on 09-22-2015 5:39 AM
I've been testing my NetWeaver 7.40 system with CommonCryptoLib 8.4.37 / 742 kernel, to try and disable TLS 1.0.
But for some reason, I can't seem to do it.
I am able to disable SSLv3, but TLS 1.0 seems to be enabled even if I set the parameter to only TLS 1.2.
ssl/ciphersuites = 512:HIGH:MEDIUM:+e3DES
ssl/client_ciphersuites = 512:HIGH:MEDIUM:+e3DES
Am I reading it right that, based on note 510007, somewhere in the long note there's a section that says if TLS 1.1 or TLS 1.2 is used, CommonCryptoLib will force TLS 1.0 to be enabled too?
Basically, CommonCryptoLib forces me to use TLS 1.0 even if I do not want it? Or am I reading it wrong and my settings are incorrect?
Hello Laurence,
You cannot (currently) disable TLSv1.0 on SAP NetWeaver with SAPCRYPTOLIB. This is on purpose, because it will very often result in interoperability problems, while providing _no_ actual benefit. The TLS protocol handshake is cryptographically protected, and the security of the protocol is almost exclusively determined by the available cipher suites, rather than the TLS protocol versions that a server has enabled.
Please notice that having TLSv1.0 enabled for interoperability, as long as TLSv1.2 is available and preferred, is perfectly OK with NIST SP 800-52 rev. 1.
Similar to NIST SP 800-52 rev. 1, the PCI DSS 3.1 requirements allow the availability of TLSv1.0 for interoperability, as long as TLSv1.2 is available and preferred. PCI DSS 3.1 defines a transition period to TLSv1.2 until June 2016, *AND* it allows the use of POS equipment with TLSv1.0 even *beyond* June 2016 (e.g. Windows POSReady 2009) when a risk assessment is performed.
Disabling TLSv1.0 on the server would immediately and unconditionally kill all interop with perfectly PCI DSS 3.1 compliant implementations that are still limited to TLSv1.0 (and achieved their PCI compliance with a risk assessment).
I hope this clarifies.
Best Regards,
Guilherme de Oliveira
SAP Active Global Support
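Whatever the parameter says, the only reliable way to know which protocol versions a server really negotiates is to offer each version on its own and see which handshakes the server completes. The program below is an added example, not SAP's or the original poster's code: it starts a local TLS server on 127.0.0.1 with a configurable version floor (a stand-in for the behaviour the question is trying to get out of CommonCryptoLib), then probes it once per TLS version with a client pinned to exactly that version. The self-signed certificate and the InsecureSkipVerify flag exist only so the demo runs offline against that throw-away certificate; point ProbeVersions at a real host:port and verify certificates properly when checking a production system.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// The versions we probe for, and their display names.
var versions = []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13}
var versionName = map[uint16]string{tls.VersionTLS10: "TLSv1.0", tls.VersionTLS11: "TLSv1.1", tls.VersionTLS12: "TLSv1.2", tls.VersionTLS13: "TLSv1.3"}

// selfSignedCert builds a throw-away ECDSA certificate for 127.0.0.1 so the
// example runs offline. It stands in for the real server certificate.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "tls-probe-example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// StartServer listens on a loopback port and completes handshakes only for
// protocol versions >= minVersion, i.e. a server whose floor is set by
// configuration. The caller closes the listener when done.
func StartServer(minVersion uint16) (net.Listener, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: minVersion}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				// Drive the handshake explicitly; a version below the floor
				// ends here with a protocol_version alert sent to the client.
				if tc, ok := c.(*tls.Conn); ok {
					_ = tc.Handshake()
				}
			}(c)
		}
	}()
	return ln, nil
}

// ProbeVersions tries one handshake per TLS version with the client pinned to
// exactly that version (MinVersion == MaxVersion) and reports which ones the
// server at addr accepted. A false entry means the handshake was refused.
func ProbeVersions(addr string) map[uint16]bool {
	result := make(map[uint16]bool)
	for _, v := range versions {
		cfg := &tls.Config{
			MinVersion: v,
			MaxVersion: v,
			// Assumption for this offline demo only: the peer is the local
			// self-signed server above. Verify certificates in real probes.
			InsecureSkipVerify: true,
		}
		dialer := &net.Dialer{Timeout: 3 * time.Second}
		conn, err := tls.DialWithDialer(dialer, "tcp", addr, cfg)
		if err != nil {
			result[v] = false
			continue
		}
		result[v] = conn.ConnectionState().Version == v
		conn.Close()
	}
	return result
}

func main() {
	// Compare a permissive floor (TLSv1.0) with the floor the question wants (TLSv1.2).
	for _, floor := range []uint16{tls.VersionTLS10, tls.VersionTLS12} {
		ln, err := StartServer(floor)
		if err != nil {
			panic(err)
		}
		got := ProbeVersions(ln.Addr().String())
		fmt.Printf("server floor %s:", versionName[floor])
		for _, v := range versions {
			fmt.Printf(" %s=%v", versionName[v], got[v])
		}
		fmt.Println()
		ln.Close()
	}
}
```

With the floor at TLSv1.2 the TLSv1.0 and TLSv1.1 probes fail at the handshake while TLSv1.2 and TLSv1.3 succeed; with the floor at TLSv1.0 all four succeed. Run the same probe against the NetWeaver ICM port after changing ssl/ciphersuites: if the TLSv1.0 probe still completes, the version is still enabled regardless of what the parameter appears to say.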
Hello Laurence,
This is currently being discussed (whether disabling TLSv1.0 will be possible or not), and we're trying to find out on what basis customers are planning to disable TLSv1.0...
Anyhow, unfortunately there is no date I can provide you on when this will be implemented, if at all.
Best Regards,
Guilherme de Oliveira