
XPI_INSPECTOR- modification of default security protocol SSL v3 -under option 11- Authentication, SSL

Former Member
0 Kudos

Hello PI experts:

We have a requirement to connect to an external HTTPS URL with a secure protocol, TLS 1.0 or higher. When we try to test SSL connectivity using XPI_Inspector with option 11, which is Authentication, SSL, we were told by the Network/Basis team that by default it is choosing SSL v3, and it is failing because the external URL expects TLS 1.0 or higher. We would like to know whether there is a way to force XPI_Inspector to choose TLS 1.0 or higher instead of SSL v3.

Here is the error that we received in XPI trace:

Begin IAIK Debug:

ssl_debug(9): Starting handshake (iSaSiLk 4.5)...

ssl_debug(9): Sending v3 client_hello message to dev.xxxxxx.local:443, requesting version 3.1...

ssl_debug(9): IOException while handshaking: Connection reset

ssl_debug(9): Sending alert: Alert Fatal: handshake failure

ssl_debug(9): Exception sending message: java.net.SocketException: Broken pipe

ssl_debug(9): Shutting down SSL layer...

ssl_debug(9): Closing transport...

End IAIK Debug.

We were told V3 Client_hello means XPI is initiating the message with SSL v3, but we would like to tell the inspector to initiate with TLS 1.0 or higher.

Any inputs on this will be appreciated.

Thanks,

Ganesh B

Accepted Solutions (0)

Answers (1)


mate_moricz
Advisor
0 Kudos

Hello Ganesh,

The XPI Inspector can't be forced to use another security level, such as TLS 1.0, if your system uses SSLv3. The XPI Inspector tool uses the system's default settings, so you can't change that.

The problem in your case is that you still have SSLv3 enabled. SSLv3 has been disabled by default from some SAP JVM levels:

8.1.003

7.1.028

6.1.074

5.1.100

4.1.050

For more information refer to SAP Note 2199062 - SSL protocol and algorithm deprecation in SAP JVM.

The property "jdk.tls.disabledAlgorithms" in file <jdk dir>/jre/lib/security/java.security contains SSLv3 from those SAP JVM levels which disable the SSLv3 protocol for SSL connections initiated over the JDK SSL layer. In your case SSLv3 is still enabled.

You can either edit the mentioned security file to disable SSLv3 or upgrade to at least the mentioned SAP JVM levels, and after that restart your AS Java.

Regards,

Mate
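
The check described in the answer above, as an added example that is not part of the original thread or of any SAP tooling: a Python script that reads the text of a java.security file and reports whether SSLv3 is listed in jdk.tls.disabledAlgorithms, handling comments, backslash line continuations and repeated definitions. The function names and the two sample files are constructed for illustration, and the script looks only at the text it is given, not at any override applied elsewhere.

```python
# Added example: checks one java.security text for the SSLv3 entry.
PROP = "jdk.tls.disabledAlgorithms"

def logical_lines(text):
    """Yield property entries, joining backslash-continued lines."""
    buf, continuing = "", False
    for raw in text.splitlines():
        line = raw.strip()
        if not continuing and (not line or line[0] in "#!"):
            continue  # blank line or comment outside a continuation
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:  # odd count: real continuation, not an escaped "\\"
            buf, continuing = buf + line[:-1], True
            continue
        yield buf + line
        buf, continuing = "", False
    if continuing:
        yield buf

def disabled_algorithms(text, prop=PROP):
    """Return the entries of prop as a list, or None if it is not set."""
    value = None
    for entry in logical_lines(text):
        key, sep, val = entry.partition("=")
        if sep and key.strip() == prop:
            value = val  # a later definition replaces an earlier one
    if value is None:
        return None
    return [item.strip() for item in value.split(",") if item.strip()]

def sslv3_disabled(text):
    """True only when SSLv3 is listed in jdk.tls.disabledAlgorithms."""
    algs = disabled_algorithms(text)
    return algs is not None and any(a.lower() == "sslv3" for a in algs)

# Constructed sample files (not taken from any real system).
SSLV3_STILL_ENABLED = r"""
# jdk.tls.disabledAlgorithms=SSLv3
jdk.tls.disabledAlgorithms=RC4, \
    DH keySize < 768
"""
SSLV3_DISABLED = r"""
jdk.tls.disabledAlgorithms=SSLv3, RC4, \
    DH keySize < 768
"""

if __name__ == "__main__":
    for name, text in [("before", SSLV3_STILL_ENABLED), ("after", SSLV3_DISABLED)]:
        print(name, disabled_algorithms(text), "SSLv3 disabled:", sslv3_disabled(text))
```

To check a real installation, pass the contents of the java.security file named in the answer to `sslv3_disabled`.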

Former Member
0 Kudos

After updating the respective ciphers on the target system where the HTTPS URL resides, connectivity started working perfectly from XPI_inspector with TLS 1.0 or higher.

Thanks

Ganesh