cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

TLS 1.2, but fail on cipher suits

Go to solution
Dimitri
Active Contributor

on ‎11-26-2018 12:02 PM

All,

We need to integrate with UPS and they recently changed their policy.
When I test with a REST adapter, I get this error: Client: Peer sent alert: Alert Fatal: handshake failure.
When I check XPI inspector traces, I see this

Seems like TLS 1.2 support is OK (we are on SAP PO 7.5, SP11), but the cipher suits seems to be the problem.

What can we do to get over this problem?

Thanks a lot!
Dimitri

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

mate_moricz
Advisor
Advisor
‎11-29-2018 9:27 AM
0 Kudos

Hi Dimitri,

You can overwrite the default SSL settings by using a custom SSLContext.properties file and include the DHE based cipher suites (ECDHE is not supported by the current version of the IAIK library used). One important thing to mention: you need to add all the default cipher suites to this custom file and the additional DHE based too because only those cipher suites will be available that are in this file (meaning you can basicly exclude the default ones if they are not added to the file). So the SSLContext.properties can look like this:


#default suites

cipherSuite=TLS_RSA_WITH_AES_256_GCM_SHA384
cipherSuite=TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
cipherSuite=TLS_RSA_WITH_AES_256_CBC_SHA256
cipherSuite=TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
cipherSuite=TLS_RSA_WITH_AES_128_GCM_SHA256
cipherSuite=TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256
cipherSuite=TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
cipherSuite=TLS_RSA_WITH_AES_256_CBC_SHA
cipherSuite=TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA
cipherSuite=TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
cipherSuite=SSL_RSA_WITH_3DES_EDE_CBC_SHA
cipherSuite=SSL_RSA_WITH_RC4_128_SHA

#the required DHE base suites
cipherSuite=TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
cipherSuite=TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
cipherSuite=TLS_DHE_RSA_WITH_AES_256_CBC_SHA
cipherSuite=TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
cipherSuite=TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
cipherSuite=TLS_DHE_RSA_WITH_AES_128_CBC_SHA


The SSLContext.properties file can be found in the jar file at "usr/sap/<SID>/SYS/global/security/lib/tools/" and choose iaik_ssl.jar file. In this file go to ../iaik_ssl/iaik/security/ssl/".

Best regards,
Mate

Show replies
Show replies
Dimitri
Active Contributor
‎11-30-2018 9:42 AM
0 Kudos

Hi Mate,

To support ECDHE base suites, I guess we need to update the IAIK library, and thus the SAP PO system, right?

EDIT: OSS note 2538934 indicates this is not possible.

I will add the DHE based cipher suites and test. If the problem persists, we need to be very creative 🙂

Thanks.
Dimitri

Answers (10)

Answers (10)

marksmyth
Product and Topic Expert
Product and Topic Expert
‎05-28-2019 9:22 AM

Hello all,

From April 2019:
Support for ECDHE or ECDSA is now possible if you meet the requirements outlined in SAP Note 2708581 ECC Support for Outbound Connections in SAP NW AS Java.

Regards
Mark

Show replies
Show replies
Dimitri
Active Contributor
‎05-28-2019 9:31 AM
0 Kudos

Hi Mark,

Thanks for the update! That is great news…

Kind regards,
Dimitri

former_member615375
Discoverer
‎08-14-2019 8:48 AM
0 Kudos

Hi Experts,

ECDHE is supported by NW 7.50 and above. We are on 7.40 and required to use tls 1.2 we have updated the SSLContext.properties still it gives error unsupported ciphersuits. need your suggestion.

Thanks

Syed Tufail Kazmi

Show replies
Show replies
former_member611980
Discoverer
‎05-28-2019 12:35 PM
0 Kudos

Looking for an answer/solution for SAP PI to support ECDHE

Show replies
Show replies
volker_teichmann
Explorer
‎03-13-2019 9:33 AM
0 Kudos

Will also suggest to use a Webdispatcher in front of the JAVA System that terminates SSL and can deliver a proper Cipher...

Show replies
Show replies
JaySchwendemann
Active Contributor
‎10-12-2021 5:12 PM
0 Kudos

Unfortunatelly this would be your only option if an PI patching is not feasible. It would not need to be an WebDispatcher though and often enough there is already a proxy infrastructure available that can terminate SSL

I would not reccomend going through the hassle of an extra network entity but rather patch the PI system then, I guess.

Dimitri
Active Contributor
‎03-13-2019 7:47 AM
0 Kudos

Hi Oeystein,

I checked te UPS web site again and they also need the TLS_ECDHE_* cipher suites. In our SSL properties, we've added only these ones

cipherSuite=TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
cipherSuite=TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
cipherSuite=TLS_DHE_RSA_WITH_AES_256_CBC_SHA
cipherSuite=TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
cipherSuite=TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
cipherSuite=TLS_DHE_RSA_WITH_AES_128_CBC_SHA

So I guess the system does not need all cipher suites. Our SAP PO system doesn't even have ECDHE* cipher suites.
But if you only have ECDHE supported by the other party and SAP does not support it, I guess there you have a problem.

Are there alternatives? Perhaps ask the other party to support more cipher suites?

Kind regards,
Dimitri

Show replies
Show replies
mate_moricz
Advisor
Advisor
‎03-13-2019 9:24 AM

Hi,

A possible workaround is to use a reverse proxy for the communication which can handle the ECDHE cipher suites.

Best regards,
Mate

JaySchwendemann
Active Contributor
‎10-12-2021 5:03 PM
0 Kudos

At the risk of being overly picky, it's a "normal" proxy instead of a reverse proxy if you look at it from "your on-prem" world. Also it needs to terminate the SSL (effectively playing "man in the middle") for this to work

Cheers

JaySchwendemann
Active Contributor
‎10-12-2021 5:09 PM
0 Kudos 
I checked te UPS web site again and they also need the TLS_ECDHE_* cipher suites. In our SSL properties, we've added only these ones
cipherSuite=TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

UPS does not need the ECDHE cipher suites. It is just so it will prefer an TLS_ECDHE over an TLS_DHE. It does accept all the mentioned Cipher suites, see e.g. https://www.ssllabs.com/ssltest/analyze.html?d=onlinetools.ups.com&s=153.2.224.76

By addding the missing cipher suites starting with TLS_DHE to your SSLContext.properties you effectively enabled your PI (your client) to use a cipher that UPS (the server) does accept.

The added TLS_ECDHE did not do anything here, because the client does (did) not yet support these.

Dimitri
Active Contributor
‎03-11-2019 9:12 PM
0 Kudos

Hi Oeystein,

Just update the SSLcontext.properties with the needed Cipher Suites. Should work I guess.

Kind regards,
Dimitri

Show replies
Show replies
ystein_emhjellen3
Explorer
‎03-12-2019 4:19 PM
0 Kudos

Hi Dimitri,

Thanks for your suggestion!

According to SAP note 2538934 - ECDHE cipher suites handshake failure (Version 8 from 07.02.2019), the ECDHE cipher suites are not supported. It states: "At the moment, SAP do not support cipher suites with Elliptic curves algorithms for TLS connections outgoing from NW Java server."

https://launchpad.support.sap.com/#/notes/0002538934

So updating the SSLcontext.properties will not work, I think. Mate Moricz confirmed this in his comment on Nov 29, 2018.

Have you succeeded with ECDHE cipher suites by altering the SSLcontext.properties?

I hope SAP will fix this soon, or we need to find a different messaging solution than SAP PI..

Best regards,

Oeystein

ystein_emhjellen3
Explorer
‎03-11-2019 9:42 AM
0 Kudos

Hi!

We also need a solution for supporting ECDHE...!

We have interfaces towards partners that only support ECDHE Ciphers. When will SAP/IAIK support these Ciphers?

Regards,

Oeystein Emhjellen

Show replies
Show replies
mate_moricz
Advisor
Advisor
‎11-30-2018 9:47 AM
0 Kudos

Hi Dimitri,


There is no new Note yet to have a newer IAIK library that supports ECDHE, so right now ECDHE based suites can't be used at all and we don't know when will a new Note released to resolve this.

Best regards,
Mate

Show replies
Show replies
alicifci
Explorer
‎01-21-2019 10:00 AM
0 Kudos

Hi Dimitri,

Still no solution for supporting ECDHE?

We have a lot of customers with partners that only support ECDHD Ciphers. When will SAP/IAIK support these Ciphers?

Can you please inform us about this?

Best regards,

Ali Cifci

SAP Basis - The Netherlands

Dimitri
Active Contributor
‎11-26-2018 2:20 PM
0 Kudos

Hi Balázs,

I will check with UPS and come back to you as soon as possible.

Kind regards,
Dimitri

Show replies
Show replies
former_member285219
Explorer
‎11-26-2018 2:04 PM
0 Kudos

Hi Dimitri,

Does the destination system supports at least one of the cipher suites from the list with TLS 1.2?

Regards,
Balázs

Show replies
Show replies
Dimitri
Active Contributor
‎11-26-2018 7:21 PM
0 Kudos


Hi Balázs,

This is the list of supported ciphers from UPS:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Any idea how to tackle that?
Add the on server level and refer in the (SOAP or REST) adapter?

EDIT: in the meantime, I logged an incident at SAP and they refer to OSS Note 2616423. I will try that first and inform you on the outcome.

Thanks.
Dimitri

Ask a Question