starting today, I cannot connect to abapGit online:
Error: HTTP error 407 occured: SSL handshake with github.com:443 failed: SSSLERR_SSL_READ (-58)

Can anyone help troubleshoot the issue?
Jacques

I have the same issue, github did some changes, see https://githubengineering.com/crypto-removal-notice/

Ethan pointed to SAP note 510007, but I have not tried yet, will start my SAP system in a bit to do some testing

Tested ok, see SAP note 510007, section 7

For my ABAP trial 751 system, I have added

ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH

in /sapmnt/NPL/profile/NPL_D00_vhcalnplci. It did not work for me via RZ10, but thats probably just me being bad at basis stuff

we should add this in the documentation, and move the ssl setup to its own page, http://docs.abapgit.org/guide-install.html

@nomssi did it work out? can we close the issue?

yes and yes

I was successful with SAP note 510007 on our 7.5 SP02 machine. But unfortunately it didn't worked on our NW 7.40 SP05. If I find a solution I will post it here.

Now its working again with my older System NW740 SP05.
Steps needed to be done (I am not an Admin!):

1. Step 7 from SAP note 510007
2. Download SAP Cryptographic Library for your OS here
3. uncar its files on the server and move them to \usr\sap<SID>\SYS\exe\run
4. stop SAP
5. restart machine
6. start SAP

thanks for sharing

For what it's worth, on my NW750 SP02 system I just added the two lines from Lars's comment (thanks!) to the profile, restarted via stopsap / startsap and it worked again.
In RZ10, use advanced edit, the parameters did not exist, so I created them.
Pasted here again for quicker reference:

ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH

On Netweaver 7.51 Trial I maintained profile "NPL_D00_VHCALNPLCI" by RZ10 with parameters Lars mentioned. Had to save and activate the profile. After restart, SSL test was ok.

Nice Michael, to say that it is NPL_D00_VHCALNPLCI profile not NPL_ASCS01_VHCALNPLCS that has to be maintained adding 2 parameters:
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
and saved + activated. Cheers.

To make this solution be easier found I add the plain text of the ICM tracefile:

*** ERROR => SSL handshake with github.com:443 failed: SSSLERR_SSL_READ (-58)
SAPCRYPTO:SSL_read() failed

SapSSLSessionStartNB()==SSSLERR_SSL_READ
  SSL:SSL_read() failed  (536875120/0x20001070)
  => "received a fatal TLS1.0 protocol version alert message from the peer"
>>      SecuSSL ErrStack:
0x20001070   SAPCRYPTOLIB   SSL_read
SSL API error
received a fatal TLS1.0 protocol version alert message from the peer
0xa0600278   SSL   ssl3_read_bytes
received a fatal TLS1.0 protocol version alert message from the peer
0xa0600278   SSL   ssl3_read_bytes
received a fatal TLS1.0 protocol version alert message from the peer
<<
  SSL:SSL_get_state()==0x2120 "SSLv3 read server hello A"
  SSL NI-hdl 99: local=192.168.255.32:45542  peer=192.30.253.112:443
  cli SSL session PSE "/usr/sap/NPL/D00/sec/SAPSSLA.pse"
  Target Hostname="github.com"

 {00024d21} [icxxconn.c 2261]
IcmConnConnect: Connect failed for session GUI T15_U18206_M0, 001, DEVELOPER, DESKTOP-BBFOV0R, time=07:27:01,
Tue Apr 10 07:29:41 2018
IcmHandleAdmMsg: set param icm/OP_PSE_CHANGED -> SAPSSLC.pse
IcmSSLPseChanged: SSL Certificate SAPSSLC.pse was changed - refresh
  Reload OK for SSL cred "/usr/sap/NPL/D00/sec/SAPSSLC.pse"
Tue Apr 10 07:29:46 2018
*** ERROR during secussl_read() from SSL_read()==SSL_ERROR_SSL
   session uses PSE file "/usr/sap/NPL/D00/sec/SAPSSLA.pse"
secussl_read: SSL_read() failed  (536875120/0x20001070)
   => "received a fatal TLS1.0 protocol version alert message from the peer"
>>            Begin of Secu-SSL Errorstack            >>
0x20001070   SAPCRYPTOLIB   SSL_read
SSL API error
received a fatal TLS1.0 protocol version alert message from the peer
0xa0600278   SSL   ssl3_read_bytes
received a fatal TLS1.0 protocol version alert message from the peer
0xa0600278   SSL   ssl3_read_bytes
received a fatal TLS1.0 protocol version alert message from the peer
<<            End of Secu-SSL Errorstack
  SSL_get_state()==0x2120 "SSLv3 read server hello A"
  SSL NI-hdl 94: local=192.168.255.32:46224  peer=192.30.253.112:443
<<- ERROR: SapSSLSessionStartNB(sssl_hdl=7f2984001570)==SSSLERR_SSL_READ

I solved this issue by setting the profile parameter ssl/client_ciphersuites to 918:PFS:HIGH::EC_P256:EC_HIGH according to SAP Note 2359837 - Troubleshooting for "Support Hub Connectivity" in Solution Manager 7.2 up to SP04

for me the fix with adding these two parameters are not working with latest trial edition (nw 751 sp02).

i've tried different solutions mentioned here.

• added parameters to DEFAULT.PFL at OS level -> system is not starting
• added parameters to NPL_D00_vhcalnplci at OS level -> system is not starting
• added parameters to DEFAULT.PFL through RZ10 -> restart ICM -> SSL is working temporary till next stopsap/startsap
• added parameters to NPL_D00_vhcalnplci through RZ10 -> restart ICM -> SSL is working temporary till next stopsap/startsap

i tried with these parameters

ssl/client_ciphersuites = 918:PFS:HIGH::EC_P256:EC_HIGH
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH

ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH

could anybody please help me what i'm doing wrong?😅

EDIT: 🤔 i reinstalled nw751 trial and did a last try with adding the parameters direct to the profile at OS level. Now the system ist starting as expected, SSL is working with abapGit. Only thing i noticed is that the parameters are not displayed in profile viewed through tx RZ10 but who cares as long as it works 🤷‍♂️😇

Sorry, I'm a little bit late ;-) Good to hear that your problem is solved. I think there is a function to import the profile from OS level in transaction RZ10. But I could be wrong. Anyway, have fun :-)

Dear Team

Same error facing in our sap development system (s4hana 1610 abap system)
SSL handshake with uatsky.yesbank.in:444 failed:
SSSLERR_SSL_READ (-58)#SAPCRYPTO:SSL_read()
failed##SapSSLSessionStartNB()==SSSLERR_SSL_READ#
SSL:SSL_read() failed (536875074/0x20001042)#
=> "received a fatal TLS bad certificate alert
message from the peer"#
SSL:SSL_get_state()==0x21d0 "TLS rea

already maintained adding 2 parameters in RZ10:
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH

I checked connection with report "ZABAPGIT_TEST_SSL" and it worked. abapGit is working, too. Why is handshake failing with "uatsky.yesbank.in" and not "github.com"?

Have you tried to reach uatsky.yesbank.in in your browser? At least from the public internet I can't reach anything there on https and http. Also a ping does not work.

Now its working again with my older System NW740 SP05.
Steps needed to be done (I am not an Admin!):

1. Step 7 from SAP note 510007

2. Download SAP Cryptographic Library for your OS [here ](https://launchpad.support.sap.com/#/softwarecenter/search/SAPCRYPTOLIB)

3. uncar its files on the server and move them to \usr\sap<SID>\SYS\exe\run

4. stop SAP

5. restart machine

6. start SAP

On my NW 740 SP 0004 it worked just by adding the two parameters to the instance profile.

@TejasGandhi1 Have your problem solved, because now I am facing the issue,
certificates are done, parameters are done, also icm is restarted, but SSL issue is still there. Any help

The issue related to the SSL now is solved but now we are getting, authentication problem

Error Number 1

Connection closed
Also check transaction SMICM -> Goto -> Trace File -> Display End
Error 403

So, we are confused whether the problem is from certificates because these issues tracing to them, or the issue is related to Github side.
Any leads ?