TLS support on SAP ASE 15.7
Can anyone confirm that ASE 15.7 supports TLS 1.2?
We can get all cipher suites enabled but does it support TLS 1.2?
This cipher is found within ASE, and even if it is used, it does not mean it is using the TLS 1.2 protocol, since we are not negotiating from the WebSphere application server and we are forcing only TLSv1.2 to be used.
When I tried to retrieve the signer certificate from the WebSphere console, it reported that the database server does not support TLS, and it failed until I changed the security level for WebSphere to accept TLS 1.0 or SSL, which is not acceptable since both protocols are vulnerable (ASE should support TLS 1.2).
And it is used for all secure communications of the application servers, since it is a general configuration over the cell: when it is forced to TLS 1.2 the error appears, and when we lower it to accept TLS 1.0 or SSLv3 the application server accepts the connection with the database server.
I have attached the RFC that covers TLS/SSL. Please check Appendix A.5 on page 75; you will find that TLS_RSA_WITH_AES_256_CBC_SHA is listed as a cipher suite for TLS 1.2.
Jeff Tallman replied
A bit of explanation: TLS replaced SSL as a superset some time back. The progression went SSL 1.0 -> SSL 2.0 (1995) -> SSL 3.0 (1996) -> TLS 1.0 (1999) -> TLS 1.1 (2006) -> TLS 1.2 (2008). So saying ASE was using SSL was often more accurately a statement that ASE was using TLS 1.0. There are recent attacks showing how TLS 1.0 could be vulnerable. At issue is the fact that the TLS (and SSL) protocols, until recently, automatically negotiated down to the most commonly supported level; e.g. if you attempted to connect at TLS 1.1, it would silently downgrade to TLS 1.0, which was vulnerable. As a result, later TLS 1.x versions prohibited downgrades. In June of this year (2016), browsers are required to stop supporting TLS 1.0, and PCI compliance will dictate this not only for browsers but for POS terminals as well that might be vulnerable.
Engineering is aware of this and is trying to find resources to provide support for later revs of TLS. As with anything, the more impacted customers engineering is aware of, the higher the priority. So, as Ryan states, if you need TLS 1.1 or TLS 1.2 support, please open an incident on BC-SYB-ASE and request TLS 1.1 or 1.2 support as needed, along with the dates by which it is needed.
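The symptom in this thread (an application server configured to accept only TLS 1.2 refusing to connect to a server that cannot speak it, while relaxing the floor to an older version makes the connection succeed) is a plain version-negotiation mismatch, independent of which cipher suites each side lists. The Go program below, added here as an illustration and not code from SAP, IBM or anyone in the thread, reproduces that behaviour locally: it runs a TLS handshake over an in-memory pipe between a server capped at a chosen maximum version and a client that refuses anything below a chosen minimum, and reports the negotiated version or the handshake error. The certificate, host name `ase-demo.invalid` and the `Negotiate` function are all constructed for the demo; the scenarios use TLS 1.2 and 1.3 because current toolchains ship those by default, but the mechanics are the same as the TLS 1.0 versus TLS 1.2 mismatch described above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// VersionName maps a crypto/tls protocol constant to the name used in the thread.
func VersionName(v uint16) string {
	switch v {
	case tls.VersionTLS10:
		return "TLS 1.0"
	case tls.VersionTLS11:
		return "TLS 1.1"
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

// selfSignedCert creates a throwaway ECDSA certificate in memory for the demo
// server (constructed test material, not a real ASE or WebSphere certificate).
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// Negotiate performs one TLS handshake over an in-memory pipe between a server
// whose highest protocol is serverMax and a client whose lowest accepted
// protocol is clientMin (the "force only TLSv1.2" setting from the thread).
// It returns the agreed version, or the handshake error when the client's
// floor lies above the server's ceiling.
func Negotiate(serverMax, clientMin uint16) (uint16, error) {
	host := "ase-demo.invalid"
	cert, leaf, err := selfSignedCert(host)
	if err != nil {
		return 0, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client trusts exactly this demo certificate

	serverMin := uint16(tls.VersionTLS12)
	if serverMax < serverMin {
		serverMin = serverMax // allow modelling a pre-1.2-only server where the toolchain still permits it
	}
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             serverMin,
		MaxVersion:             serverMax,
		SessionTicketsDisabled: true, // keeps the server's first flight from outrunning the synchronous pipe
	}
	clientCfg := &tls.Config{
		RootCAs:    pool,
		ServerName: host,
		MinVersion: clientMin,
	}

	clientRaw, serverRaw := net.Pipe()
	defer clientRaw.Close()
	defer serverRaw.Close()

	serverDone := make(chan error, 1)
	go func() { serverDone <- tls.Server(serverRaw, serverCfg).Handshake() }()

	client := tls.Client(clientRaw, clientCfg)
	if err := client.Handshake(); err != nil {
		clientRaw.Close() // unblock the server side, then report the client's view of the failure
		<-serverDone
		return 0, err
	}
	if err := <-serverDone; err != nil {
		return 0, err
	}
	return client.ConnectionState().Version, nil
}

func main() {
	scenarios := []struct{ serverMax, clientMin uint16 }{
		{tls.VersionTLS12, tls.VersionTLS13}, // client demands more than the server offers
		{tls.VersionTLS12, tls.VersionTLS12}, // both sides meet at TLS 1.2
		{tls.VersionTLS13, tls.VersionTLS12}, // server newer than the client's floor
	}
	for _, s := range scenarios {
		v, err := Negotiate(s.serverMax, s.clientMin)
		if err != nil {
			fmt.Printf("server max %s, client min %s: handshake failed: %v\n",
				VersionName(s.serverMax), VersionName(s.clientMin), err)
			continue
		}
		fmt.Printf("server max %s, client min %s: negotiated %s\n",
			VersionName(s.serverMax), VersionName(s.clientMin), VersionName(v))
	}
}
```

The first scenario is the thread's situation in miniature: the client's floor is above the server's ceiling, so the handshake fails with a protocol-version alert rather than falling back, which is the behaviour the downgrade prohibition described above is meant to guarantee. Lowering the client's floor to meet the server, as was done for WebSphere, makes the connection succeed at the lower version, which is why the fix has to come from the server side offering TLS 1.2 rather than from the client accepting less.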