10-29-2014 1:38 PM
All,
It seems there are presently a few discussions on how to mitigate POODLE, but they are fragmented and incomplete. For the sake of this discussion, I'd like to disable all SSLv3 on AS ABAP and AS Java. Vulnerability scans have turned up the following ports:
5XX14 - HTTPS Start Service
443XX - HTTPS for ABAP ICM
5XX01 - HTTPS Dispatcher for Java
In summary, I'd like suggestions on how to disable SSLv3 (only run TLS) on the following platforms:
I look forward to your thoughts.
POODLE Discussion threads I have found:
Relevant OSS Notes I've seen discussed:
10-29-2014 2:27 PM
So far on AS ABAP HTTPS ICM (NetWeaver 7.0 and maybe 7.3 as well?), setting the profile parameter "ssl/ciphersuites = 129:HIGH" in RZ10 has worked. This may also work in AS JAVA HTTPS Dispatcher (NetWeaver 7.3).
11-06-2014 12:49 PM
Hi Phillip
I have been reading your posting with interest. I can see that OSS Note provides the solution for AS ABAP.
This change means that all communications will use TLS. Did you experience any problems? I am also interested to know what you found out about the Java stack. We are running PI Dual Stack and PO Single Stack, so this is very interesting.
Regards
Rob Warde
11-10-2014 9:08 PM
Hi Philip,
I am working on the SAP PO Single Stack. It will be of great assistance if there are any details of the TLS configuration for the PO server, as you have provided for the Dual Stack.
11-10-2014 9:56 PM
It seems that adding "ssl/ciphersuites = 129:HIGH" to the profile (you pick: Default, Instance, etc.) takes care of the following circumstances:
11-12-2014 7:57 AM
Hi Phillip,
SAP released OSS Notes for this yesterday with the solution for ABAP/Java/HANA.
It's updated my last comment here.
Best regards,
Andy.
11-12-2014 1:41 PM
I will copy/paste here for convenience. Thanks, Andy.
POODLE
Today the POODLE resolution OSS Note has been published:
2089135 - Upgrade OpenSSL to resolve the POODLE issue with the SSL 3.0 protocol
and supporting Notes:
SAP Note 2092630 – Turning off SSLv3 on SAP NETWEAVER AS ABAP and AS JAVA, and on SAP HANA XS
SAP Note 2089135 – Upgrade OpenSSL to resolve the POODLE issue with the SSL 3.0 protocol
SAP Note 2083444 – Impact of the POODLE vulnerability on SAP BusinessObjects software
Best regards,
Andy.
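
A way to confirm the outcome of the changes discussed in this thread, as an added example that is not part of any post or SAP Note: it sends a hand-built SSL 3.0 ClientHello (many current TLS libraries can no longer speak SSLv3) and reports whether the server answers with an SSLv3 ServerHello. Assumptions: XX in the port patterns from the first post is the two-digit instance number, and all function names are made up for this example.

```python
import os
import socket
import struct
import sys

SSL3 = b"\x03\x00"  # protocol version bytes for SSL 3.0

def sap_ports(instance):
    """Ports from the first post (5XX14, 443XX, 5XX01); XX = instance number (assumed)."""
    return [int(f"5{instance}14"), int(f"443{instance}"), int(f"5{instance}01")]

def build_sslv3_client_hello(suites=(0x002F, 0x0035, 0x000A, 0x0005)):
    """Minimal SSL 3.0 ClientHello record offering a few common RSA suites."""
    body = SSL3 + os.urandom(32) + b"\x00"           # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                               # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify_reply(data):
    """Interpret the first record the server sent back after the SSLv3 hello."""
    if len(data) < 5 or data[0] == 0x15:              # connection closed, or TLS alert
        return "refused"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:
        # ServerHello: server_version sits right after the 4-byte handshake header
        return "sslv3-accepted" if data[9:11] == SSL3 else "unexpected"
    return "unexpected"

def probe(host, port, timeout=5.0):
    """Return 'sslv3-accepted', 'refused', 'unexpected' or 'unreachable'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with sock:
        try:
            sock.sendall(build_sslv3_client_hello())
            data = sock.recv(4096)
        except OSError:                               # reset or timeout after the hello
            data = b""
    return classify_reply(data)

if __name__ == "__main__":
    host, instance = sys.argv[1], sys.argv[2]         # e.g. saphost.example 00
    for port in sap_ports(instance):
        print(f"{host}:{port} -> {probe(host, port)}")
```

A port that still reports `sslv3-accepted` after the profile change and restart has not picked up the setting.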