on 11-26-2018 12:02 PM
All,
We need to integrate with UPS and they recently changed their policy.
When I test with a REST adapter, I get this error: Client: Peer sent alert: Alert Fatal: handshake failure.
When I check XPI inspector traces, I see this
Seems like TLS 1.2 support is OK (we are on SAP PO 7.5, SP11), but the cipher suites seem to be the problem.
What can we do to get over this problem?
Thanks a lot!
Dimitri
Hi Dimitri,
You can overwrite the default SSL settings by using a custom SSLContext.properties file and include the DHE-based cipher suites (ECDHE is not supported by the current version of the IAIK library used). One important thing to mention: you need to add all the default cipher suites to this custom file and the additional DHE-based ones too, because only those cipher suites will be available that are in this file (meaning you can basically exclude the default ones if they are not added to the file). So the SSLContext.properties can look like this:
#default suites
cipherSuite=TLS_RSA_WITH_AES_256_GCM_SHA384
cipherSuite=TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
cipherSuite=TLS_RSA_WITH_AES_256_CBC_SHA256
cipherSuite=TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
cipherSuite=TLS_RSA_WITH_AES_128_GCM_SHA256
cipherSuite=TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256
cipherSuite=TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
cipherSuite=TLS_RSA_WITH_AES_256_CBC_SHA
cipherSuite=TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA
cipherSuite=TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
cipherSuite=SSL_RSA_WITH_3DES_EDE_CBC_SHA
cipherSuite=SSL_RSA_WITH_RC4_128_SHA
#the required DHE base suites
cipherSuite=TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
cipherSuite=TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
cipherSuite=TLS_DHE_RSA_WITH_AES_256_CBC_SHA
cipherSuite=TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
cipherSuite=TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
cipherSuite=TLS_DHE_RSA_WITH_AES_128_CBC_SHA
The SSLContext.properties file can be found in the iaik_ssl.jar file under "usr/sap/<SID>/SYS/global/security/lib/tools/". Inside this jar, go to "../iaik_ssl/iaik/security/ssl/".
Best regards,
Mate
Hello all,
From April 2019:
Support for ECDHE or ECDSA is now possible if you meet the requirements outlined in SAP Note 2708581 ECC Support for Outbound Connections in SAP NW AS Java.
Regards
Mark
Hi Experts,
ECDHE is supported by NW 7.50 and above. We are on 7.40 and required to use TLS 1.2. We have updated the SSLContext.properties, but it still gives the error "unsupported cipher suites". I need your suggestion.
Thanks
Syed Tufail Kazmi
Looking for an answer/solution for SAP PI to support ECDHE
I would also suggest using a Web Dispatcher in front of the Java system that terminates SSL and can deliver a proper cipher...
Unfortunately this would be your only option if PI patching is not feasible. It would not need to be a Web Dispatcher though, and often enough there is already a proxy infrastructure available that can terminate SSL.
I would not recommend going through the hassle of an extra network entity, but rather patch the PI system then, I guess.
Hi Oeystein,
I checked the UPS web site again and they also need the TLS_ECDHE_* cipher suites. In our SSL properties, we've added only these ones:
cipherSuite=TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
cipherSuite=TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
cipherSuite=TLS_DHE_RSA_WITH_AES_256_CBC_SHA
cipherSuite=TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
cipherSuite=TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
cipherSuite=TLS_DHE_RSA_WITH_AES_128_CBC_SHA
So I guess the system does not need all cipher suites. Our SAP PO system doesn't even have ECDHE* cipher suites.
But if you only have ECDHE supported by the other party and SAP does not support it, I guess there you have a problem.
Are there alternatives? Perhaps ask the other party to support more cipher suites?
Kind regards,
Dimitri
Hi,
A possible workaround is to use a reverse proxy for the communication which can handle the ECDHE cipher suites.
Best regards,
Mate
I checked the UPS web site again and they also need the TLS_ECDHE_* cipher suites. In our SSL properties, we've added only these ones:
cipherSuite=TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
UPS does not need the ECDHE cipher suites. It is just that it will prefer a TLS_ECDHE over a TLS_DHE suite. It does accept all the mentioned cipher suites, see e.g. https://www.ssllabs.com/ssltest/analyze.html?d=onlinetools.ups.com&s=153.2.224.76
By adding the missing cipher suites starting with TLS_DHE to your SSLContext.properties, you effectively enabled your PI (your client) to use a cipher that UPS (the server) does accept.
The added TLS_ECDHE suites did not do anything here, because the client does (did) not yet support these.
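Mate's point that SSLContext.properties is a whitelist and Oeystein's point that TLS_ECDHE entries do nothing on this client, as an added example that is not from the thread, SAP or IAIK: it parses a constructed SSLContext.properties, drops the suites the client library cannot perform, and picks the first remaining suite a server accepts (a simplified client-preference selection, using a constructed subset of the UPS list posted in the thread).

```python
"""Added example (not from the thread, SAP or IAIK): model the cipher-suite
overlap between an NW Java client configured via SSLContext.properties (a
whitelist: only cipherSuite= lines are offered) and a server. No overlap is
exactly the 'handshake failure' in the thread. Inputs are constructed."""

# Constructed: a default-only SSLContext.properties (no DHE suites).
DEFAULT_ONLY = """\
#default suites
cipherSuite=TLS_RSA_WITH_AES_256_GCM_SHA384
cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256
cipherSuite=SSL_RSA_WITH_3DES_EDE_CBC_SHA
"""
# Constructed: same file plus DHE suites and one ECDHE suite the thread's
# IAIK version cannot use (it is listed, but never actually offered).
WITH_DHE = DEFAULT_ONLY + """\
#the required DHE based suites
cipherSuite=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
cipherSuite=TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
cipherSuite=TLS_DHE_RSA_WITH_AES_128_CBC_SHA
"""
# Constructed subset of the UPS list in the thread (no plain TLS_RSA_* suites).
UPS_ACCEPTED = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
}
# Key-exchange families the client library cannot perform (per the thread).
CLIENT_CANNOT = ("TLS_ECDHE_",)


def parse_properties(text):
    """Return the cipherSuite= values in file order; comments and blanks skipped."""
    offered = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "cipherSuite":
            offered.append(value.strip())
    return offered


def negotiate(properties_text, server_accepted):
    """Pick the first client-preferred suite the server accepts (None = failure)."""
    offered = parse_properties(properties_text)
    ignored = [s for s in offered if s.startswith(CLIENT_CANNOT)]
    usable = [s for s in offered if s not in ignored]
    common = [s for s in usable if s in server_accepted]
    return {"selected": common[0] if common else None, "common": common, "ignored": ignored}
```

Running `negotiate(DEFAULT_ONLY, UPS_ACCEPTED)` yields no selected suite (the handshake failure), while `negotiate(WITH_DHE, UPS_ACCEPTED)` selects a TLS_DHE suite and reports the TLS_ECDHE entry as ignored.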
Hi Oeystein,
Just update the SSLcontext.properties with the needed Cipher Suites. Should work I guess.
Kind regards,
Dimitri
Hi Dimitri,
Thanks for your suggestion!
According to SAP note 2538934 - ECDHE cipher suites handshake failure (Version 8 from 07.02.2019), the ECDHE cipher suites are not supported. It states: "At the moment, SAP do not support cipher suites with Elliptic curves algorithms for TLS connections outgoing from NW Java server."
https://launchpad.support.sap.com/#/notes/0002538934
So updating the SSLcontext.properties will not work, I think. Mate Moricz confirmed this in his comment on Nov 29, 2018.
Have you succeeded with ECDHE cipher suites by altering the SSLcontext.properties?
I hope SAP will fix this soon, or we need to find a different messaging solution than SAP PI...
Best regards,
Oeystein
Hi!
We also need a solution for supporting ECDHE...!
We have interfaces towards partners that only support ECDHE Ciphers. When will SAP/IAIK support these Ciphers?
Regards,
Oeystein Emhjellen
Hi Dimitri,
There is no new Note yet to provide a newer IAIK library that supports ECDHE, so right now ECDHE-based suites can't be used at all, and we don't know when a new Note will be released to resolve this.
Best regards,
Mate
Hi Balázs,
I will check with UPS and come back to you as soon as possible.
Kind regards,
Dimitri
Hi Dimitri,
Does the destination system support at least one of the cipher suites from the list with TLS 1.2?
Regards,
Balázs
Hi Balázs,
This is the list of supported ciphers from UPS:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Any idea how to tackle that?
Add them on server level and refer to them in the (SOAP or REST) adapter?
EDIT: in the meantime, I logged an incident at SAP and they refer to OSS Note 2616423. I will try that first and inform you on the outcome.
Thanks.
Dimitri