Disabling TLSv1.1 protocol for Inbound Communication Scenarios
As part of our commitment to continuous improvement and to following industry best practices, we plan to configure our servers to support the latest protocol versions so that only the strongest algorithms and ciphers are used. Equally important is disabling the older versions. Continuing to support old protocol versions can leave our systems vulnerable to downgrade attacks, where an attacker forces a connection to our servers onto an older protocol version with known exploits. This can leave the encrypted connections (whether between a site visitor and your web server, machine to machine, etc.) open to man-in-the-middle and other attacks.
SCOPE
Disabling TLSv1.1 protocol for Inbound Communication Scenarios from internet to your SAP Business ByDesign system
Why are we disabling TLSv1.1 protocol?
The following is a quick summary of reasons to eliminate the use of TLS 1.0 / 1.1.
- Cloud providers across the market are deprecating the use of TLS 1.0 / 1.1
- Support of crypto-libraries offering TLS 1.0 and 1.1 is being ended
- PCI DSS has required TLS 1.1 or higher since 30.06.2018, and has recommended TLS 1.2 for even longer: https://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls
- SSL Labs testing decreased the rating from A+ to B in January 2020 for servers supporting TLS 1.0 or 1.1
- Browsers started deprecating TLS 1.0 and 1.1 in 2019 / Q1 2020, marking servers that still support them as insecure (e.g. Chrome: https://blog.chromium.org/2019/10/chrome-ui-for-deprecating-legacy-tls.html)
SCENARIOS TO CHECK
- Browser settings – check that TLSv1.2 is enabled.
- Connectivity between SAP CPI and Business ByDesign – no action needed, as SAP CPI already supports TLSv1.2.
- Connectivity between SAP PI/ERP and Business ByDesign – follow the details in the FAQ section below to enable TLSv1.2 in your system, if this has not been done already.
FAQs
a) What is TLS?
Transport Layer Security (TLS) is a standard protocol that is used to provide secure web communications on the Internet or intranets. It enables clients to authenticate servers or, optionally, servers to authenticate clients. It also provides a secure channel by encrypting communications.
b) Which protocols are supported currently when BYD is in Server role?
TLSv1.1, TLSv1.2
c) After disabling TLSv1.1 which protocols are supported by BYD in server role?
TLSv1.2
d) Which Cipher Suites will be supported by BYD in server role?
TLS_ECDHE_RSA_WITH_AES128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES256_CBC_SHA
TLS_RSA_WITH_AES128_GCM_SHA256
TLS_RSA_WITH_AES256_GCM_SHA384
TLS_RSA_WITH_AES128_CBC_SHA
TLS_RSA_WITH_AES256_CBC_SHA
The supported cipher suites remain the same before and after the change and will not be modified.
e) Settings to check/enable TLSv1.2 in the SAP system that communicates with your BYD tenant
Check the parameter ssl/client_ciphersuites in your SAP system and see whether the value defined for it supports the TLSv1.2 protocol. If YES, the connection will continue to work even after TLSv1.0 is disabled at BYD. If your system supports only TLSv1.0 and TLSv1.1, enable the TLSv1.2 protocol by following SAP Note 510007.
f) How to check the supported protocols and cipher suites of the SAP system that communicates with BYD (inbound scenarios to BYD)?
Switch to the <sid>adm user on your SAP Web Dispatcher or application server (whichever is talking to the BYD system) and run: sapgenpse tlsinfo -c <value defined for ssl/client_ciphersuites>
g) How to check the supported protocol and cipher suites of your Non-SAP systems?
There are external sites that can check which protocols and cipher suites your system/URL supports.
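Besides external scanners, the versions a client offers can be read directly from its own traffic. The following Python script is an added example, not from the original post or from SAP: it parses a raw TLS ClientHello record (the first message a client such as a PI/ERP system or a .NET add-in sends to the BYD URL) and reports the highest protocol version the client offers, which tells you before the cutover whether that client will still connect once only TLSv1.2 is accepted. The sample ClientHellos, their labels and all function names are constructed for this demonstration.

```python
"""Offline check of which TLS versions a client offers, read from a raw ClientHello.

Added example (not part of the original post). Feed in the first TLS record a client
sends; the functions report the highest version it can negotiate. The sample
ClientHellos below are constructed here, not captured from real traffic.
"""
import struct

TLS_VERSION_NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
SUPPORTED_VERSIONS_EXT = 0x002B  # RFC 8446 extension carrying the versions a TLS 1.3 client offers
REQUIRED_VERSION = 0x0303        # TLSv1.2: the only version BYD will accept after the change


def parse_client_hello(record: bytes) -> dict:
    """Return {"max_version": int, "cipher_suites": [int]} from one TLS handshake record.

    Raises ValueError on anything that is not a well-formed ClientHello, so a caller
    scanning a capture can skip application-data and malformed records safely.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 0

    def take(n: int) -> bytes:  # bounds-checked cursor over the handshake body
        nonlocal pos
        if pos + n > len(hello):
            raise ValueError("truncated ClientHello")
        chunk = hello[pos:pos + n]
        pos += n
        return chunk

    (legacy_version,) = struct.unpack("!H", take(2))  # for pre-1.3 clients: the highest version offered
    take(32)                                           # client random
    take(take(1)[0])                                   # legacy session id
    (cs_len,) = struct.unpack("!H", take(2))
    if cs_len % 2:
        raise ValueError("odd cipher suite length")
    cs_bytes = take(cs_len)
    suites = [struct.unpack("!H", cs_bytes[i:i + 2])[0] for i in range(0, cs_len, 2)]
    take(take(1)[0])                                   # compression methods
    versions = [legacy_version]
    if pos < len(hello):                               # extensions are optional on the wire
        (ext_len,) = struct.unpack("!H", take(2))
        exts = take(ext_len)
        i = 0
        while i + 4 <= len(exts):
            ext_type, ext_body_len = struct.unpack("!HH", exts[i:i + 4])
            ext_body = exts[i + 4:i + 4 + ext_body_len]
            i += 4 + ext_body_len
            if ext_type == SUPPORTED_VERSIONS_EXT and ext_body:
                n = ext_body[0]
                if 1 + n > len(ext_body):
                    raise ValueError("truncated supported_versions extension")
                # RFC 8446: when present, this list replaces legacy_version
                versions = [struct.unpack("!H", ext_body[j:j + 2])[0] for j in range(1, 1 + n, 2)]
    return {"max_version": max(versions), "cipher_suites": suites}


def is_client_hello(record: bytes) -> bool:
    """Convenience wrapper for scanning mixed traffic."""
    try:
        parse_client_hello(record)
        return True
    except ValueError:
        return False


def needs_action(record: bytes, required: int = REQUIRED_VERSION) -> bool:
    """True when this client cannot reach the required version and will fail after the change."""
    return parse_client_hello(record)["max_version"] < required


def build_client_hello(legacy_version: int, suites: list, supported_versions=None) -> bytes:
    """Construct a minimal ClientHello record as test input (constructed, not captured)."""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                              # one compression method: null
    exts = b""
    if supported_versions:
        vs = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext_body = bytes([len(vs)]) + vs
        exts = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ext_body)) + ext_body
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples standing in for three client populations seen before a cutover.
SAMPLE_HELLOS = {
    "legacy-client": build_client_hello(0x0302, [0xC013, 0x002F]),
    "tls12-client": build_client_hello(0x0303, [0xC02F, 0xC013]),
    "tls13-client": build_client_hello(0x0303, [0x1301, 0xC02F], supported_versions=[0x0304, 0x0303]),
}


def inventory(samples: dict) -> dict:
    """Map each label to (highest offered version name, needs_action) for a cutover report."""
    out = {}
    for label, record in samples.items():
        top = parse_client_hello(record)["max_version"]
        out[label] = (TLS_VERSION_NAMES.get(top, hex(top)), top < REQUIRED_VERSION)
    return out


if __name__ == "__main__":
    for label, (version, action) in inventory(SAMPLE_HELLOS).items():
        print(f"{label:14s} max {version:8s} {'needs TLSv1.2 enabled' if action else 'ok'}")
```

Point the script at the first record of each client's connection (for example exported from a packet capture taken on the Web Dispatcher or the client host) and any entry reported as needing action is a system to fix with the steps in FAQ e) or h) before the server-side change.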
h) If you have a BYD plug-in (for example the Outlook add-in or Cloud Application Studio) or an application running on the .NET Framework that connects to a BYD URL
Ensure the settings below are enabled on your Windows machine to avoid connectivity issues from BYD application add-ons (for example the Outlook add-in or Cloud Application Studio, built on or running on the .NET Framework) to your BYD application.
• On your Windows PC
• Go to Windows search and type “Regedit”
• Click Yes
• The Registry Editor opens.
• Open the path below that corresponds to the version of the .NET Framework installed on your machine; in this case it is 4.0.30319:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319
• If you find the value set to 0 instead of 1, follow the steps below to change “Data” from 0 to 1, then test the result.
Key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
Value: SchUseStrongCrypto
Type: REG_DWORD
Data: 1
Key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319
Value: SchUseStrongCrypto
Type: REG_DWORD
Data: 1
Note – If the BYD add-on/plug-in still fails to connect to the BYD application, reinstall the .NET Framework at version 4.6.2 or higher and recheck the steps described in SAP KBA 2806482.
i) Examples of third-party components that have issues with TLSv1.2
If SSL termination happens on your BigIP F5 load balancer, there is a known issue with digital signatures other than (sha1, RSA) in TLSv1.2; a patch is available that fixes digital signatures other than (sha1, RSA) with TLS client certificates – https://api-u.f5.com/support/kb-articles/K76313281?pdf
Hello, I received an email notification pointing to a new blog post on Outbound Communication at the URL https://blogs.sap.com/?p=1150209, but the page is not found.
Is there another blog post for “Disabling TLSv1.1 protocol for Outbound Communication Scenarios”?
Thank you,
Rami
For Business By Design there is no communication for outbound scenarios.
It's not planned yet for BYD.
Regards,
Manpreet Kaur
Do not use the following TLS ciphers:
TLS_RSA_WITH_AES128_GCM_SHA256
TLS_RSA_WITH_AES256_GCM_SHA384
TLS_RSA_WITH_AES128_CBC_SHA
TLS_RSA_WITH_AES256_CBC_SHA
The above ciphers aren’t recommended as best practice. The reason is that they use RSA for both authentication and key exchange, so they use a static public key in an X.509 certificate for key exchange; thus, they do not provide perfect forward secrecy. The ROBOT attack applies to the above ciphers. You want to use DHE with ephemeral keys:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Note: The above DHE ciphers are safe to use only if DH group 14 (2048-bit) key sizes are used for the key exchange. If a smaller DH group size is used with DHE ciphers, your server will be susceptible to the Logjam attack. This setting may have to be set in the OpenSSL code. There is no configurable option external to the OpenSSL module. Apache allows the DH parameters to be configured via its management interface.
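To make the distinction drawn in the comment above, and the server-side suite list in FAQ d), checkable rather than a matter of reading names, here is an added Python example that is not from the original post, its commenters or SAP. It parses cipher suite names in both the page's spelling (AES128) and the IANA spelling (AES_128), reports whether each suite provides forward secrecy and AEAD protection, and attaches the caveats raised on this page: static RSA key exchange, CBC with an HMAC, and the DH parameter size a DHE suite depends on. The suite list is the one from FAQ d); the function names and the ordering rule are my own.

```python
"""Classify TLS cipher suite names by key exchange, cipher mode and MAC.

Added example, not from the original post or SAP. Parses both the SAP spelling
(TLS_ECDHE_RSA_WITH_AES128_GCM_SHA256) and the IANA spelling
(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) and reports forward secrecy, AEAD and caveats.
"""
import re

# TLS 1.2-style names: TLS_<kx>[_<auth>]_WITH_<cipher>_<mode>_<mac>
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|ECDH|DH|RSA)(?:_(?P<auth>RSA|ECDSA|DSS))?"
    r"_WITH_(?P<cipher>[A-Z]+_?\d+)_(?P<mode>GCM|CBC|CCM)_(?P<mac>SHA(?:256|384)?)$"
)
# TLS 1.3 names carry no key-exchange part; the key exchange is always ephemeral.
TLS13_RE = re.compile(r"^TLS_(?P<cipher>AES_\d+|CHACHA20_POLY1305)(?:_(?P<mode>GCM|CCM))?_SHA(?:256|384)$")

# The server-side list from FAQ d), exactly as written on the page.
BYD_SERVER_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES256_CBC_SHA",
    "TLS_RSA_WITH_AES128_GCM_SHA256", "TLS_RSA_WITH_AES256_GCM_SHA384",
    "TLS_RSA_WITH_AES128_CBC_SHA", "TLS_RSA_WITH_AES256_CBC_SHA",
]


def assess(name: str) -> dict:
    """Return the forward-secrecy / AEAD verdict and a list of findings for one suite name."""
    name = re.sub(r"\s+", "", name.upper())  # tolerate the "CBC_ SHA256" spacing seen in pasted lists
    if TLS13_RE.match(name):
        return {"suite": name, "forward_secrecy": True, "aead": True, "findings": []}
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx, mode, mac = m["kx"], m["mode"], m["mac"]
    findings = []
    if kx == "RSA":
        findings.append("static RSA key exchange: no forward secrecy, in scope of ROBOT")
    elif kx in ("ECDH", "DH"):
        findings.append("static (non-ephemeral) Diffie-Hellman: no forward secrecy")
    elif kx == "DHE":
        findings.append("DHE: only safe with >= 2048-bit DH parameters (Logjam otherwise)")
    if mode == "CBC":
        findings.append("CBC with HMAC (not AEAD): prefer GCM")
        if mac == "SHA":
            findings.append("HMAC-SHA1 MAC")
    return {
        "suite": name,
        "forward_secrecy": kx in ("ECDHE", "DHE"),
        "aead": mode in ("GCM", "CCM"),
        "findings": findings,
    }


def without_forward_secrecy(suites) -> list:
    """The suites a reviewer would single out, as the comment above does for the TLS_RSA_* ones."""
    return [a["suite"] for a in map(assess, suites) if not a["forward_secrecy"]]


def preferred_order(suites) -> list:
    """Order suites so that forward-secret AEAD suites come first and static-RSA CBC suites last.

    Ties keep the input order (sorted() is stable), so the page's own preference survives
    within each class.
    """
    def rank(name):
        a = assess(name)
        return (not a["forward_secrecy"], not a["aead"], len(a["findings"]))
    return [assess(s)["suite"] for s in sorted(suites, key=rank)]


if __name__ == "__main__":
    for suite in preferred_order(BYD_SERVER_SUITES):
        a = assess(suite)
        flags = "PFS" if a["forward_secrecy"] else "---"
        flags += " AEAD" if a["aead"] else " ----"
        print(f"{suite:42s} {flags}  {'; '.join(a['findings'])}")
```

Running it over the FAQ d) list puts the ten ECDHE suites first and the four TLS_RSA_* suites that the comment objects to last; the same functions can be pointed at the output of sapgenpse tlsinfo or at a scanner report to review a client's list.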