Application Development Discussions
Mitigating POODLE - Disable SSLv3/use only TLS

Former Member
0 Kudos

All,

It seems there are presently a few discussions on how to mitigate POODLE, but they are fragmented and incomplete.  For the sake of this discussion, I'd like to disable all SSLv3 on AS ABAP and AS Java.  Vulnerability scans have turned up the following ports:

  • 5XX14 - HTTPS Start Service
  • 443XX - HTTPS for ABAP ICM
  • 5XX01 - HTTPS Dispatcher for Java

In summary, I'd like suggestions on how to disable SSLv3 (only run TLS) on the following platforms:

  • AS ABAP HTTPS ICM (Netweaver 7.0)
  • AS ABAP HTTPS ICM (Netweaver 7.3)
  • AS JAVA HTTPS Dispatcher (Netweaver 7.3)
  • AS JAVA HTTPS Dispatcher (Netweaver 7.0)
  • HTTPS Start Service (TCP Port 5XX14)

I look forward to your thoughts.

POODLE Discussion threads I have found:

Relevant OSS Notes I've seen Discussed:

510007

1 ACCEPTED SOLUTION

Former Member
0 Kudos

So far on AS ABAP HTTPS ICM (Netweaver 7.0 and maybe 7.3 as well?) setting the profile parameter "ssl/ciphersuites = 129:HIGH" in RZ10 has worked. This may also work in AS JAVA HTTPS Dispatcher (Netweaver 7.3).

6 REPLIES

0 Kudos

Hi Phillip

I have been reading your posting with interest. I can see that the OSS Note provides the solution for AS ABAP.

This change means that all communications will use TLS. Did you experience any problems? I am also interested to know what you found out about the Java stack. We are running PI Dual Stack and PO Single Stack, so this is very interesting.

Regards

Rob Warde

0 Kudos

Hi Philip,

I am working on the SAP PO Single Stack. It will be of great assistance if there are any details of TLS configuration for the PO server, as you have provided for the Dual Stack.

0 Kudos

It seems that adding "ssl/ciphersuites = 129:HIGH" to the profile (whichever you choose: Default, Instance, etc.) takes care of the following circumstances:

  • AS Java 7.30
  • AS Java 7.0
  • AS ABAP 7.0
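After setting ssl/ciphersuites and restarting the ICM or Java dispatcher, the natural next step is to re-check the ports the vulnerability scanner flagged (5XX14, 443XX, 5XX01) from the outside, the same way the scanner does. The script below is an added example, not code from this thread or from SAP: it sends a minimal SSLv3 ClientHello to a host/port you name and classifies the first record that comes back. A ServerHello with version 3.0 means SSLv3 is still enabled; a TLS alert, a reset or an immediate close means the server refused it. The host, port and cipher suite list are assumptions you supply; the sample response bytes are constructed for offline testing, not captured from any real system.

```python
"""Check whether an HTTPS port still accepts SSLv3 (POODLE mitigation verification).

Added example for this thread; not SAP code. Usage: python poodle_check.py HOST PORT
"""
import socket
import struct
import sys

SSL3_VERSION = b"\x03\x00"      # SSL 3.0 as it appears on the wire
CONTENT_HANDSHAKE = 0x16
CONTENT_ALERT = 0x15
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02


def build_sslv3_client_hello(cipher_suites=(0x002F, 0x0035, 0x000A), client_random=b"\x00" * 32):
    """Return one SSLv3 record carrying a ClientHello that offers only SSL 3.0.

    cipher_suites: assumed list of suites (AES128-SHA, AES256-SHA, 3DES-SHA);
    client_random: fixed to zeros here so the output is reproducible in tests.
    """
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        SSL3_VERSION
        + client_random
        + b"\x00"                                  # session id length = 0
        + struct.pack("!H", len(suites)) + suites  # cipher suites vector
        + b"\x01\x00"                              # compression methods: null only
    )
    handshake = bytes([HS_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body  # 3-byte length
    return bytes([CONTENT_HANDSHAKE]) + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server sent back to the SSLv3 ClientHello.

    Returns 'sslv3_accepted', 'rejected' or 'unknown'.
    """
    if len(data) < 5:
        return "rejected"          # nothing or a truncated header: the server hung up
    content_type = data[0]
    if content_type == CONTENT_ALERT:
        return "rejected"          # e.g. fatal handshake_failure / protocol_version
    if content_type == CONTENT_HANDSHAKE and len(data) >= 11 and data[5] == HS_SERVER_HELLO:
        # record header (5) + handshake header (4) -> server_version at offset 9..11
        return "sslv3_accepted" if data[9:11] == SSL3_VERSION else "unknown"
    return "unknown"


def probe(host, port, timeout=5.0):
    """Connect to host:port, send the SSLv3 ClientHello and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv3_client_hello())
            try:
                data = sock.recv(4096)
            except socket.timeout:
                return "unknown"
    except ConnectionResetError:
        return "rejected"
    return classify_response(data)


# Constructed sample responses for offline use (not captured from a real host).
SAMPLE_ALERT = bytes([CONTENT_ALERT]) + SSL3_VERSION + b"\x00\x02" + b"\x02\x28"   # fatal handshake_failure
SAMPLE_SSLV3_SERVER_HELLO = (
    bytes([CONTENT_HANDSHAKE]) + SSL3_VERSION + b"\x00\x2a"
    + bytes([HS_SERVER_HELLO]) + b"\x00\x00\x26"      # handshake header, body length 38
    + SSL3_VERSION + b"\x00" * 32 + b"\x00"           # version, random, empty session id
    + b"\x00\x2f" + b"\x00"                           # chosen suite, null compression
)

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: python poodle_check.py HOST PORT")
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it against each flagged port after the restart; "rejected" on all of them is the result you want before closing the scanner finding. Because the script only speaks the first flight of the handshake, it cannot be fooled by a cipher-suite restriction that still leaves the SSL 3.0 protocol version enabled, which is exactly the case POODLE exploits.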

0 Kudos

Hi Phillip,

SAP released OSS Notes for this yesterday with the solution for ABAP/Java/HANA.

I've updated my last comment here.

Best regards,

Andy.

0 Kudos

I will copy/paste here for convenience. Thanks, Andy.

POODLE

Today the POODLE resolution OSS Note has been published:

2089135 - Upgrade OpenSSL to resolve the POODLE issue with the SSL 3.0 protocol

and supporting Notes:

SAP Note 2092630 – Turning off SSLv3 on SAP NETWEAVER AS ABAP and AS JAVA, and on SAP HANA XS

SAP Note 2089135 – Upgrade OpenSSL to resolve the POODLE issue with the SSL 3.0 protocol

SAP Note 2083444 – Impact of the POODLE vulnerability on SAP BusinessObjects software

Best regards,

Andy.