
Trying to disable TLS1.0

Former Member
0 Kudos

I've been testing my Netweaver 7.40 system with common crypto 8.4.37 / 742 kernel, to try and disable TLS1.0.

But for some reason, I can't seem to do it.

I am able to disable SSLv3, but TLS1.0 seems to be enabled even if I set the parameters to only TLS 1.2.

ssl/ciphersuites = 512:HIGH:MEDIUM:+e3DES

ssl/client_ciphersuites = 512:HIGH:MEDIUM:+e3DES

Am I reading it right that, based on note 510007, somewhere in the long note there's a section that says if TLS1.1 or TLS1.2 is used, CommonCrypto will force TLS1.0 to be enabled too?

Basically, CommonCrypto forces me to use TLS1.0 even if I do not want it? Or am I reading it wrong and my settings are incorrect?
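A way to check from the outside which protocol versions the ICM HTTPS port actually negotiates after a profile change, as an added example that is neither the poster's nor SAP's code. The host and port are placeholders; the probe deliberately separates "the server refused this version" from "this client cannot even offer it", because a modern OpenSSL build will not offer TLS 1.0 on its own unless its security level is lowered, which would otherwise make a still-enabled TLS 1.0 look disabled.

```python
"""Probe which TLS protocol versions an HTTPS endpoint negotiates (added example)."""
import socket
import ssl

# Names mapped to the version constants exposed by the ssl module.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def client_context(version):
    """Client context pinned to exactly one protocol version.

    Certificate verification is off because the question is the version,
    not the chain; SECLEVEL=0 lets a current OpenSSL still offer legacy versions.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe(host, port=443, timeout=5.0):
    """Return {version_name: 'accepted' | 'rejected' | 'error: ...'}."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            ctx = client_context(version)
        except (ssl.SSLError, ValueError) as exc:
            results[name] = f"error: client cannot offer this version ({exc})"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = "accepted" if tls.version() else "rejected"
        except ssl.SSLError as exc:
            # "no protocols available" comes from the local library, not the server.
            if "no protocols available" in str(exc).lower():
                results[name] = f"error: client cannot offer this version ({exc.reason})"
            else:
                results[name] = "rejected"
        except OSError as exc:  # refused, timed out, unresolved, no network
            results[name] = f"error: {exc}"
    return results


def legacy_versions_accepted(results):
    """Versions a TLS 1.2-only policy would still want to see rejected."""
    return [v for v in ("TLSv1.0", "TLSv1.1") if results.get(v) == "accepted"]


if __name__ == "__main__":
    print(probe("sapserver.example.invalid"))  # placeholder host, not a real system
```

Run it against the NetWeaver host and HTTPS port before and after the profile change; an entry that reads "error: client cannot offer" means the probing machine, not the server, is the limiting factor.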

0 Kudos

Hello Laurence,

You cannot (currently) disable TLSv1.0 on SAP NetWeaver with SAPCRYPTOLIB. This is on purpose, because it will very often result in interoperability problems, while providing _no_ actual benefit. The TLS protocol handshake is cryptographically protected, and the security of the protocol is almost exclusively determined by the available cipher suites, rather than the TLS protocol versions that a server has enabled.

Please notice that having TLSv1.0 enabled for interoperability, as long as TLSv1.2 is available and preferred, is perfectly OK with NIST SP 800-52 rev. 1.

Similar to NIST SP 800-52 rev. 1, the PCI DSS 3.1 requirements allow the availability of TLSv1.0 for interoperability, as long as TLSv1.2 is available and preferred. PCI DSS 3.1 defines a transition period to TLSv1.2 until June 2016, *AND* it allows the use of POS equipment with TLSv1.0 even *beyond* June 2016 (e.g. Windows POSReady 2009) when a risk assessment is performed.

Disabling TLSv1.0 on the server would immediately and unconditionally kill all interop with perfectly PCI DSS 3.1 compliant implementations that are still limited to TLSv1.0 (and achieved their PCI compliance with a risk assessment).

I hope this clarifies.


Best Regards,
Guilherme de Oliveira
SAP Active Global Support

Former Member
0 Kudos

Hi Oliveira,

Yes, that explained a lot. I was pulling my hair out wondering why it's not working.

Thank you for the detailed information. This will help me a lot.

regards,

Laurence...

Former Member
0 Kudos

Hi Oliveira,

Do you know when SAP plans to allow an option to disable TLSv1.0? Based on what I am reading, some other vendors are already planning to disable TLSv1.0 in 2016. What if we need to disable server TLSv1.0?

regards,

Laurence...

0 Kudos

Hello Laurence,

This is currently being discussed (whether disabling TLSv1.0 will be possible or not), and we're trying to find out what customers are planning based on whether they intend to disable TLSv1.0...

Anyhow, unfortunately there is no date I can provide you on when this will be implemented if so.

Best Regards,
Guilherme de Oliveira

ian_black
Explorer
0 Kudos

Hi All,

I too am being pushed by my security team to disable TLS1.0 access to our NetWeaver 7.4 system via HTTPS, and to allow only TLS1.2.

Has anybody managed to achieve this, or does anybody know whether this facility will be available soon?

Regards

Ian.

Sunslayer86
Explorer
0 Kudos

The security team just asked me the same thing today. Did you ever figure out how to disable TLS 1.0?

manoharjakkula2
Newcomer
0 Kudos

Guilherme/Ian/Chris

Do you have a solution for this? We have also been asked to disable TLS 1.0 and could not find anything from SAP.

0 Kudos

Hello Chris and Manohar,

It has already been possible to disable TLS1.0 for a while now. Please check SAP Note 510007 (it was updated), which explains how to disable TLS1.0.

Best Regards,
Guilherme