Symptom
- You can enable an SSL connection from HANA Studio with sslvalidatecertificate set to false.
- When you try to enable mutual authentication by turning on client certificate validation (sslvalidatecertificate set to true), you get the following error:
- The SSL handshake failed. This may be due to a flaw in the SSL implementation, or an infrastructure error (network)
- The following messages can be found in the Crypto trace at info level:
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.616646 i CommonCrypto CommonCryptoLib.cpp(00728) : [SSL|ssl_get_encoded_trusted_ca_list] Srv-00076157: Offering 2 trusted CA(s) for client authentication:
CA <0>: CN=AAA
CA <1>: CN=BBB
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.622800 i Crypto Engine.cpp(00330) : EXTERNAL: Starting handshake (DN=CN=XXXXX, issuer=XXX, keystore=/usr/sap/XXX/HDBXX/XXXXX/sec/sapsrv.pse)
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.622837 i CommonCrypto CommonCryptoLib.cpp(00728) : [SSL|ssl3_decode_client_certificate] Srv-00076157: Received message of type "Certificate" containing no certificates.
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.622847 i CommonCrypto CommonCryptoLib.cpp(00728) : [SSL|ssl3_send_alert] Srv-00076157: Sending alert of level FATAL: handshake failure
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.622861 w CommonCrypto CommonCryptoLib.cpp(00725) : [SSL|ssl3_accept] Srv-00076157: ########## TLSERROR: SSL3 server handshake failed [0xA060024A: Client authentication failed due to missing client certificate.]
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.622920 i Crypto Engine.cpp(00337) : EXTERNAL: failed to finish finished handshake (no peer cert, keystore=/usr/sap/XXX/HDBXX/XXXXX/sec/sapsrv.pse)
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.622922 i Crypto Engine.cpp(00542) : Engine::Acceptor::evaluate EXTERNAL: SSL accept failed - SSL error [536871700]: Unknown error, General error: 0x20000314 | SAPCRYPTOLIB | SSL_accept
SSL API error
Client authentication failed due to missing client certificate
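The following Python example is added here and is not from the SAP KBA. It groups CommonCrypto trace entries by session ID and reports handshakes that failed because the client sent an empty Certificate message, together with the CAs the server offered. The function name `triage`, the regular expressions and the sample trace (abridged from the lines above, plus a constructed second session) are assumptions based on the line format shown on this page.

```python
import re

# Constructed sample: abridged from the trace on this page, plus a constructed
# second session (Srv-00076158) that only logs its CA offer.
SAMPLE_TRACE = """\
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.616646 i CommonCrypto CommonCryptoLib.cpp(00728) : [SSL|ssl_get_encoded_trusted_ca_list] Srv-00076157: Offering 2 trusted CA(s) for client authentication:
CA <0>: CN=AAA
CA <1>: CN=BBB
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.622837 i CommonCrypto CommonCryptoLib.cpp(00728) : [SSL|ssl3_decode_client_certificate] Srv-00076157: Received message of type "Certificate" containing no certificates.
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.622861 w CommonCrypto CommonCryptoLib.cpp(00725) : [SSL|ssl3_accept] Srv-00076157: ########## TLSERROR: SSL3 server handshake failed [0xA060024A: Client authentication failed due to missing client certificate.]
[27492]{-1}[-1/-1] 2023-10-30 07:15:02.000000 i CommonCrypto CommonCryptoLib.cpp(00728) : [SSL|ssl_get_encoded_trusted_ca_list] Srv-00076158: Offering 2 trusted CA(s) for client authentication:
CA <0>: CN=AAA
CA <1>: CN=BBB
"""

# Assumed entry layout, taken from the lines above: "[SSL|<function>] <session>: <message>"
ENTRY = re.compile(r"\[SSL\|(?P<func>\w+)\] (?P<sid>Srv-\d+): (?P<msg>.*)")
CA_LINE = re.compile(r"^\s*CA <\d+>: (?P<dn>.+)$")   # continuation lines of a CA offer
TLSERROR = re.compile(r"TLSERROR: .*\[(?P<code>0x[0-9A-Fa-f]+): (?P<text>[^\]]+)\]")

def triage(trace):
    """Return sessions whose handshake failed because no client cert was sent."""
    sessions, listing = {}, None   # listing: session whose CA list is being read
    for line in trace.splitlines():
        ca = CA_LINE.match(line)
        if ca and listing:
            sessions[listing]["offered_cas"].append(ca.group("dn").strip())
            continue
        listing = None
        m = ENTRY.search(line)
        if not m:
            continue
        s = sessions.setdefault(
            m.group("sid"), {"offered_cas": [], "empty_cert": False, "error": None})
        if m.group("func") == "ssl_get_encoded_trusted_ca_list":
            listing = m.group("sid")
        elif (m.group("func") == "ssl3_decode_client_certificate"
              and "containing no certificates" in m.group("msg")):
            s["empty_cert"] = True
        err = TLSERROR.search(m.group("msg"))
        if err:
            s["error"] = (err.group("code"), err.group("text").rstrip("."))
    return {k: v for k, v in sessions.items() if v["empty_cert"] and v["error"]}

if __name__ == "__main__":
    for sid, info in triage(SAMPLE_TRACE).items():
        print(sid, info["error"], "offered:", info["offered_cas"])
```

A session reported here failed because the client sent no certificate at all, not because a certificate it sent was rejected; the offered CA list shows which issuers the server announced for client authentication.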
Environment
- HANA 1.0
- HANA 2.0
Product
SAP HANA 1.0, platform edition; SAP HANA, platform edition 2.0
Keywords
sslvalidatecertificate, sslenforceclientcertificate, mutual, KBA, HAN-DB-SEC, SAP HANA Security & User Management, How To
About this page
This is a preview of an SAP Knowledge Base Article.