Markus Schalk

How to check supported outbound cipher suites

This blog shows an easy way to determine the supported outbound (client) cipher suites in PI / PO.

The key element for determining the supported cipher suites easily is the internet tool "How's my SSL?" (https://www.howsmyssl.com/).

The trick is to set up a dummy ICO / IFlow using a receiver channel pointing to the API version of How's my SSL. It is easy to test using the send test message feature within PI / PO, but you can also use a synchronous sender channel (e.g. to call the interface with SOAP UI).

The screenshots below show a dummy IFlow:

[Screenshot: DummyIFlow.PNG]

[Screenshot: Logging.PNG]

SOAP Receiver Channel:

[Screenshot: SOAP-Receiver.PNG]

Empty test message:

[Screenshot: EmptyTest.PNG]

Result showing supported client cipher suites:

[Screenshot: Result.PNG]

Attention: In PO Version (7.31 SP17) the HTTP_AAE adapter does not seem to use the IAIK library. We implemented SAP note 2284059 and get this result:

{
  "given_cipher_suites": [
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
  ],
  "ephemeral_keys_supported": true,
  "session_ticket_supported": false,
  "tls_compression_supported": false,
  "unknown_cipher_suite_supported": false,
  "beast_vuln": true,
  "able_to_detect_n_minus_one_splitting": true,
  "insecure_cipher_suites": {},
  "tls_version": "TLS 1.0",
  "rating": "Bad"
}

Further details about IAIK and TLS 1.2 can be found in this previous blog post: Outbound support for TLS 1.1/1.2
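
To turn a response like the one above into a review checklist, the following added example (not part of the original post and not code from How's My SSL) parses the JSON and flags the protocol version, the BEAST flag, and every offered suite that lacks forward secrecy or uses 3DES or CBC. The sample input is abridged from the result above; the `tls_version` string format and the shape of `insecure_cipher_suites` (suite name mapped to a list of reasons) are assumptions.

```python
import json

# Abridged from the result shown in the post; suite list shortened for the example.
SAMPLE_RESPONSE = """{
  "given_cipher_suites": ["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"],
  "tls_compression_supported": false, "beast_vuln": true,
  "insecure_cipher_suites": {}, "tls_version": "TLS 1.0", "rating": "Bad"
}"""

MODERN_VERSIONS = ("TLS 1.2", "TLS 1.3")  # assumption: API reports versions in this form


def classify_suite(name):
    """Return the weaknesses visible in one IANA cipher suite name."""
    if "_WITH_" not in name:
        return []  # SCSV signalling values and TLS 1.3 names have no kx/mode part
    key_exchange, _, cipher = name[len("TLS_"):].partition("_WITH_")
    issues = []
    if not key_exchange.startswith(("ECDHE", "DHE")):
        issues.append("no forward secrecy")  # static RSA / ECDH / DH key exchange
    if "3DES" in cipher:
        issues.append("3DES")
    if "_CBC_" in cipher:
        issues.append("CBC mode")
    return issues


def audit(response_text):
    """Summarise a How's My SSL API response into findings a reviewer can act on."""
    data = json.loads(response_text)
    findings = []
    if data.get("tls_version") not in MODERN_VERSIONS:
        findings.append(f"negotiated {data.get('tls_version')}, below TLS 1.2")
    if data.get("beast_vuln"):
        findings.append("client flagged as BEAST-vulnerable")
    if data.get("tls_compression_supported"):
        findings.append("TLS compression offered")
    # Assumed shape: {"SUITE_NAME": ["reason", ...]}
    for suite, reasons in data.get("insecure_cipher_suites", {}).items():
        findings.append(f"{suite} reported insecure: {', '.join(reasons)}")
    suites = {n: classify_suite(n) for n in data.get("given_cipher_suites", [])}
    flagged = {n: issues for n, issues in suites.items() if issues}
    return {"rating": data.get("rating"), "findings": findings, "suites": flagged}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_RESPONSE), indent=2))
```

Pasting the full response from the receiver channel into `audit()` gives the same report for a real system, which makes it easy to compare the result before and after a library or note change.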


      4 Comments
      Wilson Xavier

      Hi Markus,

      Congrats on the blog.

      Recently SAP told me the cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA isn't supported by the Java stack in PI 7.4. Is it working in your test?

      I can't apply note 2284059 in my PI.

       

      Markus Schalk
      Blog Post Author

      Hi Wilson,

      true answer above :-). Not possible by now.

      Regards

      Markus

       

      Rami Bleibel

      Hi,

      I am new to PI and would like to know how to create a sender for this scenario.

       

      Thanks

      T. van Rooijen

      Thanks Markus, works like a charm.

      Very handy if you don't have SAP Basis around.

       

      regards

      Tom