Supported TLS versions for outbound connections on Java stack
Update 15 June 2017: If you have arrived here in search for a solution for TLS 1.2 on PI, I suggest that you also check out my latest blog on the issue – Chronicles of a PI TLS 1.2 upgrade
Update 16 May 2016: Hot off the press! The solution is finally out in SAP Note 2284059 – Update of SSL library within NW Java server. Refer further comment by Markus Schalk in the comments section.
One of the most interesting discussion threads in this space over the past few months has been iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake by Wilbert Karremans.
So why do I find it interesting, you might ask? Is it because it has garnered 50+ replies in a space of three months and continues to be an active thread? Is it because many other similar threads have come up as well? Yes, and yes, but more importantly, it is about a functionality which IMHO is increasingly becoming an important one, and yet there is no publicly available support from SAP (at the time of writing) for that functionality.
The functionality in question is the support for TLS versions above 1.0 when the AS Java is behaving as a client component. Another way to rephrase this with respect to PI is that there is no support on Java-based adapters for outbound connections to a web server on versions of HTTP TLS above 1.0.
The reason why this is important is apparent from the various threads on the same topic. Providers are dropping support for older versions of TLS which is likely due to the serious SSL/TLS security flaws that were discovered in recent years like POODLE and Heartbleed.
It is important to note that this applies only for the case when AS Java acts as a client component. As shown in the following diagram (courtesy of SAP Help), in such scenario the SAP Java Cryptographic Toolkit (a.k.a. IAIK) is used, and as mentioned by Peter Tari in the thread, it currently only supports TLS 1.0.
In light of this, the reason for this blog post is to raise awareness to the wider community (because not everyone reads every thread) as this can be a potential issue during integration projects. Additionally, following are a couple of key learnings from the above mentioned thread that can prove useful to anyone who might potentially face this issue.
How to check SSL/TLS versions supported by web servers
In order to confirm if this is a potential integration issue, it is crucial to confirm the versions of SSL/TLS that are supported by a web server. This is not something that is readily available unless the web server owner provides it or explicitly mentions it. Fortunately, hidden in the following SAP note (mentioned in the above thread) is a handy Perl script that can do just this.
Do take note though that although the SAP Note contains this utility, the note is actually relevant for AS ABAP/Java as a server component.
In order to use this utility, download the attachment from the SAP Note and copy it to a system capable of running Perl scripts. This can be performed on your PI system if it is a Unix-based system. Otherwise, I personally have a copy of Cygwin handy for whenever I need to run some Unix related commands.
Once the script is in place, execute the script providing the server hostname and port, i.e. example using SCN’s site below:-
perl ssl-hellotest.pl scn.sap.com 443
Below is the output from the above execution, confirming that SSL 3.0 is not supported whilst TLS 1.0, 1.1 and 1.2 are supported.
For an example case that shows only TLS 1.2 is supported, check the output.
OK, I know I need TLS > 1.0, now what?
As of time of writing, AFAIK there is no publicly available release of the SAP Java Cryptographic Toolkit that supports TLS > 1.0. According to Peter Tari’s responses, development is in progress to support TLS 1.2. However, a hunt down the forum threads reveals that this has been in the pipeline since late last year, so it is anyone’s guess when this would finally be publicly released.
So the best bet is to open a call/incident with SAP. This will both help raise the importance of this functionality, as well as provide access to a preliminary patch as an interim measure.