Many customers have questions regarding the encryption of data in transit. SAP Cloud Platform uses encrypted communication channels based on HTTPS/TLS.
What is TLS?
TLS stands for “Transport Layer Security.” It is a protocol that provides privacy and data integrity between two communicating applications. It’s the most widely deployed security protocol used today, and is used for web browsers and other applications that require data to be securely exchanged over a network. TLS ensures that a connection to a remote endpoint is the intended endpoint through encryption and endpoint identity verification.The protocol is described by the Internet Engineering Task Force (IETF) in Requests for Comments (RFCs). It evolves over time to support higher standards.
SAP Cloud Platforms` servers support all versions of TLS protocol, which are TLS 1.0, 1.1 and 1.2. At the start of communication (handshaking phase), a web browser and SAP Cloud Platforms’ server exchange their supported TLS versions and choose the highest version they both support to carry out the rest of the communication.
TLS 1.0, in the past years, has been found weak in protection especially when combined with weak ciphers such as RC4. SAP Cloud Platform has started to reduce the support of the weak ciphers.
All platform regions launched before 1 July 2018 support all three version of the TLS protocol: 1.0, 1.1, and 1.2. See Regions.
Following 1 July 2018, future platform regions will support only the more secure TLS version 1.2. Existing regions will continue to support versions 1.0 and 1.1. The timeline for disabling TLS 1.0 and 1.1 on regions provisioned before 1 July 2018 will be announced separately.
We announce the provisioning of new regions using the SAP Cloud Platform release notes. You can use them if you need to check the date when a particular region was provisioned.
How can you adapt to this change?
Inbound HTTP connections relying on TLS 1.0 or 1.1 will not be possible. Make sure that the HTTP clients in use, such as web browsers, support TLS 1.2. In case TLS 1.0 or 1.1 is still needed, especially in integration scenarios with legacy systems, you may use a custom web domain, and enable TLS 1.0 or 1.1 for it. See Using Custom Domains (section Create an SSL Host part of Configuring Custom Domains).
In case you want to use solely the new standard you have the opportunity to choose a region which does not support TLS 1.0, for example.