TLS 1.1 and 1.2 support in 15.7 SP137 and 16.0 SP02 PL04 SDK for SAP Adaptive Server Enterprise
In the 15.7 SP137 and 16.0 SP02 PL04 SDK for SAP Adaptive Server Enterprise (ASE), there are a few new connection properties to support the SSL protocol versions TLS 1.1 and TLS 1.2 in Open Client, jConnect, and ODBC.
OpenClient
The SDK includes the following updates for OpenClient:
- The semantics for setting the existing CS_PROP_SSL_PROTOVERSION property in the Client-Library, and the corresponding SRV_S_SSL_VERSION property in the Server-Library, are revised to indicate the minimum version of the SSL protocol supported instead of the highest version of SSL protocol available. When the Client-Library CS_PROP_SSL_PROTOVERSION property is retrieved, it indicates the actual protocol that is being negotiated.
- Two new property values, CS_TLSVER_TLS11 and CS_TLSVER_TLS12, indicate the minimum version of the SSL protocol – TLS 1.1 and TLS 1.2, respectively.
- OpenClient no longer supports the less secure SSL protocols CS_SSLVER_20 and CS_SSLVER_30. Existing applications that set the property to any of these values are silently promoted to CS_SSLVER_TLS1 at runtime.
- In the 16.0 SP02 PL04 SDK for SAP ASE, a new attribute SslVersion in the Client-Library connection string properties specifies the SSL protocol version.
jConnect
A new connection property, SSL_MIN_PROTOCOL_VERSION, specifies the minimum SSL protocol version to establish a connection. When set, the SSL_MIN_PROTOCOL_VERSION property asks the JCE provider to set the TLS protocol used to establish a handshake with the SSL-enabled server. During the handshake between JCE and the SSL server, the protocol with the highest version is given priority and the connection between the client and the server is established. If no handshake succeeds at or above the minimum specified protocol version, the connection fails.
The valid protocol versions from highest to lowest priority are:
- TLSv1.2
- TLSv1.1
- TLSv1
- SSLv3
- SSLv2Hello
To use the SSL_MIN_PROTOCOL_VERSION property, set ENABLE_SSL=TRUE.
The default value of SSL_MIN_PROTOCOL_VERSION is TLSv1.
Example:
SSL_MIN_PROTOCOL_VERSION = TLSv1.1
In this case, the JCE provider first attempts a handshake with the protocol version TLSv1.2 (highest). When this fails, it tries using TLSv1.1. If the handshake with TLSv1.1 also fails, then the provider stops trying to establish a connection. The JCE does not attempt the handshake with the other protocols of lower priorities like TLSv1, SSLv3, and SSLv2Hello, even if they are supported by the JRE.
ODBC
A new connection property, SSLMinVersion, specifies the minimum SSL protocol version to establish a connection. During the handshake between the ODBC client and the SSL server, the protocol with the highest version is given priority and the connection between the client and the SSL server is established. If no handshake succeeds at or above the minimum specified protocol version, the connection fails.
The valid protocol versions, from highest to lowest priority, are:
- TLSv1.2
- TLSv1.1
- TLSv1
- SSLv3
- SSLv2
To use the SSLMinVersion property, set Encryption=SSL.
The default value of SSLMinVersion is TLSv1.
Example:
SSLMinVersion = TLSv1.1
In this case, the ODBC client first attempts the handshake with the protocol version TLSv1.2 (highest). When this fails, it tries using TLSv1.1. If the handshake with TLSv1.1 also fails, then the ODBC client stops trying to establish a connection. The ODBC client does not attempt the handshake with the other protocols of lower priorities like TLSv1, SSLv3, and SSLv2, even if they are supported.
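The jConnect and ODBC rules above can be checked mechanically before deployment. The following Python audit is an added example, not SAP code: it applies the documented defaults and prerequisites to client settings and reports which protocol versions a client may still negotiate. The policy floor of TLSv1.2, the case-insensitive key matching, and all sample connection values are assumptions.

```python
# Added example: audit client TLS settings against the rules on this page.
# All sample inputs below are constructed for illustration.
ORDER = ["TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3", "SSLv2"]  # highest first
DEFAULT_MIN = "TLSv1"  # documented default for jConnect and ODBC

# driver -> (enabling property, required value, minimum-version property)
DRIVERS = {
    "odbc": ("Encryption", "SSL", "SSLMinVersion"),
    "jconnect": ("ENABLE_SSL", "TRUE", "SSL_MIN_PROTOCOL_VERSION"),
}

def parse_odbc(conn_str):
    """Split an ODBC-style 'Key=Value;Key=Value' string into a dict."""
    pairs = (p.split("=", 1) for p in conn_str.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def attempt_order(minimum):
    """Versions the client tries, highest first, stopping at the minimum."""
    name = "SSLv2" if minimum == "SSLv2Hello" else minimum  # jConnect spelling
    return ORDER[: ORDER.index(name) + 1]

def audit(driver, props, policy_min="TLSv1.2"):
    """Return (status, versions the client may negotiate).

    policy_min is an assumed site policy, not a value from the SDK docs.
    Property names are matched case-insensitively (an assumption).
    """
    enable_key, enable_val, min_key = DRIVERS[driver]
    ci = {k.lower(): v for k, v in props.items()}
    if ci.get(enable_key.lower(), "").upper() != enable_val:
        return ("NO_SSL", [])  # minimum-version property has no effect
    try:
        allowed = attempt_order(ci.get(min_key.lower(), DEFAULT_MIN))
    except ValueError:
        return ("UNKNOWN_VERSION", [])
    weak = [v for v in allowed if ORDER.index(v) > ORDER.index(policy_min)]
    return ("WEAK" if weak else "OK", allowed)

if __name__ == "__main__":
    samples = [  # constructed settings, not taken from a real deployment
        ("odbc", parse_odbc("Server=db1;Port=5000;Encryption=SSL;SSLMinVersion=TLSv1.2")),
        ("odbc", parse_odbc("Server=db1;Port=5000;Encryption=SSL")),
        ("odbc", parse_odbc("Server=db1;Port=5000;SSLMinVersion=TLSv1.2")),
        ("jconnect", {"ENABLE_SSL": "true", "SSL_MIN_PROTOCOL_VERSION": "TLSv1.1"}),
    ]
    for driver, props in samples:
        print(driver, props, "->", audit(driver, props))
```

A WEAK result for a connection that omits the minimum-version property reflects the documented default of TLSv1, so the property must be set explicitly to exclude TLS 1.0.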