SAP Knowledge Base Article - Preview

3395271 - Failed to enable client certificate validate (sslvalidatecertificate = true) for HANA Studio SSL connection.

Symptom

  • You can enable the HANA Studio SSL connection with sslvalidatecertificate set to false.
  • When you enable mutual authentication by turning on client certificate validation (setting sslvalidatecertificate to true), you get the following error:
  • The SSL handshake failed. This may be due to a flaw in the SSL implementation, or an infrastructure error (network)
  • The following message can be found in the Crypto trace at info level:
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.616646 i CommonCrypto     CommonCryptoLib.cpp(00728) : [SSL|ssl_get_encoded_trusted_ca_list] Srv-00076157: Offering 2 trusted CA(s) for client authentication:
    CA  <0>: CN=AAA
    CA  <1>: CN=BBB
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.622800 i Crypto           Engine.cpp(00330) : EXTERNAL: Starting handshake (DN=CN=XXXXX, issuer=XXX, keystore=/usr/sap/XXX/HDBXX/XXXXX/sec/sapsrv.pse)
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.622837 i CommonCrypto     CommonCryptoLib.cpp(00728) : [SSL|ssl3_decode_client_certificate] Srv-00076157: Received message of type "Certificate" containing no certificates.
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.622847 i CommonCrypto     CommonCryptoLib.cpp(00728) : [SSL|ssl3_send_alert] Srv-00076157: Sending alert of level FATAL: handshake failure
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.622861 w CommonCrypto     CommonCryptoLib.cpp(00725) : [SSL|ssl3_accept] Srv-00076157: ########## TLSERROR: SSL3 server handshake failed [0xA060024A: Client authentication failed due to missing client certificate.]
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.622920 i Crypto           Engine.cpp(00337) : EXTERNAL: failed to finish finished handshake (no peer cert, keystore=/usr/sap/XXX/HDBXX/XXXXX/sec/sapsrv.pse)
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.622922 i Crypto           Engine.cpp(00542) : Engine::Acceptor::evaluate EXTERNAL: SSL accept failed - SSL error [536871700]: Unknown error, General error: 0x20000314 | SAPCRYPTOLIB | SSL_accept
SSL API error
Client authentication failed due to missing client certificate 
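
The trace above can be triaged mechanically by grouping the SSL messages per connection ID. The following Python sketch is an added example, not part of the SAP article or of any SAP tool; the function name summarize_handshakes and the regular expressions are assumptions inferred from the quoted trace lines.

```python
import re

# Excerpt of the Crypto trace quoted in the Symptom section (placeholders as on the page).
TRACE = '''\
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.616646 i CommonCrypto     CommonCryptoLib.cpp(00728) : [SSL|ssl_get_encoded_trusted_ca_list] Srv-00076157: Offering 2 trusted CA(s) for client authentication:
    CA  <0>: CN=AAA
    CA  <1>: CN=BBB
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.622837 i CommonCrypto     CommonCryptoLib.cpp(00728) : [SSL|ssl3_decode_client_certificate] Srv-00076157: Received message of type "Certificate" containing no certificates.
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.622861 w CommonCrypto     CommonCryptoLib.cpp(00725) : [SSL|ssl3_accept] Srv-00076157: ########## TLSERROR: SSL3 server handshake failed [0xA060024A: Client authentication failed due to missing client certificate.]
'''

# Patterns are inferred from the lines above, not from an SAP format specification.
SSL_MSG = re.compile(r'^\[\d+\].*? (?P<ts>\d{4}-\d\d-\d\d \S+) \w \S+\s+\S+ : '
                     r'\[SSL\|(?P<func>\w+)\] (?P<conn>Srv-\d+): (?P<text>.*)$')
CA_LINE = re.compile(r'^\s+CA\s+<\d+>: (?P<dn>.+)$')
TLSERROR = re.compile(r'TLSERROR: .*\[(?P<code>0x[0-9A-Fa-f]+): (?P<reason>[^\]]+)\]')

def summarize_handshakes(trace):
    """Group SSL trace messages per connection ID and classify each handshake."""
    conns, ca_target = {}, None
    for line in trace.splitlines():
        ca = CA_LINE.match(line)
        if ca and ca_target is not None:      # continuation of a trusted-CA listing
            ca_target['offered_cas'].append(ca['dn'].strip())
            continue
        m = SSL_MSG.match(line)
        ca_target = None
        if not m:
            continue
        rec = conns.setdefault(m['conn'], {'offered_cas': [], 'empty_client_cert': False,
                                           'error': None, 'verdict': 'no failure seen'})
        if m['func'] == 'ssl_get_encoded_trusted_ca_list':
            ca_target = rec                   # following CA lines belong to this connection
        elif 'containing no certificates' in m['text']:
            rec['empty_client_cert'] = True   # client answered with an empty Certificate message
        err = TLSERROR.search(m['text'])
        if err:
            rec['error'] = (err['code'], err['reason'].rstrip('.'))
            rec['verdict'] = ('client sent no certificate' if rec['empty_client_cert']
                              else 'other TLS failure')
    return conns

if __name__ == '__main__':
    for conn, rec in summarize_handshakes(TRACE).items():
        print(conn, rec['verdict'], 'offered CAs:', rec['offered_cas'], rec['error'])
```

For the quoted trace, the summary shows that the server offered two trusted CAs and the client replied with an empty Certificate message, which is the condition reported by error 0xA060024A.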



Environment

  • HANA 1.0
  • HANA 2.0

Product

SAP HANA 1.0, platform edition; SAP HANA, platform edition 2.0

Keywords

sslvalidatecertificate, sslenforceclientcertificate, mutual, KBA, HAN-DB-SEC, SAP HANA Security & User Management, How To

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).
