03-11-2010 9:48 PM
FYI -
Does anyone know how to disable weak SSL ciphers in SAP R/3 4.7? In particular NULL ciphers?
Does anyone know how to do this on the ABAP side?
03-11-2010 10:09 PM
You can try to only activate services which use strong authentication and encryption for the ICF (the settings are "inherited" in the tree).
Not sure how practical that is for you...
I have never seen a system which has all communication channels encrypted which at the same time uses frontend components. That will be your biggest challenge.
Search term: SAML
Cheers,
Julius
03-11-2010 10:15 PM
Hi Martin,
Those are the available ciphers and useful info for sure, but active services which users are authorized for need to define the authentication method in practice.
That is a different "ball game" if all communication must be encrypted.
Cheers,
Julius
03-11-2010 10:27 PM
Hi Julius,
As far as I understand, he just wants to restrict the cipher suites used by SSL, especially NULL ciphers. This is a common issue: people think that if it goes over SSL then everything is encrypted. This is not true if the client chooses a suite with a NULL cipher and the server allows this suite.
Cheers
03-11-2010 11:01 PM
Hi Martin,
> as far as I understand he just wants to restrict cipher suites used by SSL.
On the server side.
> Especially, NULL ciphers.
Presented from the (potentially compromised) client side.
> This is a common issue: people think that if it goes over SSL then everything is encrypted. This is not true if the client chooses a suite with a NULL cipher and the server allows this suite.
Indeed.
It is a tough call to encrypt everything. Activating only the services which you use is a big step in the right direction.
Historically customers have classified their intranets as secure, but many have revised that already because of the browsing habits of users "on the inside".
Cheers,
Julius
04-01-2010 8:25 AM
As note 510007 says, use the profile parameter
ssl/ciphersuites=MEDIUM:HIGH:EXPORT:!LOW:!eNULL
for this purpose, or apply a setting of your preference.
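The cipher string in the note uses OpenSSL-style cipher-list syntax, where the difference between `!` and `-` decides whether an excluded suite can sneak back in. The evaluator below is an added example (not from the thread, SAP, or the note) that models those list semantics over a small constructed suite table; it assumes the usual OpenSSL keyword meanings (eNULL, LOW, MEDIUM, HIGH, EXPORT, ALL) and is not SAPCRYPTOLIB's implementation.

```python
"""OpenSSL-style cipher-string evaluator (added example, not SAP's code).
The suite table is constructed and small; the evaluator approximates OpenSSL
list semantics: plain token adds, '!' removes permanently, '-' removes but the
suite may be re-added later, '+' moves matches to the end of the list."""

# Constructed table: suite name -> OpenSSL keywords it matches (eNULL = no encryption).
SUITES = {
    "NULL-MD5": {"eNULL"},
    "NULL-SHA": {"eNULL"},
    "EXP-RC4-MD5": {"EXPORT"},      # 40-bit export grade
    "DES-CBC-SHA": {"LOW"},         # 56-bit DES
    "RC4-SHA": {"MEDIUM"},
    "DES-CBC3-SHA": {"HIGH"},
    "AES128-SHA": {"HIGH"},
    "AES256-SHA": {"HIGH"},
}

def matches(suite, keyword):
    """A token matches a suite by name or keyword; ALL excludes eNULL, as in OpenSSL."""
    if keyword == "ALL":
        return "eNULL" not in SUITES[suite]
    return keyword == suite or keyword in SUITES[suite]

def evaluate(cipher_string):
    """Return the ordered list of suites the string enables."""
    enabled, banned = [], set()
    for token in cipher_string.split(":"):
        op, kw = (token[0], token[1:]) if token and token[0] in "!-+" else ("", token)
        hits = [s for s in SUITES if matches(s, kw)]
        if op == "!":                      # permanent exclusion
            banned.update(hits)
            enabled = [s for s in enabled if s not in hits]
        elif op == "-":                    # removable exclusion
            enabled = [s for s in enabled if s not in hits]
        elif op == "+":                    # demote to end of preference order
            enabled = [s for s in enabled if s not in hits] + [s for s in enabled if s in hits]
        else:
            enabled += [s for s in hits if s not in enabled and s not in banned]
    return enabled

def allows_null(cipher_string):
    """True if a NULL (unencrypted) suite survives in the resulting list."""
    return any("eNULL" in SUITES[s] for s in evaluate(cipher_string))

if __name__ == "__main__":
    for s in ("MEDIUM:HIGH:EXPORT:!LOW:!eNULL", "-eNULL:eNULL", "!eNULL:eNULL"):
        print(f"{s:32} -> {evaluate(s)}  NULL allowed: {allows_null(s)}")
    # Note: the string from the note still enables EXP-RC4-MD5 because it lists EXPORT.
```

Against this table the note's string excludes every NULL suite but keeps the EXPORT-grade one, which is why "a setting of your preference" usually also drops EXPORT.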
03-11-2010 10:51 PM
I just tried the following line in the Web Dispatcher, but it did not seem to stop NULL and LOW ciphers.
I am going to try and add it to my QAS ABAP instance. I can't do it till Saturday.
Thank you for the help fellas.