remote host supports the use of SSL ciphers that offer weak encryption

former_member192181
Participant
0 Kudos

Dear All,

Our internal security audit suggests avoiding the use of weak SSL ciphers for our SAP PI 7.0 servers.

We have followed SAP note 510007 - Setting up SSL on Web Application Server ABAP.

As mentioned in point 6, we have added the below parameter in the instance profile of the application server and restarted our server, but the issue is still not resolved.

    ssl/ciphersuites=MEDIUM:HIGH:EXPORT:!LOW:!eNULL

Clients are accessing our PI server through SAP Web dispatcher.

Kindly suggest the action to be taken to resolve the issue.

Please find below the comment from the audit.

-----------------------------------------------------------------------------------------------------------------------

The remote host supports the use of SSL ciphers that offer weak encryption.

Note: This is considerably easier to exploit if the attacker is on the same physical network
-----------------------------------------------------------------------------------------------------------------------

Regards,

Lalitha.


Former Member
0 Kudos

Hi Lalitha,

as suggested in the note, one proposal could be to configure SSL like this:

    ssl/ciphersuites=HIGH:MEDIUM:!mMD5

If this does not fit your needs, you need to be more specific about your requirements.

Regards,

Patrick

0 Kudos

Hi Patrick,

Thanks for the reply.

Do we need to keep the parameter in the SAP Web Dispatcher profile or in the application server profile?

Currently we are keeping this parameter in the SAP PI application server.

Regards,

Lalitha.

0 Kudos

Hi,

it depends on how your web dispatcher is configured. If it drops SSL connections and creates new ones to the application server, then the client connects to the web dispatcher only. If the web dispatcher just routes the SSL connection to the application server, then only the application server is involved in SSL. Anyway, it's probably a good idea to avoid weak cipher suites on all systems, including web dispatcher and application servers.

Cheers

0 Kudos

Dear Martin,

As advised we have maintained the parameter in both servers (Web Dispatcher and SAP application server), but the issue is still not resolved.

Kindly help us in resolving this issue.

Regards,

Lalitha

0 Kudos

Hi Lalitha,

Did you check that the parameters are active (RZ11)?

What are the currently active ciphers?

Do you use icm/ssl_config_<xx> to specify port-specific SSL parameters?

0 Kudos

Hi,

so it seems that restricting cipher suites in category LOW is not enough. I did a quick search and found note 510007. According to this note the category MEDIUM contains

    MEDIUM    1.    SSL_RSA_WITH_RC4_128_SHA
    MEDIUM    2.    SSL_RSA_WITH_RC4_128_MD5

Nowadays anything using MD5 will be classified as weak. Hence I would suggest using some tool that gives you a list of the cipher suites that are offered by your systems (e.g. the script from this thread). When you have that list you can go back to your security vendor and ask them which cipher suites need to be disabled. I am pretty sure that anything with MD5 will be on the blacklist, but there might be some other cipher suites. That OSS note actually mentions how to disable MD5. It's by adding !mMD5:

    ssl/ciphersuites=HIGH:MEDIUM:!mMD5

Cheers

0 Kudos

Hi Martin,

this is exactly the cipher suite I initially suggested 😉

There are some more tools available to check the active cipher suites of a server. For details you may, for instance, have a look at the OWASP pages on SSL/TLS testing.

regards,

Patrick

0 Kudos

Hi Patrick,

you are right. I completely missed that you suggested excluding MD5. Sorry about that. I guess we agree that Lalitha needs to get an actual list of cipher suites and compare it with the list of "allowed" ciphers from their security vendor.

Cheers

former_member192181
Participant
0 Kudos

Hi Patrick and Martin,

Thanks for the reply.

As per your suggestion we have maintained the parameter

    ssl/ciphersuites=HIGH:MEDIUM:!mMD5

in the profile parameters of both the SAP application server and the web dispatcher and asked the security team to check the result, but the issue still persists.

Please find attached the list of "allowed" ciphers from their security team.

Regards,

Lalitha

0 Kudos

Hi,

based on that screenshot it looks like anything that is using DES or RC4 for encryption is classified as weak. That makes sense because both ciphers are quite old with some problems. So you really need to allow only cipher suites from class HIGH: ssl/ciphersuites=HIGH. This class contains 3DES, which they might not like. Hence you might actually need to use ssl/ciphersuites=HIGH:-e3DES.

Cheers

0 Kudos

Hi,

according to the note, the following ciphers are related to the different levels:

    Category  Position  Name of SSL ciphersuite
    -----------------------------------------------------------
    HIGH      1.        TLS_RSA_WITH_AES128_CBC_SHA
    HIGH      2.        TLS_RSA_WITH_AES256_CBC_SHA
    MEDIUM    3.        SSL_RSA_WITH_RC4_128_SHA
    MEDIUM    4.        SSL_RSA_WITH_RC4_128_MD5
    HIGH      5.        SSL_RSA_WITH_3DES_EDE_CBC_SHA
    LOW       6.        SSL_RSA_WITH_DES_CBC_SHA
    EXPORT    7.        SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    EXPORT    8.        SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    EXPORT    9.        SSL_RSA_EXPORT_WITH_RC4_40_MD5

Using

    ssl/ciphersuites=HIGH:MEDIUM:!mMD5

only ciphers 1, 2, 5 and 3 (in that order) should be active.

For instance, based on the configuration, all usage of MD5 should be disabled. According to the screenshot, MD5 is still active. This is more than weird.

There is either something wrong with the connectivity (are you sure they test the right system and not some proxy?) or with the configuration of the system. What is the patch level of the sapcryptolib?

As stated above, please check that the parameters are active (RZ11).

Do you use icm/ssl_config_<xx> to specify port-specific SSL parameters? If yes, what did you specify?

Regards,

Patrick
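To make the reading of the table above concrete, here is a small Python model of the selection, added here as an example; it is not code from this thread, from the note or from SAP. It encodes the nine suites quoted above and evaluates an ssl/ciphersuites string against them. The semantics it implements (a category adds its suites in table order, `!x` removes matching suites permanently, `-x` removes them but a later term may add them back, and the `e`/`m` prefixes select by encryption or MAC algorithm) are an assumption modelled on OpenSSL-style cipher strings, not a documented sapcryptolib grammar. It also classifies the resulting list the way Martin reads the auditor's screenshot (DES/RC4 encryption, MD5, export grade), which shows why the first value in this thread, `MEDIUM:HIGH:EXPORT:!LOW:!eNULL`, still offered weak suites: it adds the EXPORT class explicitly.

```python
"""Model of ssl/ciphersuites selection against the note 510007 table.

Added example. The category table is the one quoted in this thread; the
expression semantics are an ASSUMPTION modelled on OpenSSL cipher strings.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    category: str
    position: int
    name: str
    enc: str  # encryption algorithm parsed from the suite name
    mac: str  # MAC / hash algorithm parsed from the suite name


# Category, position and name exactly as quoted from note 510007 above.
NOTE_TABLE = [
    ("HIGH",   1, "TLS_RSA_WITH_AES128_CBC_SHA"),
    ("HIGH",   2, "TLS_RSA_WITH_AES256_CBC_SHA"),
    ("MEDIUM", 3, "SSL_RSA_WITH_RC4_128_SHA"),
    ("MEDIUM", 4, "SSL_RSA_WITH_RC4_128_MD5"),
    ("HIGH",   5, "SSL_RSA_WITH_3DES_EDE_CBC_SHA"),
    ("LOW",    6, "SSL_RSA_WITH_DES_CBC_SHA"),
    ("EXPORT", 7, "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA"),
    ("EXPORT", 8, "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5"),
    ("EXPORT", 9, "SSL_RSA_EXPORT_WITH_RC4_40_MD5"),
]
CATEGORIES = {"HIGH", "MEDIUM", "LOW", "EXPORT"}


def parse_suite_name(name):
    """<proto>_RSA_[EXPORT_]WITH_<enc...>_<mac>: first token after WITH is
    the cipher (AES128, RC4, 3DES, DES, DES40, RC2), last token is the MAC."""
    parts = name.split("_WITH_", 1)[1].split("_")
    return parts[0], parts[-1]


SUITES = [Suite(c, p, n, *parse_suite_name(n)) for c, p, n in NOTE_TABLE]
SUITES_BY_NAME = {s.name: s for s in SUITES}


def _matches(suite, term):
    """Match one term: a category, e<cipher>, m<mac> or a literal suite name."""
    if term in CATEGORIES:
        return suite.category == term
    if term.startswith("e"):           # e.g. e3DES, eNULL (assumed prefix match)
        return suite.enc.startswith(term[1:])
    if term.startswith("m"):           # e.g. mMD5
        return suite.mac == term[1:]
    return suite.name == term


def evaluate(expr):
    """Return the suite names offered for an ssl/ciphersuites value, in order.
    A trailing '.' (as typed in the thread) is ignored."""
    selected = []     # ordered suites currently offered
    killed = set()    # removed with '!': cannot be re-added by a later term
    for term in expr.strip().rstrip(".").split(":"):
        term = term.strip()
        if not term:
            continue
        op = ""
        if term[0] in "!-":
            op, term = term[0], term[1:]
        matches = [s for s in SUITES if _matches(s, term)]
        if op == "!":
            killed.update(s.name for s in matches)
            selected = [s for s in selected if s.name not in killed]
        elif op == "-":
            gone = {s.name for s in matches}
            selected = [s for s in selected if s.name not in gone]
        else:
            for s in matches:
                if s.name not in killed and s not in selected:
                    selected.append(s)
    return [s.name for s in selected]


def weak_suites(names):
    """Flag suites the audit in this thread treats as weak: export grade,
    DES/RC4/RC2 encryption, or an MD5 MAC. 3DES is deliberately not flagged."""
    findings = []
    for n in names:
        s = SUITES_BY_NAME[n]
        reasons = []
        if "_EXPORT_" in s.name:
            reasons.append("export-grade key length")
        if s.enc.startswith(("DES", "RC4", "RC2")):
            reasons.append(f"{s.enc} encryption")
        if s.mac == "MD5":
            reasons.append("MD5 MAC")
        if reasons:
            findings.append((n, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for value in ("MEDIUM:HIGH:EXPORT:!LOW:!eNULL", "HIGH:MEDIUM:!mMD5", "HIGH:-e3DES"):
        offered = evaluate(value)
        print(value, "->", offered)
        for name, why in weak_suites(offered):
            print("   weak:", name, "(" + why + ")")
```

Run stand-alone it prints the offered list for the three values discussed in this thread; `HIGH:MEDIUM:!mMD5` yields suites 1, 2, 5, 3 in that order with only RC4_128_SHA flagged, and `HIGH:-e3DES` leaves just the two AES suites.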

0 Kudos

Dear Patrick,

We are sure the testing is happening on the right system.

We are not using the icm/ssl_config_* parameter in our system.

Please find below the output of the report SSF01 in SE38.

SSF Test Program

Version              (on application server)

Result:  SSF_API_OK

Version information:                                      255

         SSFLIBSO Version 1.555.18 ; SECUDE(tm) Version 5.4.28M-5 Copyright (c) SECUDE GmbH 1990-2007\nSAPSECULIB - digital signature / without encryption#installed with sapseculib relea

Regards,

Lalitha

0 Kudos

Hi Lalitha,

to determine the patchlevel of SAPCryptolib, please use the program SSF02 (not SSF01):

SE38 -> SSF02 -> Determine Version

You should then see something like:

SSFLIB Version 1.840.40 ; CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.15 (+MT) #Copyright (c) SAP AG, 2011-2014#compiled for linux-gcc-4.3-x86-64#

The version you did determine was the version of the SAPSECULIB, which is used for signature processing.

The patch level in this case is the last two digits after SSFLIB; in this case it is 40.

If you have anything below 38, I would recommend checking whether you can go to a later release first.

Regards,

Patrick

0 Kudos

Dear Patrick,

As suggested we have executed the report SSF02 in SE38 and received the same output as SSF01.

Please suggest how to update the SAPSECULIB.

Regards,

Lalitha

0 Kudos

Dear Lalitha,

SAP software can be downloaded from the SAP Service Marketplace. The SAP Cryptolib, for instance, can be downloaded at:

  -> Support Packages and Patches

    -> Browse Download Catalog

      -> SAP Cryptographic Software

        -> SAPCRYPTOLIB

For your convenience, SAP also provides this software at the SAP Trust Center Services website under

  -> Download Area

    -> SAP Cryptographic Software

This information is also documented on the help portal and in various notes, like note 455033.

Please check note 1375378 in case you have questions which library to use.

The installation itself is documented in the help portal as well.

Regards,

Patrick

0 Kudos

Dear Patrick,

Sorry for the late reply.

We have upgraded the entire kernel, executed the report and received the output below.

SE38 -> SSF02 -> Determine Version

Result:  SSF_API_OK

Version information:                                      145

         SSFLIB Version 1.840.40 ; CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.15 (+MT) #Copyright (c) SAP AG, 2011-2014#compiled for linux-gcc-4.1-x86-64#

Still the issue is not resolved.

Regards

Lalitha.

0 Kudos

Hi Lalitha,

in this case I would suggest to open a message with support.

Kind regards,

Patrick

jimguo
Advisor
0 Kudos

Hi,

About the following comment:

-----------------------------------------------------------------------------------------------------------------------

The remote host supports the use of SSL ciphers that offer weak encryption.

Note: This is considerably easier to exploit if the attacker is on the same physical network
-----------------------------------------------------------------------------------------------------------------------

What is the remote host? SAP Web dispatcher or PI Servers?

Please also attach the profiles of the SAP Web Dispatcher and the PI servers for analysis.

Thanks.

Jim

0 Kudos

Hi Jim,

The remote host is the PI(7.0) server.

PI server profile

-------------------------------------------------------------------------------------------------------------------------------------

FN_JSTART = jcontrol$(FT_EXE)

ssl/ciphersuites = HIGH:MEDIUM:!mMD5

jstartup/recorder = java -classpath ../j2ee/cluster/bootstrap/launcher.jar com.sap.engine.offline.OfflineToolStart com.sap.engine.flightrecorder.core.Collector ../j2ee/

cluster/bootstrap -node %nodeID% %startTime% -bz $(DIR_GLOBAL) âexitcode %exitcode%

login/accept_sso2_ticket = 1

SAPSYSTEMNAME = APQ

SAPSYSTEM = 00

INSTANCE_NAME = DVEBMGS00

DIR_CT_RUN = $(DIR_EXE_ROOT)/run

DIR_EXECUTABLE = $(DIR_INSTANCE)/exe

jstartup/trimming_properties = off

jstartup/protocol = on

jstartup/vm/home = /opt/IBMJava2-amd64-142

jstartup/max_caches = 500

jstartup/release = 700

jstartup/instance_properties = $(jstartup/j2ee_properties):$(jstartup/sdm_properties)

j2ee/dbdriver = /oracle/client/10x_64/instantclient/ojdbc14.jar

PHYS_MEMSIZE = 512

exe/saposcol = $(DIR_CT_RUN)/saposcol

rdisp/wp_no_dia = 10

rdisp/wp_no_btc = 3

exe/icmbnd = $(DIR_CT_RUN)/icmbnd

rdisp/j2ee_start_control = 1

rdisp/j2ee_start = 1

rdisp/j2ee_libpath = $(DIR_EXECUTABLE)

exe/j2ee = $(DIR_EXECUTABLE)/jcontrol$(FT_EXE)

rdisp/j2ee_timeout = 1800

rdisp/frfc_fallback = on

icm/HTTP/j2ee_0 = PREFIX=/,HOST=localhost,CONN=0-500,PORT=5$$00

icm/server_port_0 = PROT=HTTP,PORT=80$$

#-----------------------------------------------------------------------

# SAP Messaging Service parameters are set in the DEFAULT.PFL

#-----------------------------------------------------------------------

ms/server_port_0 = PROT=HTTP,PORT=81$$

rdisp/wp_no_enq = 1

rdisp/wp_no_vb = 1

rdisp/wp_no_vb2 = 1

rdisp/wp_no_spo = 1

#------------------------------------------------------------

# Jcontrol: Migrated Profile Parameter

#      create at Wed Mar 25 20:20:02 2009

#------------------------------------------------------------

j2ee/instance_id = ID0079698

#------------------------------------------------------------

--------------------------------------------------------------------------------------------------------------------------------------

Web dispatcher profile

SAPSYSTEMNAME = WD0

SAPSYSTEM = 00

INSTANCE_NAME = W00

DIR_CT_RUN = $(DIR_EXE_ROOT)/run

DIR_EXECUTABLE = $(DIR_CT_RUN)

wdisp/shm_attach_mode = 6

#-----------------------------------------------------------------------

# Accessibility of Message Server

#-----------------------------------------------------------------------

#rdisp/mshost = asapq00.b.com

#ms/http_port = 8100

#ms/https_port = 8101

wdisp/system_0 = MSHOST=asapq00.b.com, MSPORT=8100, SID=APQ

#-----------------------------------------------------------------------

# Configuration for medium scenario

#-----------------------------------------------------------------------

icm/max_conn               = 16350

icm/max_sockets            = 32768

wdisp/HTTPS/max_pooled_con = 16350

icm/req_queue_len          = 8000

icm/min_threads            = 100

icm/max_threads            = 500

mpi/total_size_MB          = 700

mpi/buffer_size            = 32768

mpi/max_pipes              = 21000

wdisp/HTTP/max_pooled_con  = 8192

wdisp/HTTPS/max_pooled_con = 8192

#-----------------------------------------------------------------------

# SAP Web Dispatcher Ports

#-----------------------------------------------------------------------

icm/server_port_0 = PROT=HTTP,PORT=80,EXTBIND=1

icm/server_port_1 = PROT=ROUTER,PORT=443,EXTBIND=1

#icm/host_name_full= asapq00.b.com

icm/host_name_full= qtyh2h.k.co.in

icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin,AUTHFILE=/sapmnt/WD0/global/security/data/icmauth.txt

ssl/ssl_lib=/usr/sap/WD0/W00/sec/libsapcrypto.so

wdisp/HTTPS/dest_logon_group = PUBLIC

wdisp/HTTPS/max_client_ip_entries = 100000

wdisp/HTTPS/sticky_mask = 255.255.255.0

#-----------------------------------------------------------------------

#Additional Parameters

#-----------------------------------------------------------------------

wdisp/add_client_protocol_header = true

wdisp/auto_refresh = 120

wdisp/max_servers = 100

wdisp/handle_webdisp_ap_header = 1

#-----------------------------------------------------------------------

#Registering SAP Web Dispatcher in the SLD

#----------------------------------------------------------------------

#wdisp/system_0 = HOST=asapq00.b.com, PORT=8100, SID=APQ, NR=00

#----------------------------------------------------------------

#Parameter to avoid weak SSL ciphers

#--------------------------------------------------------------

ssl/ciphersuites=HIGH:MEDIUM:!mMD5

Regards,

Lalitha

0 Kudos

Hi,

In the profile of the PI server, you don't have the parameters described in note 510007:

ssf/name          = SAPSECULIB

ssf/ssfapi_lib    = <Path and file name of the SAPCRYPTOLIB>

sec/libsapsecu    = <Path and file name of the SAPCRYPTOLIB>

ssl/ssl_lib       = <Path and file name of the SAPCRYPTOLIB>

icm/server_port_X = PROT=HTTPS,PORT=<TCP port number for HTTPS>

Have you maintained them in the default profile?

Thanks.

Jim
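As an added check, not part of Jim's post or of any SAP tool, the following Python reads the two profiles pasted earlier in this thread (trimmed here to the relevant lines; the excerpts are constructed from the posted text) and reports what Jim points out: which of the note 510007 parameters are absent, which icm/server_port entries actually carry PROT=HTTPS, and what ssl/ciphersuites is set to. On the PI instance profile it finds none of the four library parameters and no HTTPS port at all, only HTTP on 80$$; on the Web Dispatcher it finds ssl/ssl_lib but port 443 configured as PROT=ROUTER rather than PROT=HTTPS. PROT=ROUTER is the Web Dispatcher's end-to-end SSL pass-through mode, i.e. Martin's second scenario in which only the application server performs SSL, so the check reports ROUTER ports separately.

```python
"""Check an SAP instance profile for the SSL parameters of note 510007.

Added example. PI_PROFILE and WD_PROFILE are constructed excerpts of the
profiles pasted in this thread; the parameter list is the one Jim quotes.
"""
import re

# Library parameters note 510007 expects in the ABAP server profile, per Jim.
NOTE_510007_PARAMS = ["ssf/name", "ssf/ssfapi_lib", "sec/libsapsecu", "ssl/ssl_lib"]

PI_PROFILE = """\
ssl/ciphersuites = HIGH:MEDIUM:!mMD5
SAPSYSTEMNAME = APQ
SAPSYSTEM = 00
INSTANCE_NAME = DVEBMGS00
icm/HTTP/j2ee_0 = PREFIX=/,HOST=localhost,CONN=0-500,PORT=5$$00
icm/server_port_0 = PROT=HTTP,PORT=80$$
#-----------------------------------------------------------------------
# SAP Messaging Service parameters are set in the DEFAULT.PFL
ms/server_port_0 = PROT=HTTP,PORT=81$$
"""

WD_PROFILE = """\
SAPSYSTEMNAME = WD0
icm/server_port_0 = PROT=HTTP,PORT=80,EXTBIND=1
icm/server_port_1 = PROT=ROUTER,PORT=443,EXTBIND=1
#icm/host_name_full= asapq00.b.com
icm/host_name_full= qtyh2h.k.co.in
ssl/ssl_lib=/usr/sap/WD0/W00/sec/libsapcrypto.so
#Parameter to avoid weak SSL ciphers
ssl/ciphersuites=HIGH:MEDIUM:!mMD5
"""


def parse_profile(text):
    """Parse 'key = value' lines. Lines starting with '#' are comments, so a
    commented-out parameter is not active. Values may contain '=' themselves
    (PROT=HTTP,PORT=80$$), so only the first '=' separates key and value."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def parse_port_spec(value):
    """'PROT=ROUTER,PORT=443,EXTBIND=1' -> {'PROT': 'ROUTER', 'PORT': '443', ...}"""
    spec = {}
    for field in value.split(","):
        if "=" in field:
            k, v = field.split("=", 1)
            spec[k.strip().upper()] = v.strip()
    return spec


def check_ssl_setup(profile_text, required=NOTE_510007_PARAMS):
    """Report missing note 510007 parameters, the ports per protocol, and
    the ssl/ciphersuites value (None if the parameter is absent)."""
    params = parse_profile(profile_text)
    ports_by_prot = {}
    for key, value in params.items():
        if re.fullmatch(r"icm/server_port_\d+", key):
            spec = parse_port_spec(value)
            prot = spec.get("PROT", "").upper()
            ports_by_prot.setdefault(prot, []).append(spec.get("PORT", ""))
    return {
        "missing": [p for p in required if p not in params],
        "https_ports": ports_by_prot.get("HTTPS", []),
        "http_ports": ports_by_prot.get("HTTP", []),
        "router_ports": ports_by_prot.get("ROUTER", []),
        "ciphersuites": params.get("ssl/ciphersuites"),
    }


if __name__ == "__main__":
    print("PI server:", check_ssl_setup(PI_PROFILE))
    # The dispatcher is not an ABAP server; only the crypto library matters there.
    print("Web Dispatcher:", check_ssl_setup(WD_PROFILE, required=["ssl/ssl_lib"]))
```

The ssl/ciphersuites value only affects ports the ICM serves with PROT=HTTPS, so an instance profile with no such port and no ssl/ssl_lib is the first thing to reconcile against whatever the scanner actually connected to.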