
TLS support on SAP ASE 15.7


Hi,

Can anyone confirm that ASE 15.7 supports TLS 1.2?

We can get all cipher suites enabled but does it support TLS 1.2?

               
sp_ssladmin lscipher
             
go

Cipher Suite
Name                                             
Preference

----------------------------------------------------------------
-----------

TLS_RSA_WITH_AES_256_CBC_SHA                                             
1

TLS_RSA_WITH_AES_128_CBC_SHA                                             
2

TLS_RSA_WITH_3DES_EDE_CBC_SHA     
                                      3

TLS_RSA_WITH_RC4_128_SHA                                                 
4

TLS_RSA_WITH_RC4_128_MD5                                                 
5

TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA                       
                6

TLS_DHE_DSS_WITH_RC4_128_SHA                                             
7

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                                       
8

TLS_RSA_WITH_DES_CBC_SHA                                                 
9

TLS_DHE_DSS_WITH_DES_CBC_SHA                                           
10

TLS_DHE_RSA_WITH_DES_CBC_SHA                                           
11

This cipher is found within ASE, and even if it is used it does not mean it is using the TLS 1.2 protocol, since we are not negotiating from the WebSphere application server and we are forcing only TLSv1.2 to be used.

When I tried to retrieve the signer certificate from the WebSphere console, it told me that the database server does not support TLS, and it failed until I changed the security level for WebSphere to accept TLS 1.0 or SSL, which is not acceptable since both protocols are vulnerable (ASE should support TLS 1.2).

And it is used for all secure communications of the application servers, since it is a general configuration over the cell; when it is forced to TLS 1.2 the error appears, and when we decrease it to accept TLS 1.0 or SSLv3 the application server accepts the connection with the database server.

I have attached the RFC that covers TLS/SSL... Please check Appendix A.5 at page 75; you will find that TLS_RSA_WITH_AES_256_CBC_SHA is listed as a cipher suite for TLS 1.2.

Regards,

Marc
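As an added example (not from the post, SAP or WebSphere), the sp_ssladmin lscipher output above can be parsed and audited for weak suites, and negotiated_versions() pins a client to exactly one TLS version per handshake, which is the only way to tell whether a listener actually speaks TLS 1.2 rather than merely listing suites that TLS 1.2 also defines. The sample text, the column layout and the host/port you pass are assumptions.

```python
import re
import socket
import ssl

# Constructed sample (assumed column layout) of the sp_ssladmin lscipher rows from the post.
SAMPLE_LSCIPHER = """\
Cipher Suite Name                        Preference
TLS_RSA_WITH_AES_256_CBC_SHA             1
TLS_RSA_WITH_AES_128_CBC_SHA             2
TLS_RSA_WITH_3DES_EDE_CBC_SHA            3
TLS_RSA_WITH_RC4_128_SHA                 4
TLS_RSA_WITH_RC4_128_MD5                 5
TLS_RSA_WITH_DES_CBC_SHA                 9
"""
# Suite components a reviewer would flag, with the reason.
WEAK_PATTERNS = (
    (re.compile(r"_WITH_DES_"), "single DES (56-bit key)"),
    (re.compile(r"_3DES_"), "3DES (64-bit block size)"),
    (re.compile(r"_RC4_"), "RC4 stream cipher"),
    (re.compile(r"_MD5$"), "MD5-based MAC"),
)

def parse_lscipher(text):
    """Return [(suite, preference)] parsed from sp_ssladmin lscipher output."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(TLS_\S+)\s+(\d+)\s*$", line)
        if m:
            rows.append((m.group(1), int(m.group(2))))
    return rows

def weaknesses(suite):
    """Flagged components of one suite name; an empty list means nothing was flagged."""
    return [why for pat, why in WEAK_PATTERNS if pat.search(suite)]

def audit(text):  # suite -> weaknesses, in the server's preference order
    return {s: weaknesses(s) for s, _ in sorted(parse_lscipher(text), key=lambda r: r[1])}

def negotiated_versions(host, port, timeout=5.0):
    """One handshake per TLS version with min and max pinned; the suite list cannot tell you this."""
    results = {}
    for ver in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # version probe only
            ctx.minimum_version = ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as sock, ctx.wrap_socket(sock) as tls:
                results[ver.name] = tls.cipher()[0]  # suite actually negotiated at this version
        except (OSError, ValueError):  # refused by the peer, or version unsupported by local OpenSSL
            results[ver.name] = None
    return results
```

A None entry from negotiated_versions() means the handshake was refused or the local OpenSSL build itself rejects that version, so confirm the latter with a listener you know accepts it before reading a None as the server's answer.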

Former Member replied:

A bit of explanation - TLS replaced SSL as a superset some time back, e.g. the progression went SSL 1.0 -> SSL 2.0 (1995) -> SSL 3.0 (1996) -> TLS 1.0 (1999) -> TLS 1.1 (2006) -> TLS 1.2 (2008). So saying ASE was using SSL was often more accurately saying ASE was using TLS 1.0. There are recent attacks showing how TLS 1.0 could be vulnerable. At issue is the fact that TLS (and SSL) protocols automatically negotiated down to the most commonly supported level until recently - e.g. if you attempted to connect at TLS 1.1, it would silently downgrade to TLS 1.0, which was vulnerable. As a result, later TLS 1.x versions prohibited downgrades. In June of this year (2016), browsers are required to stop supporting TLS 1.0 - and PCI compliance will dictate this - not only for browsers, but POS terminals as well that might be vulnerable.

What it means for ASE depends. If your browser connects to a middle-tier web server/app server using TLS 1.1 or 1.2 and then the app server connects to ASE, then you are fine, providing you are not concerned about the ability to attack the connection between the app server and ASE - e.g. the app will work; however, you may have issues with certifications such as PCI. However, if your browser runs JavaScript or other logic that attempts a direct SSL connection to ASE, then there will be problems until ASE supports TLS 1.1 or 1.2.

Engineering is aware of this and is trying to find resources to provide support for later revs of TLS. As with anything, the more customers impacted that engineering is aware of, the higher the priority. So, as Ryan states, if you need TLS 1.1 or TLS 1.2 support, please open an incident on BC-SYB-ASE and request TLS 1.1 or 1.2 support as needed, and the dates needed by.
