SAP Knowledge Base Article - Preview

3395271 - Failed to enable client certificate validate (sslvalidatecertificate = true) for HANA Studio SSL connection.

Symptom

You can enable the HANA Studio SSL connection with sslvalidatecertificate set to false.
When you then enable client certificate validation (set sslvalidatecertificate to true) to use mutual authentication, you get the following error:

The SSL handshake failed. This may be due to a flaw in the SSL implementation, or an infrastructure error (network)

The following messages can be found in the Crypto trace at info level:

[27492]{-1}[-1/-1] 2023-10-30 07:14:21.616646 i CommonCrypto     CommonCryptoLib.cpp(00728) : [SSL|ssl_get_encoded_trusted_ca_list] Srv-00076157: Offering 2 trusted CA(s) for client authentication:
    CA  <0>: CN=AAA
    CA  <1>: CN=BBB
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.622800 i Crypto           Engine.cpp(00330) : EXTERNAL: Starting handshake (DN=CN=XXXXX, issuer=XXX, keystore=/usr/sap/XXX/HDBXX/XXXXX/sec/sapsrv.pse)
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.622837 i CommonCrypto     CommonCryptoLib.cpp(00728) : [SSL|ssl3_decode_client_certificate] Srv-00076157: Received message of type "Certificate" containing no certificates.
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.622847 i CommonCrypto     CommonCryptoLib.cpp(00728) : [SSL|ssl3_send_alert] Srv-00076157: Sending alert of level FATAL: handshake failure
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.622861 w CommonCrypto     CommonCryptoLib.cpp(00725) : [SSL|ssl3_accept] Srv-00076157: ########## TLSERROR: SSL3 server handshake failed [0xA060024A: Client authentication failed due to missing client certificate.]
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.622920 i Crypto           Engine.cpp(00337) : EXTERNAL: failed to finish finished handshake (no peer cert, keystore=/usr/sap/XXX/HDBXX/XXXXX/sec/sapsrv.pse)
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.622922 i Crypto           Engine.cpp(00542) : Engine::Acceptor::evaluate EXTERNAL: SSL accept failed - SSL error [536871700]: Unknown error, General error: 0x20000314 | SAPCRYPTOLIB | SSL_accept
SSL API error
Client authentication failed due to missing client certificate 
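
The trace above shows the server offering two trusted CAs for client authentication and the client answering with a "Certificate" message that contains no certificates. The following Python script is an added example, not part of the SAP article: it groups CommonCrypto trace entries by connection ID and flags that pattern. The function names and regular expressions are assumptions derived only from the trace lines shown here.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the trace excerpt above (placeholders kept).
SAMPLE_TRACE = """\
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.616646 i CommonCrypto     CommonCryptoLib.cpp(00728) : [SSL|ssl_get_encoded_trusted_ca_list] Srv-00076157: Offering 2 trusted CA(s) for client authentication:
    CA  <0>: CN=AAA
    CA  <1>: CN=BBB
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.622837 i CommonCrypto     CommonCryptoLib.cpp(00728) : [SSL|ssl3_decode_client_certificate] Srv-00076157: Received message of type "Certificate" containing no certificates.
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.622847 i CommonCrypto     CommonCryptoLib.cpp(00728) : [SSL|ssl3_send_alert] Srv-00076157: Sending alert of level FATAL: handshake failure
[27492]{-1}[-1/-1] 2023-10-30 07:14:21.622861 w CommonCrypto     CommonCryptoLib.cpp(00725) : [SSL|ssl3_accept] Srv-00076157: ########## TLSERROR: SSL3 server handshake failed [0xA060024A: Client authentication failed due to missing client certificate.]
"""

ENTRY = re.compile(r"\[SSL\|(?P<func>\w+)\] (?P<conn>Srv-\d+): (?P<msg>.*)")
CA_LINE = re.compile(r"^\s+CA\s+<\d+>:\s*(?P<dn>.+)$")
TLSERROR = re.compile(r"TLSERROR: .*\[(?P<code>0x[0-9A-Fa-f]+): (?P<text>[^\]]+)\]")

def analyze_trace(text):
    """Collect, per connection ID, the offered CA list and the handshake outcome."""
    conns = defaultdict(lambda: {"offered_cas": [], "empty_client_cert": False,
                                 "error_code": None, "error_text": None})
    current = None  # connection whose indented CA list is being read
    for line in text.splitlines():
        ca = CA_LINE.match(line)
        if ca and current:
            conns[current]["offered_cas"].append(ca["dn"].strip())
            continue
        current = None
        m = ENTRY.search(line)
        if not m:
            continue  # not a CommonCrypto SSL entry (for example Engine.cpp lines)
        state = conns[m["conn"]]
        if m["func"] == "ssl_get_encoded_trusted_ca_list":
            current = m["conn"]
        elif "containing no certificates" in m["msg"]:
            state["empty_client_cert"] = True
        err = TLSERROR.search(m["msg"])
        if err:
            state["error_code"] = err["code"]
            state["error_text"] = err["text"].rstrip(".")
    return dict(conns)

def missing_client_cert(conns):
    """Connections that failed after the client sent an empty certificate list,
    mapped to the issuer DNs the server had offered."""
    return {cid: s["offered_cas"] for cid, s in conns.items()
            if s["empty_client_cert"] and s["error_code"]}
```

For each flagged connection, the offered CA names are what the server told the client it would accept as issuers for a client certificate.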



Environment

  • HANA 1.0
  • HANA 2.0

Product

SAP HANA 1.0, platform edition ; SAP HANA, platform edition 2.0

Keywords

sslvalidatecertificate, sslenforceclientcertificate, mutual, KBA, HAN-DB-SEC, SAP HANA Security & User Management, How To

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).
