Former Member

Weak SSL Cipher

Hi Security Experts,

While running vulnerability scans before deploying new application servers (NW 7.31 ABAP, kernel 401 for Windows), we are getting a "weak SSL cipher supported" error on port 5xx14, the SAP MMC listener HTTPS port. We have SSL configured with default parameters.

Can you suggest steps to increase the SSL strength of this port? Worst case, can you suggest steps to disable this port?

The OS is Windows 2008 R2 x64.

Regards,

Yogesh


3 Answers

  • Jan 02, 2014 at 05:46 PM

    I'm not sure how you could set the ciphersuite for sapstartsrv. You can disable the HTTPS port by following instructions given in SAP note 1036107.


  •
    Former Member
    Jan 03, 2014 at 06:01 PM

    Yogesh-

    Follow this SAP note:

    510007 - Setting up SSL on Web Application Server ABAP

    and set appropriate values for ssl/ciphersuites and ssl/client_ciphersuites. While setting these parameters, make sure you check all your certificate-based connections and make sure that they support a similar level of encryption. Thanks


    • Hi,

      I still believe that leaving it as is is a better option than disabling the HTTPS connection. I know that it will "resolve" one of your issues, but it's not right. It's just dumb following of a recommendation from an audit.

      As Samuli mentioned, I would raise a ticket with SAP. I would ask how you can control the SSL cipher suites used by sapstartsrv. Before raising a ticket, I would double-check what cipher suites are offered by the standard HTTPS port used for serving various web-based services and by port 5xx14. Is it possible that your port 443 is actually open on a web dispatcher or other reverse proxy and hence gets its config from somewhere else?

      Cheers
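The check suggested above (compare what cipher suites each HTTPS port actually offers before touching profile parameters) can be done with a small probe script. This is an added example, not code from the thread or from SAP; it assumes an OpenSSL-backed Python `ssl` module, and the `WEAK_MARKERS` list and the `classify` / `probe_offered_ciphers` function names are my own. The sample cipher list at the bottom is constructed, not a real scan result.

```python
import socket
import ssl
import sys

# Substrings in OpenSSL cipher names that vulnerability scanners flag as weak
# (no encryption, export grades, anonymous key exchange, RC4/DES/3DES, MD5 MACs).
WEAK_MARKERS = ("NULL", "EXP", "ADH", "AECDH", "RC4", "DES", "RC2", "IDEA", "SEED", "MD5")


def classify(cipher_names):
    """Split OpenSSL-style cipher names into (weak, strong), keeping input order."""
    weak, strong = [], []
    for name in cipher_names:
        if any(marker in name.upper() for marker in WEAK_MARKERS):
            weak.append(name)
        else:
            strong.append(name)
    return weak, strong


def probe_offered_ciphers(host, port, timeout=5.0):
    """Return the TLS 1.0-1.2 cipher names host:port will negotiate.

    One handshake per candidate cipher: a suite is 'offered' if the server
    completes the handshake when it is the only suite the client allows.
    Certificate checks are off on purpose: sapstartsrv usually has a self-signed
    certificate and we only want to learn the suite list, not trust the peer.
    """
    candidates = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    candidates.set_ciphers("ALL:COMPLEMENTOFALL:@SECLEVEL=0")  # include suites OpenSSL normally drops
    offered = []
    for entry in candidates.get_ciphers():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 suites ignore set_ciphers()
        try:
            ctx.set_ciphers(entry["name"] + ":@SECLEVEL=0")  # assumes OpenSSL >= 1.1.0 syntax
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    negotiated = tls.cipher()[0]
                    if negotiated not in offered:
                        offered.append(negotiated)
        except (OSError, ssl.SSLError):
            continue  # rejected suite, unsupported protocol, or no answer
    return offered


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])  # e.g. the host and its 5xx14 port
    weak, strong = classify(probe_offered_ciphers(host, port))
    print("WEAK  :", ", ".join(weak) or "none")
    print("STRONG:", ", ".join(strong) or "none")
```

Run it once against port 5xx14 and once against the normal HTTPS port; if the two lists differ, the ports are not sharing one SSL configuration, which is exactly the reverse-proxy question raised above.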

  •
    Former Member
    Jan 03, 2014 at 01:57 PM

    Thank you, I will add the parameter and see if that fixes this problem.

    Looking at the details of the parameter, my worry is that this will break something which is working. I believe this parameter change will apply to all HTTP/HTTPS communication happening over other SAP ports as well. I would do some tests, but is there something you suggest I look at?
