TLS/SSL major bug - IAIK library update


Hello experts,

as you've probably noticed, there is a description on the internet that TLS/SSL has a vulnerable weakness in SSL connection renegotiation. More info on http://www.theregister.co.uk/2009/11/05/serious_ssl_bug/

I've found that the bug has been more or less fixed in the newest IAIK version (more info here: http://jce.iaik.tugraz.at/index.php/sic/News/iSaSiLk-Security-Advisory-TLS-renegotiation-attack).

My question to all of you, and to SAP also, is: where and when can I download the update of the IAIK library for our systems?!?!!!!

Thank you for any information in advance.

Regards

Tomas

1 ACCEPTED SOLUTION

mvoros
Active Contributor

Hi,

I guess that the update is not available yet. I looked for a recent security note and I didn't find any related note. This issue is more complicated because for now there is only a temporary solution. Some systems require SSL renegotiation, so you cannot apply this workaround to them. We have to wait for a real fix.

Cheers

9 REPLIES


Hello Martin,

IMHO SAP should implement the correction ASAP. If there are clients which require TLS renegotiation, the administrator of the SAP system (with server role) does not have to implement the correction, or has the possibility to enable renegotiation via a parameter.

In other words, it would be a very big mistake for SAP not to implement the correction, since all major SSL library issuers have done it already. Moreover, we don't know yet when the IETF TLS working group will release the new standard for TLS renegotiation and how big the impact on the behavior of the client side of TLS/SSL communication will be.

Regards

Tomas

mvoros
Active Contributor

Hi,

FYI, we have a real fix now (https://datatracker.ietf.org/iesg/ann/3278/). So we need to wait for all vendors, including SAP, to implement it.

Cheers


Hello all,

any news regarding implementation of the patch into the IAIK library?

Thanks and regards.

Tomas

mvoros
Active Contributor

Hi,

SAP disabled renegotiation in SAPCRYPTOLIB 555pl29. There is also newer version pl30. Do you need renegotiation on your server?

Cheers

Former Member

Hello experts,

Has SAP released a patch that implements RFC 5746 (Transport Layer Security (TLS) Renegotiation Indication Extension) yet or is the workaround (disabling renegotiation) still the only option? Thanks in advance.


Hi All,

Note 1507568 contains updated SSL libraries regarding this issue.

Kind regards,

Cathal


Thanks Cathal and "SAP Engineer"...

Was the ABAP stack not vulnerable to this (web services, WDA, outbound https calls again, ...)?

Cheers,

Julius


Hi Cathal,

Thanks for the update. The SAP engineer in my company installed that on a test server recently, and when I scanned it using Nessus, the vulnerability was found to be still present. While I ask him to talk to SAP help, do you have any ideas or suggestions?
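The question above about RFC 5746 support, and the later report of a scanner still flagging a patched test server, both come down to one observable fact: does the server answer the initial handshake with the renegotiation_info extension (type 0xff01, empty payload) as RFC 5746 section 3.4 requires? The script below is an added example, not code from this thread, from SAP or from IAIK. It builds a minimal TLS 1.0 ClientHello carrying both RFC 5746 signals (the renegotiation_info extension and the TLS_EMPTY_RENEGOTIATION_INFO_SCSV suite), sends it, and reports whether the ServerHello carries the extension back. The cipher suite list, the hostname and port, and the constructed sample ServerHello used for offline self-checking are assumptions of this example.

```python
"""Check whether a TLS server advertises RFC 5746 secure renegotiation.

Added example: sends a hand-built TLS 1.0 ClientHello and inspects the
ServerHello for the renegotiation_info extension (0xff01). Servers that
answer without it are "legacy" in RFC 5746 terms, which is what a
vulnerability scanner reports even if renegotiation itself is disabled.
"""
import os
import socket
import struct

RENEGOTIATION_INFO = 0xFF01          # RFC 5746 extension type
EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # RFC 5746 signalling cipher suite
# Assumed suite list: a few RSA suites a legacy server can pick, plus the SCSV
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, EMPTY_RENEGOTIATION_INFO_SCSV]


def build_client_hello():
    """Return one TLS record holding a ClientHello with both RFC 5746 signals."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    # renegotiation_info: extension_data is a 1-byte-length opaque (here empty)
    ext = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"
    body = (b"\x03\x01" + os.urandom(32) + b"\x00"          # version, random, no session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                     # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(data):
    """Return (cipher_suite, has_renegotiation_info) from the server's first flight.

    Raises ValueError if the bytes are not (yet) a complete ServerHello.
    """
    if data[:1] == b"\x15":
        raise ValueError("server sent a TLS alert instead of a ServerHello")
    hs, pos = b"", 0
    while pos + 5 <= len(data):  # reassemble handshake bytes across records
        ctype, _ver, length = struct.unpack("!BHH", data[pos:pos + 5])
        if ctype != 0x16:
            break
        hs += data[pos + 5:pos + 5 + length]
        pos += 5 + length
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    length = int.from_bytes(hs[1:4], "big")
    if len(hs) < 4 + length:
        raise ValueError("incomplete ServerHello")
    msg = hs[4:4 + length]
    p = 2 + 32                      # skip server_version and random
    sid_len = msg[p]
    p += 1 + sid_len
    suite = struct.unpack("!H", msg[p:p + 2])[0]
    p += 3                          # cipher suite + compression method
    found = False
    if p + 2 <= len(msg):           # extensions block is optional (absent on legacy servers)
        ext_len = struct.unpack("!H", msg[p:p + 2])[0]
        p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", msg[p:p + 4])
            p += 4
            edata = msg[p:p + elen]
            p += elen
            if etype == RENEGOTIATION_INFO and edata == b"\x00":
                found = True
    return suite, found


def make_server_hello(suite, with_renegotiation_info):
    """Constructed sample ServerHello (for offline self-checks, not real server output)."""
    ext = b""
    if with_renegotiation_info:
        e = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"
        ext = struct.pack("!H", len(e)) + e
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00" + ext
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def check_server(host, port=443, timeout=5.0):
    """Connect to host:port (assumed reachable) and return (suite, has_renegotiation_info)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        data = b""
        while True:
            chunk = s.recv(16384)
            if not chunk:
                raise ValueError("connection closed before a ServerHello arrived")
            data += chunk
            try:
                return parse_server_hello(data)
            except ValueError as exc:
                if "incomplete" not in str(exc):
                    raise


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumed target
    suite, ok = check_server(target)
    print(f"{target}: suite 0x{suite:04x}, secure renegotiation "
          f"{'supported' if ok else 'NOT advertised (legacy)'}")
```

Run it against the patched test server; if the ServerHello comes back without 0xff01, the library in use is still answering as a legacy peer, which is exactly the condition a scanner reports, regardless of whether renegotiation has been switched off as a workaround. The same fact is visible in the "Secure Renegotiation IS/IS NOT supported" line that `openssl s_client` prints.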