Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
TLS v1.2 with APR Tomcat connector

Former Member
0 Kudos

Hello,

I hope it's the best place to post...

I have a problem with "BO Live Office" 4.1 SP7: I can't connect in HTTPS with TLS v1.2 to the "Tomcat 7.0.59" + "Java 8" server.

The /!\ bubble says something like "certificate not properly configured or cipher suite mismatch between client & server".

It works if I allow TLS v1.0, and we don't want clients to connect with such an old protocol (released in 1999: quite obsolete!).

How can I configure "Tomcat 7", "Axis2"... to make "Live Office" connect with TLS v1.2?

Here is the present definition, perhaps partial, of the connector in "server.xml" that I'd like to be OK with "Live Office":

-----

<Connector
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    port="443"
    maxThreads="200"
    scheme="https"
    secure="true"
    SSLEnabled="true"
    SSLCertificateFile="C:\...\Java\xyz.crt"
    SSLCertificateKeyFile="C:\...\Java\xyz.pem"
    SSLVerifyClient="optional"
    SSLProtocol="TLSv1.2"/>

-----

To get "Live Office" to work in HTTPS, I have to change:

     SSLProtocol="TLSv1.2"

into

     SSLProtocol="TLSv1.0"

Thanks.

Regards,

Stephane.

1 ACCEPTED SOLUTION

LutzR
Active Contributor
0 Kudos

Hi Stephane, do you already have an update on this? I am not deep into BI/BO but I might give a hint for further analysis.

If TLS1.2 is not supported somewhere this is typically caused by some old JAVA runtime involved. Java up to 6.0 does not support TLS1.2. This was added with JDK 7.

So is the Live Office client Java based? If yes, which JRE version does it use (on the client)? Is Live Office based on the DSCLIENTxyz installer? This installer contains its own SAP JRE 6.0 installation, so it will not support TLS 1.2 if used.

Regards,

Lutz

6 REPLIES

Former Member
0 Kudos

Hi Lutz,

I had a call with SAP yesterday.

There are 2 problems with security in "LiveOffice 4.1 SP7" (LO).

1 - Authentication phase (LO/Options/Enterprise tab/Web services URL): even with JRE8 + Tomcat 7, TLSv1.2 can't be used since LO is compiled with .NET 3.5, which offers only old TLSv1 cipher suites. SAP needs to recompile LO with .NET 4.5, which supports TLSv1.2, to solve the problem (perhaps in the next SP8).

The best cipher suites supported by LO 4.1SP7 are:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA    (C014)

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA    (C013)

This is not actually confirmed by SAP (it's rather a question for the Microsoft .NET team), but they are the first two suites in the HTTPS "Hello" packet sent by LO to the Tomcat server.

00000000  16 03 01 00 76 01 00 00  72 03 01 56 A7 C0 59 D5   ....v... r..V..Y.
00000010  DC 74 7A 16 BC 7C 26 FB  B4 5B CD C1 DF 5B 33 B6   .tz..|&. .[...[3.
00000020  93 47 1A B0 BE 50 10 24  21 7D 08 00 00 18 C0 14   .G...P.$ !}......
00000030  C0 13 00 35 00 2F C0 0A  C0 09 00 38 00 32 00 0A   ...5./.. ...8.2..
00000040  00 13 00 05 00 04 01 00  00 31 00 00 00 14 00 12   ........ .1......

They are the best suites available with TLSv1.

Alas, CBC and SHA have known vulnerabilities solved in TLSv1.2.

2 - Connection phase & data exchange (after clicking on [ Connexion ] in  LO): as you've guessed, LO communicates with WACS that uses old "Java 6". Unlike with Tomcat, alas, there is no possibility to connect WACS to a JRE7 or JRE8.

Good news is that the BO BI 4.2 release will include "Java 8" to replace "Java 6".

Conclusion:

If you have to handle "secret" or "top secret" data with "Live Office 4.1 SP7", it is urgent to wait for BI 4.2 or BI 4.1 SP8.

Regards,

Stéphane.
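Added example (not from the thread, SAP or Microsoft): a small Python decoder for the ClientHello bytes quoted in the post above. It reads out the highest protocol version the client offers (0x0301, TLS 1.0) and the cipher-suite list starting with C014 and C013, and shows why a connector pinned to SSLProtocol="TLSv1.2" refuses that hello. Suite names are the IANA registry names; only the fields present in the truncated capture are decoded.

```python
import struct
# Copy of the five hexdump lines quoted above; the capture stops at 80 of the 123 record bytes.
HEXDUMP = """\
00000000  16 03 01 00 76 01 00 00  72 03 01 56 A7 C0 59 D5   ....v... r..V..Y.
00000010  DC 74 7A 16 BC 7C 26 FB  B4 5B CD C1 DF 5B 33 B6   .tz..|&. .[...[3.
00000020  93 47 1A B0 BE 50 10 24  21 7D 08 00 00 18 C0 14   .G...P.$ !}......
00000030  C0 13 00 35 00 2F C0 0A  C0 09 00 38 00 32 00 0A   ...5./.. ...8.2..
00000040  00 13 00 05 00 04 01 00  00 31 00 00 00 14 00 12   ........ .1......
"""

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
# IANA registry names for the twelve suite codes that occur in this capture.
SUITES = {
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", 0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", 0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", 0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x0004: "TLS_RSA_WITH_RC4_128_MD5",
}

def hexdump_to_bytes(dump):
    """Keep the 16 hex columns of each line, dropping the offset and ASCII columns."""
    return bytes(int(tok, 16) for line in dump.splitlines() for tok in line.split()[1:17])

def parse_client_hello(data):
    """Decode record header, ClientHello version and cipher_suites (RFC 5246 section 7.4.1.2)."""
    if len(data) < 11 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    record_len = struct.unpack_from(">H", data, 3)[0]
    client_ver = struct.unpack_from(">H", data, 9)[0]   # highest version the client offers
    pos = 11 + 32                                       # skip the 32-byte client random
    pos += 1 + data[pos]                                # skip the length-prefixed session_id
    n = struct.unpack_from(">H", data, pos)[0]          # cipher_suites length in bytes
    if pos + 2 + n > len(data):
        raise ValueError("capture truncated inside cipher_suites")
    codes = struct.unpack_from(">%dH" % (n // 2), data, pos + 2)
    return {
        "truncated": len(data) < 5 + record_len,        # capture shorter than the TLS record
        "client_version": client_ver,
        "client_version_name": VERSIONS.get(client_ver, "0x%04X" % client_ver),
        "cipher_suites": [SUITES.get(c, "unknown_0x%04X" % c) for c in codes],
    }

def server_will_accept(hello, server_protocol="TLSv1.2"):
    """A connector pinned to one version (SSLProtocol="TLSv1.2") only completes the
    handshake if the client's highest offered version is at least that one."""
    server_ver = {name: code for code, name in VERSIONS.items()}[server_protocol]
    return hello["client_version"] >= server_ver
```

Every suite the client offers is CBC or RC4 with SHA-1/MD5 MACs, and the hello carries no TLS 1.2 version, which matches the "cipher suite mismatch" bubble when the server allows only TLSv1.2.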

mvoros
Active Contributor
0 Kudos

Hi,

I think you could also do some workaround like setting up an IPSEC tunnel between those two systems so the data would be transferred using a better cipher suite. Or use some reverse proxy on both systems. But of course this adds additional complexity to your landscape.

Cheers

LutzR
Active Contributor
0 Kudos

Hi Stéphane, great to know that we not only have to care about old JAVA runtimes but also about old .NET. Thank you for your detailed elaboration!

Have a nice day,

Lutz

Former Member
0 Kudos

Hi Martin,

Absolutely yes!

By the way, a VPN is planned for external users but will be available in at least 6 months.

Regards,

Stéphane.

Former Member
0 Kudos

Hi Lutz,

I forgot to give, for curious persons, the two useful links I used to decode the HTTPS handshake (captured with the very simple "Smart Sniffer" free tool):

# Packet analysis

https://www.ntu.edu.sg/home/ehchua/programming/webprogramming/HTTP_SSL.html

# Identify a cipher suite from its code

tls and ssl cipher suites | research | sprawl

Good discovery!

Stéphane.