on 09-22-2015 5:39 AM
I've been testing my Netweaver 7.40 system with common crypto 8.4.37 / 742 kernel, to try and disable TLS1.0.
But for some reason, I can't seem to do it.
I am able to disable SSLV3, but TLS1.0 seems to be enabled even if I set the parameter to only TLS 1.2.
ssl/ciphersuites = 512:HIGH:MEDIUM:+e3DES
ssl/client_ciphersuites = 512:HIGH:MEDIUM:+e3DES
Am I reading it right that, based on note 510007, somewhere in the long note there's a section that says if TLS1.1 or TLS1.2 is used, CommonCrypto will force TLS1.0 to be enabled too?
Basically CommonCrypto forces me to use TLS1.0 even if I do not want it? Or am I reading it wrong and my settings are incorrect?
Hello Laurence,
You cannot (currently) disable TLSv1.0 on SAP Netweaver with SAPCRYPTOLIB. This is on purpose, because it will very often result in interoperability problems, while providing _no_ actual benefit. The TLS protocol handshake is cryptographically protected, and the security of the protocol is almost exclusively determined by the available cipher suites, rather than the TLS protocol versions that a server has enabled.
Please notice that having TLSv1.0 enabled for interoperability, as long as TLSv1.2 is available and preferred, is perfectly OK with NIST SP 800-52 rev. 1.
Similar to NIST SP 800-52 rev. 1, the PCI DSS 3.1 requirements allow the availability of TLSv1.0 for interoperability, as long as TLSv1.2 is available and preferred. PCI DSS 3.1 defines a transition period to TLSv1.2 until June 2016, *AND* it allows the use of POS equipment with TLSv1.0 even *beyond* June 2016 (e.g. Windows POSReady 2009) when a risk assessment is performed.
Disabling TLSv1.0 on the server would immediately and unconditionally kill all interop with perfectly PCI DSS 3.1 compliant implementations that are still limited to TLSv1.0 (and achieved their PCI compliance with a risk assessment).
I hope this clarifies.
Best Regards,
Guilherme de Oliveira
SAP Active Global Support
Hello Laurence,
This is currently being discussed (whether to disable TLSv1.0 will be possible or not) and we're trying to find out based on what customers are planning to disable TLSv1.0...
Anyhow, unfortunately there is no date I can provide you on when this will be implemented if so.
Best Regards,
Guilherme de Oliveira
Hello Laurence,
Please try with the value set to 534 (512 + 16 + 4 + 2).
The above will try to negotiate the highest level of TLS where available.
Kind Regards,
Amerjit
Hi Laurence,
The way I read the note is that v1.0 is enabled by default when you configure 1.1 or 1.2. So if you are "forcing it" to use v1.0 then it will reply with v1.0.
I understand your question that you want to completely disable v1.0, but the note does seem to state it's there for compatibility reasons.
Maybe someone in the more specialised SSO/SSL forum might be able to answer your question, or quite simply open an OSS message.
Have you tried without "forcing" to see what traffic you get? I would hazard a guess at it being v1.2.
Cheers,
Amerjit
I've tried various combinations and am unable to disable TLS1.0.
Also tried forcing it to only TLS 1.2 + NOGAP,
and yet I can still access it via TLS 1.1. I might have to open an OSS message.
ssf/name = SAPSECULIB
ssf/ssfapi_lib = $(SAPCRYPTOLIB)
sec/libsapsecu = $(SAPCRYPTOLIB)
ssl/ssl_lib = $(SAPCRYPTOLIB)
ssl/ciphersuites = 516:HIGH:MEDIUM:+e3DES
ssl/client_ciphersuites = 516:HIGH:MEDIUM:+e3D
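The thread's open question is whether the server really still negotiates TLS 1.0/1.1 after the profile change, which is best settled by probing the listener rather than re-reading the note. The following Go program is an added example, not part of this thread and not SAP or CommonCryptoLib code: it stands up a local TLS server restricted to a chosen version window (standing in for the ICM, with an in-memory self-signed certificate instead of a PSE) and then probes it with a client pinned to one protocol version at a time. Against a real NetWeaver system you would run only the ProbeVersion half against host:port with the appropriate trust store; ScanLocal, startServer and the version window values are my own names and constructed inputs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Protocol versions to probe, lowest first; the names are the keys of the result map.
var probeVersions = []struct {
	Name string
	ID   uint16
}{
	{"TLSv1.0", tls.VersionTLS10},
	{"TLSv1.1", tls.VersionTLS11},
	{"TLSv1.2", tls.VersionTLS12},
	{"TLSv1.3", tls.VersionTLS13},
}

// selfSignedCert builds a throwaway certificate for the stand-in server
// (constructed in memory here; a real ICM serves the certificate from its PSE).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "stand-in-server"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, roots, nil
}

// startServer listens on a loopback port and accepts only versions in [minVer, maxVer],
// i.e. the policy the thread is trying to express through ssl/ciphersuites.
func startServer(cert tls.Certificate, minVer, maxVer uint16) (net.Listener, error) {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: minVer, MaxVersion: maxVer}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed by ScanLocal
			}
			go func(c net.Conn) {
				defer c.Close()
				// Drive the handshake to completion (or to the protocol_version alert)
				// so the client-side outcome reflects the server's version policy.
				if tc, ok := c.(*tls.Conn); ok {
					_ = tc.Handshake()
				}
			}(c)
		}
	}()
	return ln, nil
}

// ProbeVersion pins the client to exactly one protocol version and reports whether
// the server completed the handshake. This is the half to point at a real host:port.
func ProbeVersion(addr string, roots *x509.CertPool, ver uint16) bool {
	cfg := &tls.Config{RootCAs: roots, MinVersion: ver, MaxVersion: ver}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 3 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// ScanLocal starts a stand-in server with the given version window and probes it
// with every version, returning name -> accepted.
func ScanLocal(minVer, maxVer uint16) (map[string]bool, error) {
	cert, roots, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	ln, err := startServer(cert, minVer, maxVer)
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	result := make(map[string]bool, len(probeVersions))
	for _, v := range probeVersions {
		result[v.Name] = ProbeVersion(ln.Addr().String(), roots, v.ID)
	}
	return result, nil
}

func main() {
	// Window mirroring the thread: TLSv1.0 left reachable next to TLSv1.2.
	res, err := ScanLocal(tls.VersionTLS10, tls.VersionTLS13)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, v := range probeVersions {
		fmt.Printf("%s accepted: %v\n", v.Name, res[v.Name])
	}
}
```

The probe reports acceptance per version independently of cipher suite choice, so it answers exactly the question in the thread: with the permissive window TLSv1.0 and TLSv1.1 show as accepted even though TLSv1.2 is available, and only a window starting at TLSv1.2 makes them fail.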