SAP Knowledge Base Article - Preview

3380974 - Peer certificate rejected by ChainVerifier - Extension error: pathLenConstraint violated!


  • An SSL/TLS connection to an external server from the AS Java fails with "Peer certificate rejected by ChainVerifier".
  • An SSL trace with IAIK debug records (see SAP KBA 2673775) shows the following messages:
    ssl_debug(3): Starting handshake (iSaSiLk 5.106)...
    ssl_debug(3): Sending v3 client_hello message to <hostname of the SSL server>:<port>, requesting version 3.3...
    ssl_debug(3): Sending extensions: renegotiation_info (...), signature_algorithms (..)
    ssl_debug(3): Received v3 server_hello handshake message.
    ssl_debug(3): Received certificate handshake message with server certificate.
    Extension error: pathLenConstraint violated!
    BasicConstraints: CA: yes
    PathLenConstraint: 0
    ssl_debug(3): Shutting down SSL layer...

    ssl_debug(3): SSLException while handshaking: Peer certificate rejected by ChainVerifier
    ssl_debug(3): Closing transport...
    java.lang.RuntimeException: Error while silently connecting: org.w3c.www.protocol.http.HttpExceptionPeer certificate rejected by ChainVerifier



SAP NetWeaver Application Server Java using SSL for outgoing connection


SAP NetWeaver Application Server for Java all versions


SSl trust, certificate, trusted certificate, The default IAIK chain verifier does not trust this chain, The default IAIK chain verifier does not trust this chain! , KBA , BC-JAS-SEC-CPG , Cryptography , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.