SSL Handshake error - SSSLERR_SSL_READ (-58) #1225

Closed
nomssi opened this issue Feb 24, 2018 · 27 comments
@nomssi
Contributor

nomssi commented Feb 24, 2018

starting today, I cannot connect to abapGit online:
Error: HTTP error 407 occured: SSL handshake with github.com:443 failed: SSSLERR_SSL_READ (-58)


Can anyone help troubleshoot the issue?
Jacques

@larshp
Member

larshp commented Feb 24, 2018

I have the same issue, github did some changes, see https://githubengineering.com/crypto-removal-notice/

Ethan pointed to SAP note 510007, but I have not tried yet, will start my SAP system in a bit to do some testing


@larshp larshp added the question Further information is requested label Feb 24, 2018
@larshp
Member

larshp commented Feb 24, 2018

Tested ok, see SAP note 510007, section 7

For my ABAP trial 751 system, I have added

ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH

in /sapmnt/NPL/profile/NPL_D00_vhcalnplci. It did not work for me via RZ10, but that's probably just me being bad at basis stuff


@larshp
Member

larshp commented Feb 24, 2018

we should add this in the documentation, and move the ssl setup to its own page, http://docs.abapgit.org/guide-install.html

@larshp larshp self-assigned this Feb 25, 2018
larshp added a commit that referenced this issue Feb 25, 2018
@larshp
Member

larshp commented Feb 25, 2018

@nomssi did it work out? can we close the issue?

@nomssi
Contributor Author

nomssi commented Feb 25, 2018

yes and yes

@nomssi nomssi closed this as completed Feb 25, 2018
@gepparta
Contributor

I was successful with SAP note 510007 on our 7.5 SP02 machine. But unfortunately it didn't work on our NW 7.40 SP05. If I find a solution I will post it here.

@gepparta
Contributor

gepparta commented Feb 26, 2018

Now it's working again with my older System NW740 SP05.
Steps needed to be done (I am not an Admin!):

  1. Step 7 from SAP note 510007
  2. Download SAP Cryptographic Library for your OS here
  3. uncar its files on the server and move them to \usr\sap<SID>\SYS\exe\run
  4. stop SAP
  5. restart machine
  6. start SAP

@larshp
Member

larshp commented Feb 26, 2018

thanks for sharing

@pokrakam
Member

pokrakam commented Mar 3, 2018

For what it's worth, on my NW750 SP02 system I just added the two lines from Lars's comment (thanks!) to the profile, restarted via stopsap / startsap and it worked again.
In RZ10, use advanced edit, the parameters did not exist, so I created them.
Pasted here again for quicker reference:

ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH

@Keller-Michael

On Netweaver 7.51 Trial I maintained profile "NPL_D00_VHCALNPLCI" by RZ10 with parameters Lars mentioned. Had to save and activate the profile. After restart, SSL test was ok.

@lucodealethea

Nice, Michael, to say that it is the NPL_D00_VHCALNPLCI profile, not NPL_ASCS01_VHCALNPLCS, that has to be maintained by adding 2 parameters:
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
and saved + activated. Cheers.

@gregorwolf
Contributor

To make this solution easier to find, I add the plain text of the ICM trace file:

*** ERROR => SSL handshake with github.com:443 failed: SSSLERR_SSL_READ (-58)
SAPCRYPTO:SSL_read() failed

SapSSLSessionStartNB()==SSSLERR_SSL_READ
  SSL:SSL_read() failed  (536875120/0x20001070)
  => "received a fatal TLS1.0 protocol version alert message from the peer"
>>      SecuSSL ErrStack:
0x20001070   SAPCRYPTOLIB   SSL_read
SSL API error
received a fatal TLS1.0 protocol version alert message from the peer
0xa0600278   SSL   ssl3_read_bytes
received a fatal TLS1.0 protocol version alert message from the peer
0xa0600278   SSL   ssl3_read_bytes
received a fatal TLS1.0 protocol version alert message from the peer
<<
  SSL:SSL_get_state()==0x2120 "SSLv3 read server hello A"
  SSL NI-hdl 99: local=192.168.255.32:45542  peer=192.30.253.112:443
  cli SSL session PSE "/usr/sap/NPL/D00/sec/SAPSSLA.pse"
  Target Hostname="github.com"

 {00024d21} [icxxconn.c 2261]
IcmConnConnect: Connect failed for session GUI T15_U18206_M0, 001, DEVELOPER, DESKTOP-BBFOV0R, time=07:27:01,
Tue Apr 10 07:29:41 2018
IcmHandleAdmMsg: set param icm/OP_PSE_CHANGED -> SAPSSLC.pse
IcmSSLPseChanged: SSL Certificate SAPSSLC.pse was changed - refresh
  Reload OK for SSL cred "/usr/sap/NPL/D00/sec/SAPSSLC.pse"
Tue Apr 10 07:29:46 2018
*** ERROR during secussl_read() from SSL_read()==SSL_ERROR_SSL
   session uses PSE file "/usr/sap/NPL/D00/sec/SAPSSLA.pse"
secussl_read: SSL_read() failed  (536875120/0x20001070)
   => "received a fatal TLS1.0 protocol version alert message from the peer"
>>            Begin of Secu-SSL Errorstack            >>
0x20001070   SAPCRYPTOLIB   SSL_read
SSL API error
received a fatal TLS1.0 protocol version alert message from the peer
0xa0600278   SSL   ssl3_read_bytes
received a fatal TLS1.0 protocol version alert message from the peer
0xa0600278   SSL   ssl3_read_bytes
received a fatal TLS1.0 protocol version alert message from the peer
<<            End of Secu-SSL Errorstack
  SSL_get_state()==0x2120 "SSLv3 read server hello A"
  SSL NI-hdl 94: local=192.168.255.32:46224  peer=192.30.253.112:443
<<- ERROR: SapSSLSessionStartNB(sssl_hdl=7f2984001570)==SSSLERR_SSL_READ

@gregorwolf
Contributor

I solved this issue by setting the profile parameter ssl/client_ciphersuites to 918:PFS:HIGH::EC_P256:EC_HIGH according to SAP Note 2359837 - Troubleshooting for "Support Hub Connectivity" in Solution Manager 7.2 up to SP04

@nimble-123

nimble-123 commented Aug 5, 2018

for me the fix with adding these two parameters is not working with latest trial edition (nw 751 sp02).

i've tried different solutions mentioned here.

  • added parameters to DEFAULT.PFL at OS level -> system is not starting
  • added parameters to NPL_D00_vhcalnplci at OS level -> system is not starting
  • added parameters to DEFAULT.PFL through RZ10 -> restart ICM -> SSL is working temporarily till next stopsap/startsap
  • added parameters to NPL_D00_vhcalnplci through RZ10 -> restart ICM -> SSL is working temporarily till next stopsap/startsap

i tried with these parameters

ssl/client_ciphersuites = 918:PFS:HIGH::EC_P256:EC_HIGH
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH

ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH

could anybody please help me what i'm doing wrong?😅

EDIT: 🤔 i reinstalled nw751 trial and did a last try with adding the parameters directly to the profile at OS level. Now the system is starting as expected, SSL is working with abapGit. Only thing i noticed is that the parameters are not displayed in profile viewed through tx RZ10 but who cares as long as it works 🤷‍♂️😇

@Keller-Michael

Sorry, I'm a little bit late ;-) Good to hear that your problem is solved. I think there is a function to import the profile from OS level in transaction RZ10. But I could be wrong. Anyway, have fun :-)

@TejasGandhi1

TejasGandhi1 commented Aug 14, 2018

Dear Team

We are facing the same error in our SAP development system (S/4HANA 1610 ABAP system):
SSL handshake with uatsky.yesbank.in:444 failed:
SSSLERR_SSL_READ (-58)#SAPCRYPTO:SSL_read()
failed##SapSSLSessionStartNB()==SSSLERR_SSL_READ#
SSL:SSL_read() failed (536875074/0x20001042)#
=> "received a fatal TLS bad certificate alert
message from the peer"#
SSL:SSL_get_state()==0x21d0 "TLS rea

We already maintained the 2 parameters in RZ10:
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH

@Keller-Michael

I checked connection with report "ZABAPGIT_TEST_SSL" and it worked. abapGit is working, too. Why is handshake failing with "uatsky.yesbank.in" and not "github.com"?

@gregorwolf
Contributor

Have you tried to reach uatsky.yesbank.in in your browser? At least from the public internet I can't reach anything there on https and http. Also a ping does not work.
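The two traces quoted in this thread report different TLS alerts, which is why the cipher-suite parameters helped for github.com but not for the second host. The following triage script is an added example, not part of the thread or of abapGit; the sample trace is constructed from the excerpts above, and the names `triage` and `ALERTS` are hypothetical.

```python
import re

# Constructed sample built from the two trace excerpts quoted in this thread.
SAMPLE_TRACE = '''\
*** ERROR => SSL handshake with github.com:443 failed: SSSLERR_SSL_READ (-58)
SAPCRYPTO:SSL_read() failed
  SSL:SSL_read() failed  (536875120/0x20001070)
  => "received a fatal TLS1.0 protocol version alert message from the peer"
  cli SSL session PSE "/usr/sap/NPL/D00/sec/SAPSSLA.pse"
*** ERROR => SSL handshake with uatsky.yesbank.in:444 failed: SSSLERR_SSL_READ (-58)
  SSL:SSL_read() failed (536875074/0x20001042)
  => "received a fatal TLS bad certificate alert message from the peer"
'''

# TLS alert numbers per RFC 5246; the hints only summarise this thread.
ALERTS = {
    "protocol version": (70, "peer does not support the TLS version attempted; thread fix: ssl/client_ciphersuites"),
    "bad certificate": (42, "peer rejected a certificate; cipher-suite parameters do not address this"),
}

HANDSHAKE = re.compile(r"SSL handshake with (\S+):(\d+) failed: (\w+) \((-?\d+)\)")
ALERT = re.compile(r"received a fatal (TLS[\d.]*) (.+?) alert message from the peer")
PSE = re.compile(r'PSE (?:file )?"([^"]+)"')

def triage(trace):
    """Return one dict per failed handshake, enriched with alert and PSE."""
    events = []
    for line in trace.splitlines():
        m = HANDSHAKE.search(line)
        if m:
            events.append({"host": m.group(1), "port": int(m.group(2)),
                           "error": m.group(3), "alert": None, "pse": None})
            continue
        if not events:
            continue  # detail line before any handshake error: ignore
        cur = events[-1]
        m = ALERT.search(line)
        if m and cur["alert"] is None:  # the error stack repeats the alert; keep the first
            name = m.group(2)
            number, hint = ALERTS.get(name, (None, "alert not covered by this example"))
            cur.update(alert=name, label=m.group(1), alert_no=number, hint=hint)
        m = PSE.search(line)
        if m and cur["pse"] is None:
            cur["pse"] = m.group(1)
    return events

if __name__ == "__main__":
    for e in triage(SAMPLE_TRACE):
        print(f'{e["host"]}:{e["port"]} {e["error"]} alert={e["alert"]} -> {e.get("hint")}')
```

Both handshakes end in the same SSSLERR_SSL_READ (-58), so the alert text in the trace, not the error code, is what separates the two cases.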

@peterlangner

Now it's working again with my older System NW740 SP05.
Steps needed to be done (I am not an Admin!):

1. Step 7 from SAP note 510007

2. Download SAP Cryptographic Library for your OS [here](https://launchpad.support.sap.com/#/softwarecenter/search/SAPCRYPTOLIB)

3. uncar its files on the server and move them to \usr\sap<SID>\SYS\exe\run

4. stop SAP

5. restart machine

6. start SAP

On my NW 740 SP 0004 it worked just by adding the two parameters to the instance profile.

@himanshush13

@TejasGandhi1 Has your problem been solved? Because now I am facing the issue:
certificates are done, parameters are done, also ICM is restarted, but the SSL issue is still there. Any help?

@himanshush13

The issue related to SSL is now solved, but now we are getting an authentication problem

Error Number 1

Connection closed
Also check transaction SMICM -> Goto -> Trace File -> Display End
Error 403

So, we are confused whether the problem is from certificates, because these issues trace to them, or the issue is related to the GitHub side.
Any leads?

@ghost

ghost commented Mar 25, 2021

Hello, I don't know if they have already solved it, but I had the same problem and for me what solved it was the following:

The icm/HTTPS/client_sni_enabled parameter was set to FALSE in ICM

We had to change ICM and transaction RZ10 to TRUE

We followed the guidance of SAP Note https://launchpad.support.sap.com/#/notes/2124480

@sbcgua
Collaborator

sbcgua commented May 12, 2022

Does anyone by chance know how to import an SSL certificate from the command line, instead of STRUST in SAP GUI?
From what I understand it should be some command like sapgenpse import_own_cert -p SAPSSLA.pse ...??? but I cannot find any good example :(

SSL certificate, I mean e.g. for connecting to github and similar ...

P.S. Sry for offtop ... just looks like the audience is familiar with the subject :))

@fabianlupa
Member

@sbcgua I tend to take a look at @jfilak 's projects for stuff like this ;) I'd probably just install sapcli and use that instead (you can also install the abapGit report using it...)

https://github.com/jfilak/sapcli/blob/master/doc/commands/strust.md
(https://github.com/filak-sap/sap-nw-abap-docker#extra-content)

@sbcgua
Collaborator

sbcgua commented May 13, 2022

@flaiker yeah, I know about sapcli. Actually I even have my own script to do a similar thing - https://github.com/sbcgua/sap-nw-abap-vagrant/blob/master/certinst.js/certinst.js - but I'm going to use sapcli in further iterations as it looks more and more mature :) Yet this is still an external tool and I'd like to know if there was a standard way. Not critical but it could be nice to have an independent installation flow.

@fabianlupa
Member

Well for sapgenpse specifically there seem to be some results on GitHub. This one looks quite promising (the whole markdown file actually): https://github.com/sap-tutorials/Tutorials/blob/4d4dd42daf812f3b1c58295b52ea67f0f8125560/tutorials/hana-python-secure-connection/hana-python-secure-connection.md?plain=1#L290

@sbcgua
Collaborator

sbcgua commented May 15, 2022

Indeed, thanks for the link. This is a step forward. For the record, sapgenpse maintain_pk -p SAPSSLA.pse -a <certfile> does add a certificate. (sapgenpse maintain_pk -p SAPSSLA.pse -l - to list the existing ones). But ... not the final stage yet :(
After the command SAP goes out of sync with the files, claiming that "Local PSE does not match database original" (TRUST028). On restart the system overwrites the PSE files. And I didn't find a way outside of SAP to import them so far (e.g. note 1473710 suggests a solution inside SAP GUI).
So the question is still open ... :(
