Problem: SSL handshake errors are logged in the dev_icm file despite correct ciphersuite settings
Solution: Always refer to SAP Note 510007 - Additional considerations for setting up SSL on Application Server ABAP for the correct settings.
- Check which protocols the client supports. In Chrome this can be seen in Developer Tools (Ctrl+Shift+I) under the Security overview.
- Check whether the ciphersuites configured on the SAP side support the client settings. This can be checked from the sapgenpse command line (sapgenpse tlsinfo <ciphersuite combination>).
- Upload the client's SSL certificates into the SSL client (Standard) PSE in STRUST.
- Check whether your client requires SNI.
Ensure the following parameters are set accordingly:
Recommended Configuration of Available TLS Protocol Versions (required for enabling TLSv1.2)
Over the course of 2016, a growing number of TLS servers were reconfigured to abort/reject TLSv1.0 handshakes, or to require forward secrecy (PFS) cipher suites for access. The currently recommended settings for TLSv1.2 interoperability are (requiring at least CommonCryptoLib 8.4.38, recommending at least 8.5.4):
ssl/ciphersuites = <your settings>
ssl/client_ciphersuites = <your settings>
icm/HTTPS/client_sni_enabled = TRUE --> This is usually the parameter that resolves the issue
ssl/client_sni_enabled = TRUE
Some servers (including servers hosted by content distribution systems such as CloudFront) are co-hosted with many other servers on a single IPv4 address and are accessible only when clients include the TLS extension server_name_indication (SNI) from RFC 6066 in their ClientHello handshake message. Sending TLS extensions is unfortunately not backwards compatible with a small but non-marginal set of old servers, so TLS extensions are not sent by default. For SAP NetWeaver 741+ kernels, sending of the TLS extension SNI can be enabled through profile parameter icm/HTTPS/client_sni_enabled starting with kernel patch 2124480. Sending of the TLS extension SNI as client can alternatively be enabled in 722 kernel patch number 223 and higher and 721 kernel patch number 921 and higher through profile parameter ssl/client_sni_enabled, see SAP Note 2384290.