Application Development Discussions

R/3 4.7 Weak SSL Ciphers

Sunslayer86
Explorer
0 Kudos

FYI -

Does anyone know how to disable weak SSL ciphers in SAP R/3 4.7? In particular NULL ciphers?

Does anyone know how to do this on the ABAP side?

1 ACCEPTED SOLUTION

martin_voros
Active Contributor
0 Kudos

Hi,

have a look at note 510007.

Cheers

7 REPLIES

Former Member
0 Kudos

You can try to only activate services which use strong authentication and encryption for the ICF (the settings are "inherited" in the tree).

Not sure how practical that is for you...

I have never seen a system which has all communication channels encrypted which at the same time uses frontend components. That will be your biggest challenge.

Search term: SAML

Cheers,

Julius


0 Kudos

Hi Martin,

Those are the available ciphers and useful infos for sure, but active services which users are authorized for need to define the authentication method in practice.

That is a different "ball game" if all communication must be encrypted.

Cheers,

Julius

0 Kudos

Hi Julius,

as far as I understand he just wants to restrict cipher suites used by SSL. Especially, NULL ciphers. This is a common issue, that people think that if it goes over SSL then everything is encrypted. This is not true in case that client chooses suite with NULL cipher and server allows this suite.

Cheers

0 Kudos

Hi Martin,

> as far as I understand he just wants to restrict cipher suites used by SSL.

On the server side.

> Especially, NULL ciphers.

Presented from the (potentially compromised) client side.

> This is a common issue, that people think that if it goes over SSL then everything is encrypted. This is not true in case that client chooses suite with NULL cipher and server allows this suite.

Indeed.

It is a tough call to encrypt everything. Activating only the services which you use is a big step in the right direction.

Historically customers have classified their intranets as secure, but many have revised that already because of the browsing habits of users "on the inside".

Cheers,

Julius

0 Kudos

as note 510007 says, use the profile parameter

ssl/ciphersuites=MEDIUM:HIGH:EXPORT:!LOW:!eNULL

for this purpose, or apply a setting of your preferences.

Sunslayer86
Explorer
0 Kudos

I just tried the following line in the webdispatcher but it did not seem to stop null and low ciphers.

I am going to try and add it to my QAS ABAP instance. I can't do it till Saturday.

Thank you for the help fellas.
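Added example, not code from this thread, from SAP or from note 510007: the ssl/ciphersuites value quoted above uses OpenSSL-style cipher-list syntax, and the last post shows the usual follow-up question, namely whether the server actually stopped offering NULL and LOW suites after the change. The script below does two things. First, it resolves a cipher-list string against a small, constructed catalogue of suite names (the names follow OpenSSL naming, but the catalogue and its strength classes are simplified assumptions, not an OpenSSL build's real list), so you can see which suites a given string admits and which of those still provide no or export-grade encryption. Second, server_accepts() offers only a chosen cipher list to a server you administer and reports whether it negotiated one of them; the host and port in the commented-out call are hypothetical placeholders.

```python
import socket
import ssl

# Constructed, simplified catalogue of cipher suites and the OpenSSL-style
# keywords each one answers to. A real OpenSSL build has far more suites and
# the strength classes have shifted between versions; this is illustrative.
CATALOGUE = {
    "AES256-SHA":      frozenset({"HIGH", "AES", "SHA1", "RSA"}),
    "AES128-SHA":      frozenset({"HIGH", "AES", "SHA1", "RSA"}),
    "DES-CBC3-SHA":    frozenset({"HIGH", "3DES", "SHA1", "RSA"}),
    "RC4-SHA":         frozenset({"MEDIUM", "RC4", "SHA1", "RSA"}),
    "RC4-MD5":         frozenset({"MEDIUM", "RC4", "MD5", "RSA"}),
    "DES-CBC-SHA":     frozenset({"LOW", "DES", "SHA1", "RSA"}),
    "EXP-RC4-MD5":     frozenset({"EXPORT", "EXPORT40", "RC4", "MD5", "RSA"}),
    "EXP-DES-CBC-SHA": frozenset({"EXPORT", "EXPORT40", "DES", "SHA1", "RSA"}),
    "NULL-SHA":        frozenset({"eNULL", "NULL", "SHA1", "RSA"}),
    "NULL-MD5":        frozenset({"eNULL", "NULL", "MD5", "RSA"}),
}

# Classes a defender normally wants absent from a production server.
WEAK_KEYWORDS = {"eNULL", "LOW", "EXPORT"}


def _matches(name, word):
    """Does suite `name` match one cipher-list word (a suite name, a class
    keyword, or a '+'-joined conjunction such as RSA+SHA1)?"""
    keywords = CATALOGUE[name]
    if word == name:
        return True
    if word == "ALL":                 # ALL never includes null encryption
        return "eNULL" not in keywords
    if word == "COMPLEMENTOFALL":
        return "eNULL" in keywords
    return all(part in keywords for part in word.split("+"))


def evaluate_cipher_list(spec):
    """Resolve an OpenSSL-style cipher-list string into an ordered list of
    suite names, following the operator semantics OpenSSL documents:
    a plain word appends, '-' removes (re-addable), '!' removes permanently,
    '+' moves matching suites to the end. '@' directives are ignored here."""
    enabled = []
    killed = set()
    for token in spec.split(":"):
        token = token.strip()
        if not token or token.startswith("@"):
            continue
        op, word = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        matched = [n for n in CATALOGUE if _matches(n, word)]
        if op == "!":
            killed.update(matched)
            enabled = [n for n in enabled if n not in killed]
        elif op == "-":
            enabled = [n for n in enabled if n not in matched]
        elif op == "+":
            moved = [n for n in enabled if n in matched]
            enabled = [n for n in enabled if n not in matched] + moved
        else:
            for n in matched:
                if n not in enabled and n not in killed:
                    enabled.append(n)
    return enabled


def weak_suites_enabled(spec):
    """Suites the list still admits that offer no or export-grade encryption."""
    return [n for n in evaluate_cipher_list(spec) if CATALOGUE[n] & WEAK_KEYWORDS]


def server_accepts(host, port, cipher_spec, timeout=5.0):
    """Offer only `cipher_spec` to a server you administer and return the suite
    it negotiated, False if it refused the handshake, or None if the local
    OpenSSL build has none of those suites (modern builds compile out NULL
    and RC4 by default, so this probe needs a suitably built OpenSSL)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # we are testing cipher policy, not the certificate
    try:
        ctx.set_ciphers(cipher_spec)
    except ssl.SSLError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except OSError:                    # ssl.SSLError is a subclass of OSError
        return False


if __name__ == "__main__":
    spec = "MEDIUM:HIGH:EXPORT:!LOW:!eNULL"   # the string quoted from note 510007
    print("enabled:   ", evaluate_cipher_list(spec))
    print("still weak:", weak_suites_enabled(spec))
    # Hypothetical host and port; run against your own SSL endpoint after the change.
    # print(server_accepts("sapserver.example", 8443, "eNULL:LOW:EXPORT"))
```

Running the evaluator on the quoted string shows why the `!eNULL` and `!LOW` terms matter (a later plain `eNULL` cannot re-add a `!`-removed suite) and also that the string as written still admits the EXPORT-grade suites, which is worth weighing when choosing "a setting of your preferences". For the live check, a result of False for an eNULL-only offer is what you want to see after the profile parameter is active.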