Dear experts,
our logistics partner recently switched their SSL cipher from TLS_RSA_WITH_AES128_CBC_SHA to TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. I downloaded the corresponding SSL certificate, but our RFC connection is still not working and fails with an SSL handshake error (see log below). I tried to find out whether the CommonCryptoLib (our version is 8.4.35) is able to handle this kind of cipher.
Unfortunately I didn't find any information regarding this topic. Is this cipher currently supported by SAP, and if yes, how can I enable it?
These are my instance parameters:
sec/libsapsecu = $(ssl/ssl_lib)
ssf/ssfapi_lib = $(ssl/ssl_lib)
ssl/client_ciphersuites = 983:HIGH:MEDIUM:+e3DES:!aNULL (way too much enabled, but other combinations aren't working either)
ssl/ssl_lib = $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)
This is the error log from the ICF-Monitor:
[Thr 2571] IcmConnInitClientSSL: using pse /usr/sap/WED/DVEBMGS11/sec/SAPSSLA.pse, show client certificate if available
[Thr 2571] ->> SapSSLSetTargetHostname(sssl_hdl=187ef1c70, &hostname=181c36d30)
[Thr 2571] <<- SapSSLSetTargetHostname(sssl_hdl=187ef1c70)==SAP_O_K
[Thr 2571] in: hostname = "cig.dhl.de"
[Thr 2571] ->> SapSSLSessionStart(sssl_hdl=187ef1c70)
[Thr 2571] NiIBlockMode: set blockmode for hdl 93 TRUE
[Thr 2571] NiIBlockMode: set blockmode for hdl 93 FALSE
[Thr 2571] NiIHdlGetStatus: hdl 93/sock 27 ok, no data pending
[Thr 2571] NiIBlockMode: set blockmode for hdl 93 TRUE
[Thr 2571] SapISSLUseSessionCache(): Creating NEW session (0 cached)
[Thr 2571] *** ERROR during SecuSSL_SessionStart() from SSL_connnect()==SSL_ERROR_SSL
[Thr 2571] session uses PSE file "/usr/sap/WED/DVEBMGS11/sec/SAPSSLA.pse"
[Thr 2571] SecuSSL_SessionStart: SSL_connnect() failed (536875072/0x20001040)
[Thr 2571] => "SSL API error"
[Thr 2571] >> Begin of Secu-SSL Errorstack >>
[Thr 2571] 0x20001040 SAPCRYPTOLIB SSL_connect
[Thr 2571] SSL API error
[Thr 2571] received a fatal SSLv3 handshake failure alert message from the peer
[Thr 2571] 0xa0600266 SSL ssl23_connect
[Thr 2571] received a fatal SSLv3 handshake failure alert message from the peer
[Thr 2571] 0xa0600266 SSL ssl23_get_server_hello
[Thr 2571] received a fatal SSLv3 handshake failure alert message from the peer
[Thr 2571] << End of Secu-SSL Errorstack
[Thr 2571] SSL_get_state()==0x2220 "SSLv2/v3 read server hello A"
[Thr 2571] No certificate request received from Server
[Thr 2571] <<- ERROR: SapSSLSessionStart(sssl_hdl=187ef1c70)==SSSLERR_SSL_CONNECT
[Thr 2571] ->> SapSSLSessionLastError(sssl_hdl=187ef1c70, &rc=181a8a774, &rc_name=181a8a790, &rc_desc=181a8a788, &rc_detail=181a8a78
[Thr 2571] *** ERROR => SSL handshake with cig.dhl.de:443 failed: SSSLERR_SSL_CONNECT (-57)
[Thr 2571] SAPCRYPTO:SSL_connect() failed
[Thr 2571]
[Thr 2571] SapSSLSessionStart()==SSSLERR_SSL_CONNECT
[Thr 2571] SSL:SSL_connnect() failed (536875072/0x20001040)
[Thr 2571] => "SSL API error"
[Thr 2571] >> SecuSSL ErrStack:
[Thr 2571] 0x20001040 SAPCRYPTOLIB SSL_connect
[Thr 2571] SSL API error
[Thr 2571] received a fatal SSLv3 handshake failure alert message from the peer
[Thr 2571] 0xa0600266 SSL ssl23_connect
[Thr 2571] received a fatal SSLv3 handshake failure alert message from the peer
[Thr 2571] 0xa0600266 SSL ssl23_get_server_hello
[Thr 2571] received a fatal SSLv3 handshake failure alert message from the peer
[Thr 2571] <<
[Thr 2571] SSL:SSL_get_state()==0x2220 "SSLv2/v3 read server hello A"
[Thr 2571] SSL NI-hdl 93: local=10.0.1.72:42702 peer=149.239.114.113:443
[Thr 2571] cli SSL session PSE "/usr/sap/WED/DVEBMGS11/sec/SAPSSLA.pse"
[Thr 2571] Target Hostname="cig.dhl.de"
[Thr 2571] {00000070} [icxxconn.c 2159]
[Thr 2571] ->> SapSSLSessionDone(&sssl_hdl=181313560)
[Thr 2571] <<- SapSSLSessionDone()==SAP_O_K
[Thr 2571] in: sssl_hdl = 187ef1c70
[Thr 2571] in/out: ... ni_hdl = 93
[Thr 2571] DpSesGetWorkerType: return workerType DIA for T3_U447
[Thr 2571] RqQQueueGetNumberOfRequests: Queue <T3_U447_M0> in slot 38 contains 0 requests of type DIA
[Thr 2571] DpSesGetTasks: found 1 open tasks for T3_U447_M0
[Thr 2571] DpSesGetWorkerType: return workerType DIA for T3_U447
[Thr 2571] RqQQueueGetNumberOfRequests: Queue <T3_U447_M1> in slot 45 contains 0 requests of type DIA
[Thr 2571] DpSesGetTasks: found 0 open tasks for T3_U447_M1
[Thr 2571] DpSesGetWorkerType: return workerType DIA for T3_U447
[Thr 2571] RqQQueueGetNumberOfRequests: Queue <T3_U447_M3> in slot 35 contains 0 requests of type DIA
[Thr 2571] DpSesGetTasks: found 0 open tasks for T3_U447_M3
[Thr 2571] IcmConnConnect: Connect failed for session GUI T3_U447_M0, 200, KOBLITZ, PC-IT-KOBLITZ1, time=08:35:06, W8, program=RSHTT
[Thr 2571] IcmConnConnect(id=0/112): free MPI request blocks
[Thr 2571] MPI<7a>2#7 GetInbuf -1 1f41e0 295 (1) -> MPI_EOS: End Of Stream
[Thr 2571] MPI<7a>2#8 FreeInbuf#1 0 1f41e0 0 -> MPI_OK
[Thr 2571] MPI<79>1#4 GetOutbuf -1 1f41e0 65536 (0) -> 7000000901f4200 104857600 MPI_OK
[Thr 2571] NiIGetServNo: servicename '8011' = port 8011
Kind regards and thanks in advance for helping!
André Koblitz
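The trace above can be read with plain TLS semantics before touching any SAP setting: the error stack shows a fatal handshake_failure alert arriving while the client is still in the state "read server hello". At that point the server has only seen the ClientHello, so the alert means the server found nothing acceptable among the offered protocol versions, cipher suites or extensions; no certificate has been exchanged yet, which is why importing the server's certificate into the PSE cannot change the outcome. The script below is an added example, not code from the poster, from SAP or from CommonCryptoLib. It does two things: it scans trace lines for the Secu-SSL error stack and classifies where in the handshake the failure occurred, and it asks the local OpenSSL build which suites a cipher string enables so that a client policy can be checked for the suite the server now requires. The OpenSSL cipher-string syntax differs from the SAP `ssl/client_ciphersuites` syntax (the leading number and the `+e3DES` token are SAP-specific), so the strings used here are assumed rough OpenSSL equivalents, and the IANA-to-OpenSSL name table covers only the two suites named in the question. The sample trace lines are copied from the log in the question.

```python
"""Diagnose a TLS client handshake failure: classify the error stack,
then check whether a client cipher policy offers a required suite."""
import re
import ssl

# IANA suite name -> OpenSSL suite name. Only the two suites from the
# question are mapped here; extend the table for other suites.
IANA_TO_OPENSSL = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
}

PEER_ALERT = "received a fatal SSLv3 handshake failure alert message from the peer"
STATE_RE = re.compile(r'SSL_get_state\(\)==0x[0-9a-fA-F]+ "([^"]+)"')

# Constructed sample: lines copied from the ICM trace in the question.
SAMPLE_TRACE = [
    '[Thr 2571] >> Begin of Secu-SSL Errorstack >>',
    '[Thr 2571] 0x20001040 SAPCRYPTOLIB SSL_connect',
    '[Thr 2571] SSL API error',
    '[Thr 2571] ' + PEER_ALERT,
    '[Thr 2571] 0xa0600266 SSL ssl23_get_server_hello',
    '[Thr 2571] ' + PEER_ALERT,
    '[Thr 2571] << End of Secu-SSL Errorstack',
    '[Thr 2571] SSL_get_state()==0x2220 "SSLv2/v3 read server hello A"',
    '[Thr 2571] No certificate request received from Server',
]


def classify_errorstack(trace_lines):
    """Return a short diagnosis derived from the Secu-SSL error stack.

    A handshake_failure alert received while the client is still waiting
    for the ServerHello means the server rejected the ClientHello itself:
    no mutually acceptable protocol version / cipher suite / extension.
    Certificates are not involved at that stage of the handshake.
    """
    in_stack = False
    alert_from_peer = False
    state = None
    for line in trace_lines:
        if "Begin of Secu-SSL Errorstack" in line:
            in_stack = True
            continue
        if "End of Secu-SSL Errorstack" in line:
            in_stack = False
            continue
        if in_stack and PEER_ALERT in line:
            alert_from_peer = True
        match = STATE_RE.search(line)
        if match:
            state = match.group(1)
    if alert_from_peer and state and "read server hello" in state:
        return "clienthello_rejected"      # fix the offered parameters, not the PSE
    if alert_from_peer:
        return "peer_alert_after_hello"    # look at certificate / key exchange steps
    return "no_peer_alert"


def offered_suites(cipher_string, min_version=ssl.TLSVersion.TLSv1_2):
    """List the OpenSSL suite names a client using `cipher_string` would offer.

    Returns an empty list when the string selects no usable suite at all
    (OpenSSL raises SSLError in that case).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def policy_offers_suite(cipher_string, iana_name):
    """True if the client policy would offer the suite the server requires."""
    return IANA_TO_OPENSSL[iana_name] in offered_suites(cipher_string)


if __name__ == "__main__":
    print("trace diagnosis:", classify_errorstack(SAMPLE_TRACE))
    required = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    # Assumed rough OpenSSL equivalents of two client policies: a broad one
    # and an RSA-key-exchange-only one that cannot offer any ECDHE suite.
    for policy in ("HIGH:MEDIUM:!aNULL", "kRSA:!aNULL"):
        print(f"{policy!r} offers {required}: {policy_offers_suite(policy, required)}")
```

The cipher check only tells you what this OpenSSL build would offer for a given string; the actual ClientHello sent by CommonCryptoLib has to be confirmed from its own trace or a packet capture, since SAP's suite selection syntax is not OpenSSL's. The error-stack classification, however, depends only on the TLS state machine and applies to the trace as posted.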