Trying to disable TLS1.0

Former Member
0 Kudos

I've been testing my Netweaver 7.40 system with common crypto 8.4.37 / 742 kernel, to try and disable TLS1.0.

But for some reason, I can't seem to do it.

I am able to disable SSLv3, but TLS1.0 seems to be enabled even if I set the parameter to only TLS 1.2.

ssl/ciphersuites = 512:HIGH:MEDIUM:+e3DES

ssl/client_ciphersuites = 512:HIGH:MEDIUM:+e3DES

Am I reading it right that based on note 510007, somewhere in the long note, there's a section that says if TLS1.1 or TLS1.2 is used, CommonCrypto will force TLS1.0 to be enabled too?

Basically CommonCrypto forces me to use TLS1.0 even if I do not want it? Or am I reading it wrong and my settings are incorrect?

Accepted Solutions (1)
guilherme_deoliveira
Participant
0 Kudos

Hello Laurence,

You cannot (currently) disable TLSv1.0 on SAP Netweaver with SAPCRYPTOLIB. This is on purpose, because it will very often result in interoperability problems, while providing _no_ actual benefit. The TLS protocol handshake is cryptographically protected, and the security of the protocol is almost exclusively determined by the available cipher suites, rather than the TLS protocol versions that a server has enabled.

Please note that having TLSv1.0 enabled for interoperability, as long as TLSv1.2 is available and preferred, is perfectly OK with NIST SP 800-52 rev. 1.

Similar to NIST SP 800-52 rev. 1, the PCI DSS 3.1 requirements allow the availability of TLSv1.0 for interoperability, as long as TLSv1.2 is available and preferred. PCI DSS 3.1 defines a transition period to TLSv1.2 until June 2016, *AND* it allows the use of POS equipment with TLSv1.0 even *beyond* June 2016 (e.g. Windows POSReady 2009) when a risk assessment is performed.

Disabling TLSv1.0 on the server would immediately and unconditionally kill all interop with perfectly PCI DSS 3.1 compliant implementations that are still limited to TLSv1.0 (and achieved their PCI compliance with a risk assessment).

I hope this clarifies.


Best Regards,
Guilherme de Oliveira
SAP Active Global Support

Former Member
0 Kudos

Hi Oliveira,

Yes, that explained a lot. I was pulling my hair out wondering why it's not working.


Thank you for the detailed information. This will help me a lot.

regards,

Laurence...

Former Member
0 Kudos

Hi Oliveira,

Do you know when SAP plans to allow an option to disable TLSv1.0? Based on what I am reading, some other vendors are already planning to disable TLSv1.0 in 2016. What if we need to disable server TLSv1.0?

regards,

Laurence...

guilherme_deoliveira
Participant
0 Kudos

Hello Laurence,

This is currently being discussed (whether it will be possible to disable TLSv1.0 or not), and we're trying to find out, based on what customers are planning, whether to disable TLSv1.0...

Anyhow, unfortunately there is no date I can provide you on when this will be implemented if so.

Best Regards,
Guilherme de Oliveira

ian_black
Explorer
0 Kudos

Hi All,

I too am being pushed by my security team to disable TLS1.0 access to our Netweaver 7.4 system via https, and only to allow TLS1.2.

Has anybody managed to achieve this or will this facility be available soon does anybody know?

Regards

Ian.

Sunslayer86
Explorer
0 Kudos

The security team just asked me the same thing today. Did you ever figure out how to disable TLS 1.0?

0 Kudos

Guilherme/Ian/Chris

Do you have a solution for this? We are also asked to disable TLS 1.0 and could not find anything from SAP.

guilherme_deoliveira
Participant
0 Kudos

Hello Chris and Manohar,

It is already possible to disable TLS1.0 (it has been for a while). Please check SAP Note 510007 (it was updated), which explains how to disable TLS1.0.

Best Regards,
Guilherme

Answers (1)
Former Member
0 Kudos

Hello Laurence,

Please try with the value set to 534 (512 + 16 + 4 + 2).

The above will try to negotiate the highest level of TLS where available.

Kind Regards,

Amerjit

Former Member
0 Kudos

Unfortunately it doesn't work. If I force it to TLS 1.0 it still does not reject it. I still see TLS 1.0 traffic.

Former Member
0 Kudos

Hi Laurence,

The way I read the note is that v1.0 is enabled by default when you configure 1.1 or 1.2, so if you are "forcing it" to use v1.0 then it will reply with v1.0.

I understand your question that you want to completely disable v1.0 but the note does seem to state it's there for compatibility reasons.

Maybe someone in the more specialised SSO/SSL forum might be able to answer your question, or quite simply open an OSS message.

Have you tried without "forcing" to see what traffic you get? I would hazard a guess at it being v1.2.

Cheers,

Amerjit

Former Member
0 Kudos

I've tried various combinations and am unable to disable TLS1.0.

Also tried forcing it to TLS 1.2 only + NOGAP,

and yet I can still access it via TLS 1.1. I might have to open an OSS message.

ssf/name = SAPSECULIB

ssf/ssfapi_lib = $(SAPCRYPTOLIB)

sec/libsapsecu = $(SAPCRYPTOLIB)

ssl/ssl_lib = $(SAPCRYPTOLIB)

ssl/ciphersuites = 516:HIGH:MEDIUM:+e3DES

ssl/client_ciphersuites = 516:HIGH:MEDIUM:+e3DES
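
What Laurence is doing here, checking from the client side which versions the server really negotiates instead of trusting the profile values, can be scripted so the check is repeatable after every parameter change. The following is an added example and is not part of this thread, SAP's tooling or SAP Note 510007; it does not interpret the numeric prefix of ssl/ciphersuites at all. It hand-builds a ClientHello whose client_version is the version under test and classifies the first record the server sends back. The cipher suite list, the function names (`build_client_hello`, `classify_response`, `probe`) and the two sample records in the offline demo are constructed for the example. Run it only against systems you are allowed to test.

```python
"""Probe which TLS protocol versions a server will actually negotiate.

Added example for this thread; it is not SAP code and does not interpret the
numeric prefix of ssl/ciphersuites. It sends a hand-built ClientHello whose
client_version is the version under test and reads the first record back:
a ServerHello for that version means the server accepts it, an Alert or a
closed connection means it does not. The cipher suite list below is a
constructed set of common code points, not anything taken from the thread.
"""
import socket
import struct
import sys
from os import urandom

VERSIONS = {"SSLv3": 0x0300, "TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
NAMES = {code: name for name, code in VERSIONS.items()}

# Constructed list of widely supported suites (IANA code points) so the
# server has something to pick whatever its HIGH/MEDIUM policy is.
CIPHER_SUITES = [0xC014, 0xC013, 0x009D, 0x009C, 0x0035, 0x002F, 0x000A]

# Alert descriptions a server uses to refuse a version (RFC 5246 7.2, RFC 7507).
ALERTS = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(version: int, sni: str = "") -> bytes:
    """Return one TLS record carrying a ClientHello with client_version = version."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        struct.pack("!H", version)
        + urandom(32)                                   # client random
        + b"\x00"                                       # empty session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                   # one compression method: null
    )
    if sni:                                             # server_name extension (RFC 6066)
        host = sni.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def classify_response(data: bytes, requested: int) -> dict:
    """Interpret the first record the server sent in reply to our ClientHello."""
    if len(data) < 5:
        return {"accepted": False, "version": None, "detail": "no TLS record (connection closed)"}
    content_type, _record_version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if content_type == 0x15 and len(payload) >= 2:                        # Alert
        level, description = payload[0], payload[1]
        name = ALERTS.get(description, str(description))
        return {"accepted": False, "version": None, "detail": f"alert {name} (level {level})"}
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:  # ServerHello
        negotiated = struct.unpack("!H", payload[4:6])[0]
        return {
            "accepted": negotiated == requested,      # a lower version is a downgrade, not acceptance
            "version": NAMES.get(negotiated, hex(negotiated)),
            "detail": "ServerHello",
        }
    return {"accepted": False, "version": None, "detail": f"unexpected record type {content_type:#x}"}


def probe(host: str, port: int, version_name: str, timeout: float = 5.0) -> dict:
    """Connect, send a ClientHello for version_name and classify the reply."""
    requested = VERSIONS[version_name]
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(requested, sni=host))
        try:
            while True:
                if len(data) >= 5:
                    length = struct.unpack("!H", data[3:5])[0]
                    if len(data) >= 5 + min(length, 6):   # enough for an alert or the ServerHello version
                        break
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    return classify_response(data, requested)


def main(argv: list) -> None:
    if len(argv) == 3:
        host, port = argv[1], int(argv[2])
        for name in VERSIONS:
            result = probe(host, port, name)
            print(f"{name:8s} accepted={result['accepted']!s:5s} negotiated={result['version']} ({result['detail']})")
    else:
        # Offline demo on constructed records: a protocol_version alert and a TLSv1.0 ServerHello.
        alert = b"\x15\x03\x01\x00\x02\x02\x46"
        hello = b"\x16\x03\x01\x00\x2a\x02\x00\x00\x26\x03\x01" + b"\x00" * 32 + b"\x00\x00\x2f\x00"
        print("alert       ->", classify_response(alert, VERSIONS["TLSv1.0"]))
        print("ServerHello ->", classify_response(hello, VERSIONS["TLSv1.0"]))
        print("usage: probe_tls.py HOST PORT")


if __name__ == "__main__":
    main(sys.argv)
```

`accepted` is only True when the ServerHello carries exactly the version that was offered; a ServerHello with a lower version means the server does not speak the probed version but did downgrade to the lower one, which is the case to watch for when the goal is "TLS 1.2 only". For a one-off check of a single version, `openssl s_client -connect host:443 -tls1` (or `-tls1_1`) shows the same thing: a completed handshake means that version is still enabled.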

Former Member
0 Kudos

Hey,

I'd ask the mod to move the message to the SSO forum and give it a go with an OSS message in parallel.

Good luck.

Cheers,

A.