcher used
    What I did:
    1. re-created users SM_EXTERN_WS and SM_INTERN_WS
    2. added table HTTPURLLOC with the full hostname and the port
    3. created SSL server standard certificate in STRUST and it's green
    4. instance profile>>add login/accept_sso2_ticket=1 and login/create_sso2_ticket=2
    Thx for any suggestion
    Chris

    Hello,
    I read note 1094342 - ICM trace contains verification of the server's certificate
    and I installed in the IE browser the PSE saved from /strust
    Thx for any idea
    [Thr 140736729089792] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
    [Thr 140736729089792]    session uses PSE file "/usr/sap/SID/DVEBMGS00/sec/SAPSSLA.pse"
    [Thr 140736729089792] SecudeSSL_SessionStart: SSL_connect() failed
    [Thr 140736729089792]   secude_error 536872221 (0x2000051d) = "SSLAPI error"
    [Thr 140736731203328] NiIBlockMode: set blockmode for hdl 92 FALSE
    [Thr 140736729089792] >> Begin of Secude-SSL Errorstack >>
    [Thr 140736729089792] 0x2000051d SAPCRYPTOLIB SSL_connect
    [Thr 140736729089792] SSL API error
    [Thr 140736729089792] Failed to verify peer certificate. Peer not trusted.
    [Thr 140736729089792] << End of Secude-SSL Errorstack
    [Thr 140736731203328] NiIBlockMode: set blockmode for hdl 92 TRUE
    [Thr 140736729089792]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
    [Thr 140736731203328]   SSL_get_state() returned 0x00001180 "SSLv3 read client certificate A"
    [Thr 140736731203328] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL
    [Thr 140736731203328]    session uses PSE file "/usr/sap/SID/DVEBMGS00/sec/SAPSSLS.pse"
    [Thr 140736731203328] SecudeSSL_SessionStart: SSL_accept() failed
    [Thr 140736731203328]   secude_error 536875078 (0x20001046) = "SSL API error"
    [Thr 140736729089792] No certificate request received from Server
    [Thr 140736731203328] >> Begin of Secude-SSL Errorstack >>
    [Thr 140736731203328] 0x20001046 SAPCRYPTOLIB SSL_accept
    [Thr 140736731203328] SSL API error
    [Thr 140736731203328] received a fatal SSLv3 certificate unknown alert message from the peer
    [Thr 140736731203328] 0xa0600263 SSL ssl23_accept
    [Thr 140736731203328] received a fatal SSLv3 certificate unknown alert message from the peer
    [Thr 140736731203328] 0xa0600263 SSL ssl3_read_bytes
    [Thr 140736731203328] received a fatal SSLv3 certificate unknown alert message from the peer
    [Thr 140736731203328] << End of Secude-SSL Errorstack
    [Thr 140736731203328] <<- ERROR: SapSSLSessionStart(sssl_hdl=1315bf0)==SSSLERR_SSL_ACCEPT
    [Thr 140736731203328] <<- SapSSLErrorName()==SSSLERR_SSL_ACCEPT
    [Thr 140736729089792] <<- ERROR: SapSSLSessionStart(sssl_hdl=7fffcc023860)==SSSLERR_PEER_CERT_UNTRUSTED
    [Thr 140736729089792] <<- SapSSLErrorName()==SSSLERR_PEER_CERT_UNTRUSTED
    [Thr 140736731203328] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn_mt. 1713]
    [Thr 140736729089792] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {000f3a6b} [icxxconn_mt.c 1989]
    [Thr 140736731203328] <<- SapSSLSessionDone()==SAP_O_K
    [Thr 140736731203328]      in: sssl_hdl   = 1315bf0
    [Thr 140736731203328]          ... ni_hdl = 92
    [Thr 140736731203328] NiICloseHandle: shutdown and close hdl 92/sock 41
    [Thr 140736729089792] <<- SapSSLSessionDone()==SAP_O_K
    [Thr 140736729089792]      in: sssl_hdl   = 7fffcc023860
    [Thr 140736729089792]          ... ni_hdl = 223
    [Thr 140736729089792] IcmConnConnect(id=15/14955): free MPI request blocks
    [Thr 140736729089792] MPI<5909c>85#7 GetInbuf -1 21d220 1757 (1) -> MPI_EOS: End Of Stream
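
Added example, not part of the original thread: the trace above interleaves two threads, so this Python sketch splits it on the `[Thr <id>]` markers and reports, per thread, whether it was the outgoing (client) or incoming (server) side, which PSE the session used and how `SapSSLSessionStart` ended. The function names `summarize` and `untrusted_outgoing` are hypothetical, and the sample is a constructed excerpt of the entries quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: a few entries from the trace above, run together
# without line breaks, two threads interleaved.
SAMPLE = (
    '[Thr 140736729089792]    session uses PSE file "/usr/sap/SID/DVEBMGS00/sec/SAPSSLA.pse"'
    '[Thr 140736729089792] Failed to verify peer certificate. Peer not trusted.'
    '[Thr 140736731203328]    session uses PSE file "/usr/sap/SID/DVEBMGS00/sec/SAPSSLS.pse"'
    '[Thr 140736731203328] received a fatal SSLv3 certificate unknown alert message from the peer'
    '[Thr 140736731203328] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn_mt. 1713]'
    '[Thr 140736729089792] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {000f3a6b} [icxxconn_mt.c 1989]'
)

# One entry = "[Thr <id>]" plus everything up to the next marker or end of input,
# so the parser works whether or not the paste kept its line breaks.
ENTRY = re.compile(r'\[Thr (\d+)\]\s*(.*?)(?=\[Thr \d+\]|\Z)', re.S)
PSE = re.compile(r'session uses PSE file "([^"]+)"')
RESULT = re.compile(
    r'IcmConnInit(Client|Server)SSL: SapSSLSessionStart \w+ \((-?\d+)\): (SSSLERR_\w+)')

def summarize(trace):
    """Group entries by thread id; record role, PSE file, return code and error name."""
    threads = defaultdict(
        lambda: {"role": None, "pse": None, "rc": None, "error": None, "messages": []})
    for tid, msg in ENTRY.findall(trace):
        info, msg = threads[tid], msg.strip()
        if m := PSE.search(msg):
            info["pse"] = m.group(1)
        elif m := RESULT.search(msg):
            info["role"] = m.group(1).lower()   # "client" = outgoing connection
            info["rc"] = int(m.group(2))
            info["error"] = m.group(3)
        else:
            info["messages"].append(msg)
    return dict(threads)

def untrusted_outgoing(trace):
    """PSE files named by outgoing sessions that ended in SSSLERR_PEER_CERT_UNTRUSTED."""
    return sorted(t["pse"] for t in summarize(trace).values()
                  if t["role"] == "client" and t["pse"]
                  and t["error"] == "SSSLERR_PEER_CERT_UNTRUSTED")

if __name__ == "__main__":
    for tid, info in summarize(SAMPLE).items():
        print(tid, info["role"], info["rc"], info["error"], info["pse"])
```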
