Symptom
- Deprecated encryption
Currently the encryption protocol used (SSL 1, SSL2, TLS) depends on which one the server supports, and the highest version available is negotiated.
We have the requirement to enforce at least TLS on the client side, even if an undetected man-in-the-middle attacker succeeds in making it appear that the server only supports SSL1 or SSL2.
- Certificate pinning
Currently the default OS mode is used to verify the validity of the server certificate: certificate chain validation as per RFC 5280.
That easily allows man-in-the-middle attacks by anyone who holds a trusted, signed certificate.
Instead, our requirement is to have a mechanism available, when using OData requests, which verifies on SMP whether the requested server
uses a specific known certificate, which has been sent to the app via a secure channel or has been provided with the app bundle as a resource.
The way of delivery is not relevant, but the validation against a certificate (as supposed to exist in the app bundle)
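As an added illustration (not part of the SAP article and not SAP Mobile SDK code), the following Python script shows the two client-side controls the symptom asks for: a TLS context that refuses anything below TLS 1.2 no matter what the server side claims to support, and pinning of the server's leaf certificate against a SHA-256 fingerprint that the app carries with it. The `PINNED_CERT_SHA256` constant, the host name and the port are placeholders; the pin check is layered on top of the normal RFC 5280 chain and hostname validation, not used instead of it.

```python
import hashlib
import hmac
import socket
import ssl

# Placeholder (constructed): replace with the hex SHA-256 fingerprint of the
# DER-encoded server certificate shipped in the app bundle or delivered to
# the app over a secure channel.
PINNED_CERT_SHA256 = "00" * 32


def build_client_context() -> ssl.SSLContext:
    """Client context that still performs chain and hostname validation but
    refuses any protocol version below TLS 1.2, so a downgrade to SSL2/SSL3
    or TLS 1.0/1.1 offered by an interposed party fails the handshake."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def enforces_tls12(ctx: ssl.SSLContext) -> bool:
    """True when the context will not negotiate anything older than TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def cert_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 over the raw DER certificate, the value that gets pinned."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize_pin(pin: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...' spellings of the same fingerprint."""
    return pin.replace(":", "").strip().lower()


def matches_pin(der_cert: bytes, pinned_hex: str) -> bool:
    """Constant-time comparison of the presented leaf certificate against
    the pinned fingerprint."""
    return hmac.compare_digest(cert_fingerprint(der_cert), normalize_pin(pinned_hex))


def open_pinned_connection(host: str, port: int, pinned_hex: str) -> ssl.SSLSocket:
    """Connect with the hardened context, then reject the session if the
    server's leaf certificate is not the one the app knows about, even when
    it chains to a CA the OS trusts."""
    ctx = build_client_context()
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)
        if der is None or not matches_pin(der, pinned_hex):
            raise ssl.SSLError("server certificate does not match the pinned fingerprint")
        return tls
    except Exception:
        tls.close()
        raise


if __name__ == "__main__":
    # Placeholder endpoint; with the placeholder pin above this is expected to fail.
    try:
        with open_pinned_connection("smp.example.invalid", 8081, PINNED_CERT_SHA256) as s:
            print("pinned connection established:", s.version())
    except (OSError, ssl.SSLError) as exc:
        print("connection rejected:", exc)
```

Pinning the whole leaf certificate, as the symptom describes, means every certificate renewal requires shipping a new pin to the app; keep a second, not-yet-deployed certificate pinned alongside the active one so a rotation does not lock clients out.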
Environment
- SAP Mobile Platform (SMP) 3.0 SP06
- SAP Mobile SDK 3.0 SP07
Product
SAP Mobile Platform 3.0
Keywords
KBA, tls, v1.2, encryption, api, certificate, MOB-SDK, SAP Mobile SDK, Problem
About this page
This is a preview of an SAP Knowledge Base Article; the full version is available on SAP for Me (login required).