08-29-2021 2:18 PM
Hi Experts,
Our cloud team shared a Nessus vulnerability finding with us, asking to disable TLS 1.0 and enable TLS 1.2. It mentioned that TLS 1.0/1.1 is used on ports 3201 (enqueue server) and 3071 (Javaexe), which are open and listening.
A screenshot is attached for reference.
As per SAP Note 510007, I added the below parameters:
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
Apart from this, is there anything else we need to check to enable TLS 1.2 from our end? Please share your inputs on this.
Regards
Karthik.M
09-09-2021 9:15 AM
Hello Francesco,
maybe my blog post https://blogs.sap.com/2021/05/03/commoncryptolib-tls-protocol-versions-and-cipher-suites/ helps to find the relevant settings.
BR,
Joe
09-26-2021 3:09 PM
Hello Robert,
As per note 2384290, we need to add the below parameters; apart from this I don't see any other specific steps to disable TLS 1.0 in this note. Please confirm.
ssl/ciphersuites = 801:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_ciphersuites = 816:PFS:HIGH::EC_P256:EC_HIGH
Regards
Karthik.M
09-26-2021 3:30 PM
Hello bhagavan,
Yes, with 801/816 you will disable v1.0.
There are lots of warnings in 2384290 like:
Preferably you should use the TLSv1.2-only configuration instead (nobody is using TLSv1.1 anyway!)
You may also consider the following two, if not already done:
icm/HTTPS/client_sni_enabled = TRUE
ssl/client_sni_enabled = TRUE
Regards, Robert
11-02-2021 8:01 AM
Hi Robert,
We have added these parameters, but we are still facing the vulnerability finding when running the scan report.
ssl/client_ciphersuites = 816:PFS:HIGH::EC_P256:EC_HIGH
ssl/ciphersuites = 801:PFS:HIGH::EC_P256:EC_HIGH
A screenshot is also attached here for your reference.
Regards
Karthik.M
11-02-2021 8:02 AM
11-10-2021 1:08 PM
Hi bhagavan,
when you answer your own question, I get no clue about it.
From the screenshots I see the requirement is to disable both v1.0 and v1.1, not just v1.0.
The 801/816 will disable only v1.0, which according to the report is also not done. Did you restart the ICM?
For disabling both 1.0 and 1.1 use:
ssl/ciphersuites = 545:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_ciphersuites = 560:PFS:HIGH::EC_P256:EC_HIGH
and again: restart the ICM.
Did you read SNote 2384290? All this is described there:
05-13-2023 12:05 AM
ssl/ciphersuites = 545:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_ciphersuites = 560:PFS:HIGH::EC_P256:EC_HIGH
I just added these and restarted SAP, but it is still the same version 1.0.
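The thread relies on the next Nessus run to tell whether the ssl/ciphersuites change took effect. A quicker check is to probe the listening ports yourself after the ICM restart and see which protocol versions each one still completes a handshake for. The script below is an added example, not code from the thread, from SAP or from the Nessus report; it assumes the openssl command-line tool is installed, uses openssl's own -tls1/-tls1_1/-tls1_2 client flags, and takes the host and port as arguments (the host name in the comments is a placeholder). The parsing of the s_client output is kept in its own function so it can be checked on captured output without a live connection.

```shell
#!/bin/sh
# Added example, not from the thread: re-check which TLS versions a listener
# still accepts after changing ssl/ciphersuites and restarting the ICM.
# Assumes the openssl command-line tool is installed. Host and port are passed
# as arguments, e.g. "sh tls_check.sh sapserver.example.internal 3201" (placeholder host).

# Classify raw `openssl s_client` output.
#   accepted   - a handshake completed under the requested protocol version
#   untestable - the local openssl refused to offer that version itself
#   rejected   - the server refused the version (the desired result for 1.0/1.1)
classify_handshake() {
  out="$1"
  if printf '%s\n' "$out" | grep -q 'no protocols available'; then
    echo untestable
  elif printf '%s\n' "$out" | grep -Eq '^New, TLSv1[^,]*, Cipher is [A-Za-z0-9_-]+$'; then
    echo accepted
  else
    # Covers "New, (NONE), Cipher is (NONE)", protocol_version alerts,
    # "wrong version number" and plain connection failures.
    echo rejected
  fi
}

# Probe one protocol version. OpenSSL 1.1.0+ refuses to offer TLS 1.0/1.1 at its
# default security level, so those two probes lower it on the client side only;
# without that, a locally refused 1.0 probe would look like a fixed server.
probe_version() {
  host="$1"; port="$2"; flag="$3"
  case "$flag" in
    -tls1|-tls1_1) legacy='-cipher DEFAULT:@SECLEVEL=0' ;;
    *)             legacy='' ;;
  esac
  # $legacy is deliberately unquoted so it splits into two arguments.
  out=$(openssl s_client -connect "$host:$port" "$flag" $legacy </dev/null 2>&1)
  classify_handshake "$out"
}

# Report TLS 1.0, 1.1 and 1.2 for one host:port, one line per version.
report_tls_versions() {
  host="$1"; port="$2"
  for spec in 'TLSv1.0:-tls1' 'TLSv1.1:-tls1_1' 'TLSv1.2:-tls1_2'; do
    name=${spec%%:*}
    flag=${spec#*:}
    printf '%s:%s %-8s %s\n' "$host" "$port" "$name" "$(probe_version "$host" "$port" "$flag")"
  done
}

# Run only when a host and port are given, e.g. once for 3201 and once for 3071.
if [ "$#" -ge 2 ]; then
  report_tls_versions "$1" "$2"
fi
```

Run it against each port named in the finding; the expected end state after the 545/560 configuration and an ICM restart is "rejected" for TLSv1.0 and TLSv1.1 and "accepted" for TLSv1.2. An "untestable" result means your own openssl build would not offer that version, not that the server refused it, so the probe has to be repeated from a host whose openssl still can.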