Why use it?
The Payment Card Industry (PCI) announced that SSL and TLS 1.0 are no longer secure (Date Change for Migrating from SSL and Early TLS).
Vendors like Salesforce.com adopt PCI standards and disable SSL and TLS 1.0, so in the near future we are forced to use TLS 1.1 or 1.2.
What's the problem
Activating TLSv1.1 or TLSv1.2 on the client side unfortunately results in handshake failures with a certain non-marginal number of older servers. They implement the negotiation of the SSL/TLS protocol version incorrectly (TLS protocol version intolerance).
Besides version intolerance, TLS extensions in the ClientHello handshake message can cause handshake failures with older servers that do not support them (TLS extension intolerance).
Because of that, all TLS communication has to be tested before using TLSv1.1 or TLSv1.2.
See note 510007 - Setting up SSL on Application Server ABAP for further details.
Outbound communication using IAIK library
Note 2284059 - Update of SSL library within NW Java server introduced new TLS versions for outbound communication using the IAIK library.
The default configuration is stored in iaik_ssl.jar in folder /usr/sap/<SID>/J21/j2ee/cluster/bin/ext/mail-activation.
iaik_ssl.jar contains an SSLContext.properties file in folder iaik\security\ssl, listing the default config parameters.
SSLContext.properties
#########################################
# SSLContext properties
# supported since iSaSiLk 4.4
# Location of configuration file is iaik/security/ssl/SSLContext.properties within CLASSPATH
# It can be redefined with system property iaik.security.ssl.configFile
# e.g. java -Diaik.security.ssl.configFile=file:c:/java/SSLContext.properties
#
#########################################
# allowLegacyRenegotiation is set to true, otherwise we cannot communicate with unpatched peers
allowLegacyRenegotiation= true
# insecure renegotiation is disabled for the SSL server but remains allowed for the SSL client
server.disableRenegotiation= true
# deactivated to avoid regressions after iSaSiLk 5.102
chainVerifier.checkExtensions= false
# avoid issues with IIS servers
extension=signature_algorithms
Manual configuration is possible using a custom config file.
To enable custom configuration, set the property "iaik.security.ssl.configFile". This is possible using the ConfigTool.
Afterwards create a file containing your custom properties, e.g. ssl.config.
Recommendation: copy the values known from SSLContext.properties to avoid problems.
Important custom parameters are listed below:
Parameter | Example values | Description
---|---|---
client.minProtocolVersion | TLS12 | Requires TLS 1.2 as the minimum version for communication. Lower versions are disabled.
client.maxProtocolVersion | TLS11 | Limits usage of TLS to version 1.1.
protocolVersions | nfe.fazenda.sp.gov.br(TLS11,TLS11) | Limits communication to TLS 1.1 for the given domain name. The first value is the minimum and the second the maximum version. If a port other than 443 is used, it has to be added after a colon, e.g. example.com:5443(SSL20,TLS12).

More options can be found in SAP Note 2284059 - Update of SSL library within NW Java server.
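A small lint for the protocol-version parameters described above, added here as an example and not SAP's or IAIK's code: it parses client.minProtocolVersion, client.maxProtocolVersion and protocolVersions entries of the form host[:port](MIN,MAX) from a custom ssl.config, rejects unknown or inverted version ranges, and reports which range applies to a given host and port. That protocolVersions entries are separated by whitespace is an assumption.

```python
# Added example (not SAP's or IAIK's code): lint the protocol-version settings of a
# custom ssl.config before deploying it. Only the syntax shown on this page is handled;
# that protocolVersions entries are separated by whitespace is an assumption.
import re

# Property value names from weakest to strongest, as used in the IAIK properties.
VERSIONS = ["SSL20", "SSL30", "TLS10", "TLS11", "TLS12"]
ENTRY_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d+))?\((?P<min>\w+),(?P<max>\w+)\)$")

# Constructed sample config in the style of the table above.
SAMPLE_CONFIG = """# custom ssl.config (constructed sample)
client.minProtocolVersion=TLS11
client.maxProtocolVersion=TLS12
protocolVersions=nfe.fazenda.sp.gov.br(TLS11,TLS11) example.com:5443(SSL20,TLS12)
"""


def parse_entry(entry):
    """Parse 'host[:port](MIN,MAX)' into (host, port, min, max); port defaults to 443."""
    m = ENTRY_RE.match(entry.strip())
    if not m:
        raise ValueError("malformed protocolVersions entry: %r" % entry)
    lo, hi = m.group("min"), m.group("max")
    for v in (lo, hi):
        if v not in VERSIONS:
            raise ValueError("unknown protocol version %r in %r" % (v, entry))
    if VERSIONS.index(lo) > VERSIONS.index(hi):
        raise ValueError("minimum version above maximum version in %r" % entry)
    return m.group("host"), int(m.group("port") or 443), lo, hi


def load_config(text):
    """Parse key=value lines of an ssl.config file; '#' starts a comment."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def effective_range(cfg, host, port=443):
    """(min, max) for host:port: the matching per-host entry, else the client.* settings (None if unset)."""
    for entry in cfg.get("protocolVersions", "").split():
        h, p, lo, hi = parse_entry(entry)
        if h == host and p == port:
            return lo, hi
    return cfg.get("client.minProtocolVersion"), cfg.get("client.maxProtocolVersion")
```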
Testing outbound communication
To test communication you can use XPIInspector. Use Example 11 (Authentication, SSL & PP), or Example 50 (XI Channel) if Example 11 does not deliver any results (this seems to happen for FTPS channels).
SSL Debug Error
Begin IAIK Debug:
ssl_debug(21): Starting handshake (iSaSiLk 5.104)...
ssl_debug(21): Sending v3 client_hello message to preprod.connect.elemica.com:5443, requesting version 3.3 ...
ssl_debug(21): Sending extensions: renegotiation_info (65281), signature_algorithms (13)
ssl_debug(21): Received alert message: Alert Fatal: unexpected message
ssl_debug(21): SSLException while handshaking: Peer sent alert: Alert Fatal: unexpected message
ssl_debug(21): Shutting down SSL layer...
ssl_debug(21): Closing transport...
SSL Debug Success
Begin IAIK Debug:
ssl_debug(1): Starting handshake (iSaSiLk 4.5)...
ssl_debug(1): Sending v3 client_hello message to connect.elemica.com:5443, requesting version 3.1 ...
ssl_debug(1): Received v3 server_hello handshake message.
ssl_debug(1): Server selected SSL version 3.1 .
ssl_debug(1): Server created new session EA:05:A1:1E:C5:04:C5:2F...
ssl_debug(1): CipherSuite selected by server: SSL_RSA_WITH_3DES_EDE_CBC_SHA
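To triage many such traces, the following added example (not SAP's or IAIK's code) parses an ssl_debug trace in the format shown above and tells a completed handshake apart from the failure pattern of version/extension intolerance: a fatal alert in reply to the client_hello, with no server_hello ever received. The trace text it is run on is constructed, and the log wording is assumed to match the examples on this page.

```python
# Added example (not SAP's or IAIK's code): classify an IAIK ssl_debug handshake trace
# like the ones above. Log wording is assumed to match the traces shown on this page.
import re

# IAIK logs the record-layer version number; map it to the property value names.
VERSION_NAMES = {"3.0": "SSL30", "3.1": "TLS10", "3.2": "TLS11", "3.3": "TLS12"}

PATTERNS = {
    "target": re.compile(r"client_hello message to (\S+?):\s*(\d+)\s*, requesting version (\d\.\d)"),
    "extensions": re.compile(r"Sending extensions: (.+)"),
    "server_hello": re.compile(r"Received v3 server_hello"),
    "selected": re.compile(r"Server selected SSL version (\d\.\d)"),
    "cipher": re.compile(r"CipherSuite selected by server: (\S+)"),
    "alert": re.compile(r"Received alert message: Alert Fatal: (.+)"),
}

# Constructed trace (hostname invented) in the format of the failing example above.
FAILED_TRACE = """ssl_debug(21): Sending v3 client_hello message to preprod.example.com:5443, requesting version 3.3 ...
ssl_debug(21): Sending extensions: renegotiation_info (65281), signature_algorithms (13)
ssl_debug(21): Received alert message: Alert Fatal: unexpected message
"""


def classify_handshake(trace):
    """Return a dict describing the outcome of one ssl_debug handshake trace."""
    result = {"host": None, "port": None, "requested": None, "extensions": [],
              "outcome": "unknown", "selected": None, "cipher": None, "alert": None}
    for line in trace.splitlines():
        m = PATTERNS["target"].search(line)
        if m:
            result["host"], result["port"] = m.group(1), int(m.group(2))
            result["requested"] = VERSION_NAMES.get(m.group(3), m.group(3))
        m = PATTERNS["extensions"].search(line)
        if m:  # "renegotiation_info (65281), signature_algorithms (13)" -> names only
            result["extensions"] = re.findall(r"(\w+)\s*\(\s*\d+\s*\)", m.group(1))
        if PATTERNS["server_hello"].search(line):
            result["outcome"] = "success"
        m = PATTERNS["selected"].search(line)
        if m:
            result["selected"] = VERSION_NAMES.get(m.group(1), m.group(1))
        m = PATTERNS["cipher"].search(line)
        if m:
            result["cipher"] = m.group(1)
        m = PATTERNS["alert"].search(line)
        if m and result["outcome"] != "success":
            # Fatal alert answering our client_hello, no server_hello at all: the
            # pattern this page describes for version/extension intolerance.
            result["outcome"] = "intolerance_suspected"
            result["alert"] = m.group(1).strip()
    return result
```

A trace classified as intolerance_suspected with signature_algorithms in its extensions list is a candidate for a per-host protocolVersions entry.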
Solving problems
Facing intolerance errors, try to reduce the TLS versions allowed for the domain using the parameter protocolVersions. To prevent the signature_algorithms extension from being used in the handshake, the only possible way at the moment is to set the minimum version to SSL20.
Find channels using TLS/SSL
There is no standard way to find all channels using TLS/SSL. Some channels can be found with the extended search of the Integration Builder using the attribute "Adapter Type".
This does not work for SOAP channels, therefore we used an SQL statement to find all SOAP channels and filtered for https in Excel.
SQL statement
-- DB2: XMLPARSE needs the DOCUMENT keyword; "with ur" reads uncommitted so the
-- directory tables are not locked while the query runs
select a.CONTEXTID, a.OBJECTID, b.channel,
       xmlparse(document a.ATTRBTS)
  from ppo.sapj2ee."XI_DIRSYNCCHANNEL" a,
       ppo.sapj2ee."XI_DIRKEYCHANNEL" b
 where a.objectid = b.objectid
   and a.msgPROT = 'SOAP'
  with ur;

Note: We are using DB2; xmlparse is a special function there.