on 06-01-2020 10:04 AM
Currently our server is running TLS v1.0.
Due to security reasons, we want to update it to use TLS v1.2 or TLS v1.3.
What steps are needed to do this upgrade?
As Cris has correctly pointed you to the above, this should provide you with the details you need. TLS 1.3 is not supported currently for ABAP last time I checked... I am presuming you are talking about your ABAP stack and not the Java stack?
The below is from note 51007...
Over the course of year 2016, a growing number of TLS servers were reconfigured to abort/reject TLSv1.0 handshakes, or they are requiring forward secrecy (PFS) cipher suites for access. The currently recommended settings for TLSv1.2 interoperability are (requiring at least CommonCryptoLib 8.4.38, recommending at least 8.4.49):
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
icm/HTTPS/client_sni_enabled = TRUE
ssl/client_sni_enabled = TRUE
SETENV_26 = SECUDIR=$(DIR_INSTANCE)$(DIR_SEP)sec
SETENV_27 = SAPSSL_CLIENT_CIPHERSUITES=150:PFS:HIGH::EC_P256:EC_HIGH
SETENV_28 = SAPSSL_CLIENT_SNI_ENABLED=TRUE
Thanks for the response, I am getting this error while trying to set the above parameters:
You can put the parameters in any profile and they will apply, only an ICM restart is needed.
Keep in mind that the above values (which are taken from note 510007) enable TLS 1.2 with 1.1 and 1.0 fallback.
If you want to ensure TLS 1.2 without fallback see configuration from note 2384290 (this is also shown in 510007 in the section with the table that contains the cipher string options).
Also for the client cipher suites you should apply the settings on your icm/ssl_config_X using the CIPHERS option to configure.
Finally, you can disable specific ciphers by prefixing them with the ! character. Execute the command sapgenpse.exe tlsinfo -H to see a list of ciphers and elliptic curves you can configure.
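To check a profile for the TLS 1.0/1.1 fallback discussed in this thread, the following added example (not part of any post here and not SAP tooling) decodes the leading number of the cipher suite strings quoted above. The flag meanings are an assumption based on the flag table in SAP Note 510007 and should be confirmed against the note; the 545 value in the second sample is constructed for comparison.

```python
import re

# Flag bits of the number that starts ssl/ciphersuites.
# Assumption: meanings as listed in SAP Note 510007; confirm against the note.
FLAGS = {
    1: "BC (accept SSLv2-format ClientHello)",
    2: "BEST (enable highest available TLS version)",
    4: "NO_GAP (no gaps between enabled versions)",
    16: "blind sending of client certificate",
    32: "strict protocol version configuration",
    64: "SSLv3", 128: "TLSv1.0", 256: "TLSv1.1", 512: "TLSv1.2",
}
LEGACY = 64 | 128 | 256   # any protocol version below TLSv1.2
STRICT = 32               # assumption: without it TLSv1.0 is enabled automatically

PARAM_RE = re.compile(
    r"(ssl/(?:client_)?ciphersuites|SAPSSL_CLIENT_CIPHERSUITES)\s*=\s*(\d+):(\S*)")

def allows_fallback(value):
    """True if a handshake below TLSv1.2 can still be negotiated."""
    return bool(value & LEGACY) or not value & STRICT

def audit_profile(text):
    """Map each cipher suite parameter found in profile text to its decoded settings."""
    findings = {}
    for param, number, rest in PARAM_RE.findall(text):
        value = int(number)
        tokens = [t for t in rest.split(":") if t]
        findings[param] = {
            "flags": [name for bit, name in FLAGS.items() if value & bit],
            "enabled_tokens": [t for t in tokens if not t.startswith("!")],
            "disabled_tokens": [t[1:] for t in tokens if t.startswith("!")],
            "fallback_below_tls12": allows_fallback(value),
        }
    return findings

# Values quoted in this thread.
THREAD_PROFILE = """\
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
SETENV_27 = SAPSSL_CLIENT_CIPHERSUITES=150:PFS:HIGH::EC_P256:EC_HIGH
"""
# Constructed sample: 545 = 512 + 32 + 1 (TLSv1.2, strict, BC).
STRICT_PROFILE = "ssl/ciphersuites = 545:PFS:HIGH::EC_P256:EC_HIGH\n"

if __name__ == "__main__":
    for label, profile in (("thread", THREAD_PROFILE), ("strict", STRICT_PROFILE)):
        for param, info in audit_profile(profile).items():
            print(label, param, info["fallback_below_tls12"], info["flags"])
```

Run it against the instance and default profiles after the ICM restart mentioned above; any parameter reported with fallback enabled still accepts handshakes below TLS 1.2.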