Version of HTTPS certificates v3

Former Member
0 Kudos

Hi all, could you please tell me how to enable v3 of https?

Could you please tell me how to check which version of https is enabled?

SAP NW 7.3 is the version

Thank you very much

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

With SAP the SSL version is determined by the SAPCRYPTOLIB in use. SSLv3/TLSv1.0 has been supported since SAPCRYPTOLIB pl28 which was released in 2010. Notice that your SAP kernel needs to be at least as new as the SAPCRYPTOLIB in use. This is because the list of supported ciphers is defined by the kernel.

Former Member
0 Kudos

Hi and thank you very much for your answer.

OK, so SSLv3 is supported from pl28, but in the default setting, does SAP communicate on SSLv1 or SSLv3?

I ask you this because in my CRM SAP NW 7.01 I enabled HTTPS services, and if I try to connect with a browser I receive a certificate that in the description has got Version1. I don't know if this Version1 means SSLv1... but I need to understand if SAP communicates on SSLv3 or SSLv1 in the default setting and if I need to modify some parameter...

Former Member
0 Kudos

What version of SSL will be used depends on the cipher suite. The cipher is something that the client and server have to agree on. If you force a cipher which requires TLSv1.0, SSLv3 will be used. See SAP note 510007 for details.

https://service.sap.com/sap/support/notes/510007

Former Member
0 Kudos

In the notes I read that

  A configuration option for the supported TLS protocol version was added to the kernel correction described in SAP Note 1433874. A single number must be placed before the configuration parameter for the SSL cipher suites, which is added from the following bit value:

      Value    Meaning
      -----------------------------------------------------------
          1    "BC" option (allow version 2.0 CLIENT-HELLO)
         64    SSLv3
        128    TLSv1.0

  Both protocol versions and the BC option are active in the default setting, which results in a value of (128+64+1) = 193 for the protocol version flags (pvflags).

  If you want an FIPS-compliant SSL configuration, that is, only TLSv1.0 (128+1)=129 and only SSL cipher suites with 3DES or AES encryption (HIGH), you can achieve this with the following setting:

      ssl/ciphersuites=129:HIGH

But, for example, if I want to disable the BC option CLIENT-HELLO, is it possible?
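
The pvflags arithmetic from the quoted note, as an added example that is not part of the original posts and is not SAP code: it decodes the numeric prefix of an ssl/ciphersuites value using only the three bit values listed in the excerpt. The function names, the sample lines, and the treatment of a value with no numeric prefix (default 193 assumed) are assumptions.

```python
# Bit values exactly as listed in the note excerpt quoted above.
PVFLAG_BITS = {
    1: '"BC" option (allow version 2.0 CLIENT-HELLO)',
    64: "SSLv3",
    128: "TLSv1.0",
}
DEFAULT_PVFLAGS = 193  # 128 + 64 + 1, the default stated in the excerpt


def parse_profile_line(line):
    """Return (pvflags, cipher_spec) from 'ssl/ciphersuites=<pvflags>:<spec>'."""
    name, sep, value = line.partition("=")
    if not sep or name.strip() != "ssl/ciphersuites":
        raise ValueError("not an ssl/ciphersuites line: %r" % line)
    value = value.strip()
    head, _, rest = value.partition(":")
    if head.isdigit():
        return int(head), rest
    # Assumption: without a numeric prefix the default flags apply.
    return DEFAULT_PVFLAGS, value


def decode_pvflags(pvflags):
    """Return (enabled option labels, leftover bits not in the excerpt)."""
    enabled = [label for bit, label in sorted(PVFLAG_BITS.items()) if pvflags & bit]
    unknown = pvflags & ~sum(PVFLAG_BITS)
    return enabled, unknown


def review(line):
    """Decode one profile line and list what a reviewer would note."""
    pvflags, spec = parse_profile_line(line)
    enabled, unknown = decode_pvflags(pvflags)
    findings = []
    if pvflags & 64:
        findings.append("SSLv3 is enabled")
    if pvflags & 1:
        findings.append("version 2.0 CLIENT-HELLO is accepted (BC option)")
    if not pvflags & (64 | 128):
        findings.append("no protocol version bit from the excerpt is set")
    if unknown:
        findings.append("bit value %d is not described in the excerpt" % unknown)
    return {"pvflags": pvflags, "ciphers": spec, "enabled": enabled, "findings": findings}


if __name__ == "__main__":
    # Constructed sample lines; 129:HIGH is the setting quoted from the note.
    for sample in ("ssl/ciphersuites=129:HIGH", "ssl/ciphersuites = 193:HIGH"):
        print(sample, "->", review(sample))
```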

Former Member
0 Kudos

The Client Hello is part of the SSL handshaking process; it does not determine what version of SSL you will end up using. You could have an older implementation of Client Hello and still end up using SSLv3, or vice versa.

Former Member
0 Kudos

Dear Samuli, you have very great skill, thank you.

But if I need to integrate my SAP with third-party software (reverse proxy IBM WebSeal) that doesn't accept the CLIENT-HELLO, can I disable it? Or is it a part of the handshake that I can't remove from the SSL session?

Thank you very much..

Former Member
0 Kudos

Can you share a link to the IBM WebSeal documentation which says that Client Hello is not supported? As far as I know, some version of Client Hello is required since it's part of the SSL handshake. See the attached link for an explanation of Client Hello.

Can you please provide details on how you plan to use IBM WebSeal together with SAP? If you are using it as a reverse proxy for SAP, it will act as a client to SAP, meaning IBM WebSeal will send the Client Hello and SAP will be happy to accept it.

http://technet.microsoft.com/en-us/library/cc785811(v=ws.10).aspx