SAP Knowledge Base Article - Preview

3391859 - SSSLERR errors due to wrong hostname resolution

Symptom

An outgoing HTTPS connection from the local ABAP system (whether through an SM59 destination or from the application itself) fails with SSSLERR-related errors.

Common errors are:

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

SSSLERR_SERVER_CERT_MISMATCH:

  • The error appears in the ICM trace file as follows:
    [Thr 140484128118528]   Target Hostname="<target HTTPS server FQDN>"
    [Thr 140484128118528]   SSL NI-hdl 2662: local=<local ICM IP address>:<port>  peer=<incorrect target HTTPS server IP address>:<target HTTPS server HTTPS port>
    [Thr 140484128118528] <<- ERROR: SapSSLSessionStartNB(sssl_hdl=7fc4e0001870)==SSSLERR_SERVER_CERT_MISMATCH
    [Thr 140484128118528] *** ERROR => SSL handshake with <target HTTPS server FQDN>:<target HTTPS server HTTPS port> failed: SSSLERR_SERVER_CERT_MISMATCH (-30)
    [Thr 140484128118528] Server certificate does not match supplied TargetHostname (rfc2818 section 3.1)
    [Thr 140484128118528]
    [Thr 140484128118528] SapSSLSessionStartNB()==SSSLERR_SERVER_CERT_MISMATCH
    [Thr 140484128118528]   TargetHostname     = "<target HTTPS server FQDN>"
    [Thr 140484128118528]   ServerCert.subject = <CN=<mismatched hostname with the target HTTPS server FQDN>, (...)>
  • SNI is already configured per SAP Note 2124480.

SSSLERR_PEER_CERT_EXPIRED:

  • The error appears in the ICM trace file as follows (along with related entries around it):
    [Thr 140125905209088]   Target Hostname="<target HTTPS FQDN>"
    [Thr 140125905209088]   SSL NI-hdl 132: local=<local ICM IP address>:<port>  peer=<incorrect target HTTPS server IP address>:<target HTTPS server HTTPS port>
    [Thr 140125905209088] <<- ERROR: SapSSLSessionStartNB(sssl_hdl=7f7168019c90)==SSSLERR_PEER_CERT_EXPIRED
    [Thr 140125905209088] *** ERROR => SSL handshake with <target HTTPS server FQDN>:<target HTTPS server HTTPS port> failed: SSSLERR_PEER_CERT_EXPIRED (-101)
    [Thr 140125905209088] Peer's X.509 certificate (chain) is expired (or not yet valid)

The ICM trace file shows that the target HTTPS server FQDN is not being resolved to the expected IP address.
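
The check described above can be scripted. The following is an added example, not part of the KBA or of any SAP tool: it pairs each failed handshake in an ICM trace with the peer IP address the connection actually reached and flags the ones that differ from the address expected for that hostname. The trace lines, hostnames, IP addresses and the EXPECTED map are constructed sample values, and the line layout is assumed to match the excerpts shown above.

```python
import re
import socket

THR = re.compile(r"^\s*\[Thr (\d+)\]\s*(.*)$")
HOST = re.compile(r'Target Hostname="([^"]+)"')
PEER = re.compile(r"peer=(\S+):(\d+)")
FAIL = re.compile(r"SSL handshake with \S+ failed: (SSSLERR_\w+)")

# Constructed sample trace (documentation-range IPs, made-up thread IDs).
SAMPLE = """\
[Thr 1001]   Target Hostname="api.example.com"
[Thr 1001]   SSL NI-hdl 12: local=192.0.2.5:50112  peer=198.51.100.77:443
[Thr 1001] <<- ERROR: SapSSLSessionStartNB(sssl_hdl=7f0000000001)==SSSLERR_SERVER_CERT_MISMATCH
[Thr 1001] *** ERROR => SSL handshake with api.example.com:443 failed: SSSLERR_SERVER_CERT_MISMATCH (-30)
[Thr 1002]   Target Hostname="files.example.com"
[Thr 1002]   SSL NI-hdl 13: local=192.0.2.5:50113  peer=203.0.113.20:443
[Thr 1002] *** ERROR => SSL handshake with files.example.com:443 failed: SSSLERR_PEER_CERT_EXPIRED (-101)
"""
# Assumption: addresses the owner of each target server has confirmed.
EXPECTED = {"api.example.com": {"203.0.113.10"}, "files.example.com": {"203.0.113.20"}}

def failed_handshakes(trace_text):
    """Return one dict per failed handshake: thread, host, peer_ip, error."""
    state, out = {}, []
    for line in trace_text.splitlines():
        m = THR.match(line)
        if not m:
            continue
        thr, body = m.groups()
        cur = state.setdefault(thr, {})  # entries are tracked per ICM thread
        if (h := HOST.search(body)):
            cur.clear()                  # a new handshake starts on this thread
            cur["host"] = h.group(1)
        elif (p := PEER.search(body)):
            cur["peer_ip"] = p.group(1)
        elif (f := FAIL.search(body)) and "host" in cur:
            out.append({"thread": thr, **cur, "error": f.group(1)})
            cur.clear()
    return out

def wrong_resolution(handshakes, expected):
    """Keep failures whose peer IP is not an expected address for that host."""
    return [h for h in handshakes
            if h["host"] in expected and h.get("peer_ip") not in expected[h["host"]]]

def current_resolution(host, port=443):
    """Addresses the OS resolver returns now (run on the ABAP host; needs DNS)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)})
```

In the sample, only the api.example.com failure is flagged; the files.example.com failure reached the expected address, so its expired certificate is not explained by name resolution.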



Environment

SAP Kernel 721 or higher for SSSLERR_SERVER_CERT_MISMATCH.

SAP Kernel all versions for other errors.

Product

ABAP platform all versions; SAP NetWeaver all versions

Keywords

icm, ssl, handshake, x.509, x509, certificate, authentication, https, http, destination, external server, sni, server name indication, network, dns, mismatch, expired, correct certificate, import, export, KBA, BC-CST-IC, Internet Communication Manager, BC-SEC-SSL, Secure Sockets Layer Protocol, Problem
