11-24-2009 10:15 PM
Hello experts,
as you've probably noticed, there is a description on the internet that TLS/SSL has a vulnerable weakness in SSL connection renegotiation. More info on http://www.theregister.co.uk/2009/11/05/serious_ssl_bug/
I've found that the bug has been more or less fixed in the newest IAIK version (more info here http://jce.iaik.tugraz.at/index.php/sic/News/iSaSiLk-Security-Advisory-TLS-renegotiation-attack).
My question to all of you and to SAP also is: where and when can I download the update of the IAIK library for our systems?!
Thank you for any information in advance.
Regards
Tomas
11-25-2009 2:49 AM
Hi,
I guess that the update is not available yet. I looked for recent security notes and I didn't find any related note. This issue is more complicated because for now there is only a temporary solution. Some systems require SSL renegotiation, so you cannot apply this workaround for them. We have to wait for the real fix.
Cheers
11-25-2009 8:54 AM
Hello Martin,
IMHO SAP should implement the correction ASAP. If there are clients which require TLS renegotiation, the administrator of the SAP system (with the server role) does not have to implement the correction, or has the possibility to enable renegotiation via a parameter.
In other words, it would be a very big mistake for SAP not to implement the correction, since all major SSL library issuers have done it already. Moreover, we don't know yet when the IETF TLS working group will release the new standard for TLS renegotiation and how big the impact on the behavior of the client side of TLS/SSL communication will be.
Regards
Tomas
01-07-2010 10:21 PM
Hi,
FYI we have a real fix now (https://datatracker.ietf.org/iesg/ann/3278/). So we need to wait for all vendors including SAP to implement it.
Cheers
11-19-2010 1:36 PM
Hello all,
Any news regarding implementation of the patch into the IAIK library?
Thanks and regards.
Tomas
11-22-2010 1:10 AM
Hi,
SAP disabled renegotiation in SAPCRYPTOLIB 555pl29. There is also newer version pl30. Do you need renegotiation on your server?
Cheers
02-16-2011 1:49 PM
Hello experts,
Has SAP released a patch that implements RFC 5746 (Transport Layer Security (TLS) Renegotiation Indication Extension) yet or is the workaround (disabling renegotiation) still the only option? Thanks in advance.
04-05-2011 4:12 PM
Hi All,
Note 1507568 contains updated SSL libraries regarding this issue.
Kind regards,
Cathal
04-06-2011 1:26 AM
Thanks Cathal and "SAP Engineer"...
Was the ABAP stack not vulnerable to this (web services, WDA, HTTPS calls going outbound again, ...)?
Cheers,
Julius
04-18-2011 7:04 AM
Hi Cathal,
Thanks for the update. The SAP engineer in my company installed that on a test server recently, and when I scanned it using Nessus, the vulnerability was found still present. While I ask him to talk to SAP help, do you have any ideas or suggestions?
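A way to verify for yourself whether a patched server really advertises RFC 5746 (the question raised in the 02-16-2011 post and behind the Nessus finding above), as an added example that is not code from this thread, from SAP or from IAIK: it sends a minimal TLS 1.0 ClientHello carrying the TLS_EMPTY_RENEGOTIATION_INFO_SCSV and an empty renegotiation_info extension, then checks whether the ServerHello echoes the extension. The two sample ServerHello records are constructed for illustration, not captured traffic; the host and port are whatever you pass to probe().

```python
import socket
import struct
RENEGOTIATION_INFO = 0xFF01   # RFC 5746 extension type renegotiation_info
RENEGOTIATION_SCSV = 0x00FF   # TLS_EMPTY_RENEGOTIATION_INFO_SCSV signalling suite

def build_client_hello(ciphers=(0x002F, 0x0035, 0x000A)):
    """TLS 1.0 ClientHello: a few classic suites, the SCSV, an empty renegotiation_info."""
    suites = b"".join(struct.pack("!H", c) for c in (*ciphers, RENEGOTIATION_SCSV))
    ext = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"   # renegotiated_connection = ""
    body = (b"\x03\x01" + bytes(32)                  # client_version, client_random (zeros: constructed, not secure)
            + b"\x00"                                # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                            # compression_methods: null only
            + struct.pack("!H", len(ext)) + ext)     # extensions block
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # HandshakeType client_hello + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def server_hello_extensions(record):
    """Map extension type -> data from a TLS record whose first message is a ServerHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a handshake record starting with a ServerHello")
    pos = 9 + 2 + 32                  # record + handshake headers, server_version, random
    pos += 1 + record[pos]            # session_id
    pos += 2 + 1                      # cipher_suite, compression_method
    exts = {}
    if pos + 2 <= len(record):        # extensions block is optional in a ServerHello
        (total,) = struct.unpack("!H", record[pos:pos + 2])
        pos, end = pos + 2, pos + 2 + total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            exts[etype] = record[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    return exts

def supports_secure_renegotiation(record):   # True only if the server echoed renegotiation_info
    return RENEGOTIATION_INFO in server_hello_extensions(record)

def probe(host, port=443, timeout=5):        # live check against your own server
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        reply = s.recv(16384)                # the first segment normally holds the whole ServerHello
    return supports_secure_renegotiation(reply)

_SH = b"\x03\x01" + bytes(32) + b"\x00\x00\x2f\x00"   # constructed: version, random, session_id, suite, compression
def _record(body):                                      # wrap a ServerHello body in handshake + record headers
    hs = b"\x02" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
SAMPLE_PATCHED = _record(_SH + b"\x00\x05\xff\x01\x00\x01\x00")   # constructed: echoes renegotiation_info
SAMPLE_UNPATCHED = _record(_SH)                                   # constructed: no extensions at all
```

A server that only disables renegotiation (the SAPCRYPTOLIB workaround mentioned above) will still answer without the extension, which is why a scanner keeps flagging it; a server implementing RFC 5746 answers with it.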