Skip to Content
Product Information
Author's profile photo Manpreet Kaur

Disabling TLSv1.0 protocol and 3DES cipher suite for Inbound communication to ByD

As part of our commitment to continuous improvement and to follow the industry’s best practices, we plan to configure our servers to support the latest protocol versions to ensure that we use only the strongest algorithms and ciphers. It is equally important to disable the older versions as continuing to support old versions of protocols can leave our systems vulnerable to downgrade attacks, where hackers force connections to our servers to use older versions of the protocols that have known exploits. This can leave encrypted connections (whether between a site visitor and your web server, machine to machine, etc.) open to man-in-the-middle and other types of attacks.


Disabling TLSv1.1 protocol for Outbound Communication Scenarios from your Business By Design system.

As you already know, we had planned for disabling TLSv1.1 protocol and Weak ciphers for outbound communication scenarios to your SAP Business By Design instance(s).
However, we received several customer requests not to disable RSA ciphers as some of their systems don’t support ECDHE/ECDSA ciphers yet. We here at SAP, believe in always putting customer first. 
Thus, we have decided to postpone the disablement of RSA ciphers for outbound communication scenarios. Only TLSv1.1 protocol for Outbound communication scenarios will be disabled through this activity.

Why are we disabling TLSv1.0?

The following is a quick summary of reasons to eliminate the use of TLS 1.0 / 1.1.



1. Browser Settings – Check if TLSv1.1 and TLSv1.2 are enabled.


2. Connectivity between SAP CPI to Business ByDesign – No action to be taken as SAP CPI already supports TLSv1.1 and TLSv1.2.
3. Connectivity between SAP PI/ERP to Business ByDesign – Please follow the details mentioned in FAQ section below to know how to enable TLSv1.1 and TLSv1.2 in your system in case it is not done already.



a) What is TLSv1.0?
Transport Layer Security (TLS) is a standard protocol that is used to provide secure web communications on the Internet or intranets. It enables clients to authenticate servers or, optionally, servers to authenticate clients. It also provides a secure channel by encrypting communications.

b) Which protocols are supported currently when BYD is in Server role?
TLSv1.0, TLSv1.1, TLSv1.2

c) After disabling TLSv1.0 which protocols are supported by BYD in server role?
TLSv1.1 and TLSv1.2

d) Which Cipher Suites will be supported by BYD in server role?

e) Settings to enable/check if TLSv1.1 and TLSv1.2 are enabled in your SAP system which communicates with your BYD tenant
Check the parameter ssl/client_ciphersuites in your SAP system and see if the value defined for it supports one of these protocols TLSv1.1 or TLSv1.2. If YES – then the connection will work even after disabling TLSv1.0 at BYD. In case your system supports only TLSv1.0, you need to enable TLSv1.1 and TLSv1.2 protocol by following SAP Note 510007 


f) How to check the Supported Protocol and cipher suites of your SAP system which is communication to BYD (in Inbound Scenarios to BYD)?
Run the following command in your sap web dispatcher or application server (whichever is talking to BYD) → sapgenpse tlsinfo -c

g) How to check the supported protocol and cipher suites of your Non-SAP systems?
There are external sites where you can check which protocols and cipher suites are supported by your system/URL.

h) If you have any BYD plugin (example: Outlook add-in, Cloud Application studio) or application that is running on the. NET Framework which connects to BYD URL
Please ensure you have below settings enabled in your windows machine to avoid connectivity issues from BYD application add-ons (example: Outlook add-in, Cloud Application Studio built/running on .NET Framework.) to your BYD application.
• In your Windows PC
• Go to windows search and type “Regedit”
• Click on yes
• It opens a Registry editor.
• Open below path based on the version of. NET Framework installed in your machine, in this case it is 4.0.30319:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v 4.0.30319

• If you find the value defined as 0 instead of 1, follow below steps to change “data” from 0 to 1 and further test the result.

Key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
Value: SchUseStrongCrypto
Data: 1

Value: SchUseStrongCrypto
Data: 1

Note – If you still find an issue with BYD add-on/plugin connecting to BYD application then reinstall the .NET Framework to 4.6.2 or higher versions and recheck the steps as mentioned in SAP KBA 2806482

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Ashish Sharma
      Ashish Sharma

      Hi Manpreet,


      Good information , thanks for sharing.

      I have following question regarding this , requesting your help on this.


      1. Exact date on which Test and Production system is going in these changes ?
      2. Place in ByD where we can see the active protocols ?
      3. How we can test the protocols for integration systems ?
      4. Share document specific to ByDesign for testing the same within ByD and using integration system.


      Ashish Sharma

      Author's profile photo Diego Kremer
      Diego Kremer

      There are some cases where the SchUseStrongCrypto can’t be found in both or any of the .NET registry paths.

      On that situation you can create a new registry key of type DWORD with the same name and set its hexadecimal value to 1 as displayed on the screenshots.

      Author's profile photo Ben Casey
      Ben Casey

      Hi, can someone confirm what the latest version of the Excel Add-In is?

      The version no. is not showing within the Download page within my SAP C4C system.

      Is it 135.0.3792.1429 ?

      Author's profile photo Tim Ngyou
      Tim Ngyou

      When I look in my 1905 ByDesign system, the latest version for download is 135.0.3576.454

      Author's profile photo Tim Ngyou
      Tim Ngyou

      Hello Manpreet

      I don't have access to the SAP Note 510007 ( Please could you mail it to me directly if possible?


      I'd also be grateful if you could send me details of KBA 2806482 (, as again I do not have sufficient permissions to view this internal document.

      Many thanks


      Author's profile photo Manpreet Kaur
      Manpreet Kaur
      Blog Post Author

      Hi Tim,


      Can you please check within your organization if someone have access as this comes with SAP Product License. I don't have authorization to download and send it over mail.

      Sorry for inconvenience.



      Manpreet Kaur

      Author's profile photo Ed Govett
      Ed Govett

      Can this be solved by downloading the latest version of Excel Add-In?

      The idea of every user that uses Excel Add-In going into their laptops and adjusting registry values is not very practical and dangerous as most users will not have the skill nor experience in this area.



      Author's profile photo Tim Ngyou
      Tim Ngyou

      Would probably be best to offer a registry .reg file with the appropriate entries pre-populated. So long as those users have admin rights, it ought to be fairly fool-proof!

      (or just get the IT dept to roll it out remotely and universally)

      Author's profile photo Ben Casey
      Ben Casey

      I totally agree Ed.

      Author's profile photo Manfred Maier
      Manfred Maier

      I have installed Excel Add-in Version 135.0.3877.902 and the connection to a test envirement works without changes in the registry. Is that a coincidence or was the add-in adjusted accordingly?

      Author's profile photo Thomas Wuttke
      Thomas Wuttke

      The change to Windows registry solved the problem.

      Key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
      Value: SchUseStrongCrypto
      Type: REG_DWORD
      Data: 1

      Value: SchUseStrongCrypto
      Type: REG_DWORD
      Data: 1