Symptom
As part of our commitment to continuous improvement and to following industry best practices, we plan to configure our servers to support the latest protocol versions, so that only the strongest algorithms and ciphers are used. Equally important is disabling the older versions. Continuing to support old protocol versions can leave our systems vulnerable to downgrade attacks, where attackers force connections to our servers onto older protocol versions that have known exploits. This can leave the encrypted connections (whether between a site visitor and your web server, machine to machine, etc.) open to man-in-the-middle and other types of attacks.
Environment
SAP Cloud for Customer
Resolution
Scope
Disabling the TLSv1.0 and TLSv1.1 protocols for inbound communication scenarios to C4C, and disabling the cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA for inbound communication scenarios.
Why are we disabling TLSv1.0 and TLSv1.1?
The reason that TLSv1.0 and TLSv1.1 are considered unsafe is that they make use of outdated algorithms and cryptosystems that have been found vulnerable, such as SHA-1 and MD5. They also lack modern features like perfect forward secrecy and are susceptible to downgrade attacks.
Scenarios to check
1. Browser settings - Check whether TLSv1.2 is enabled.
2. Connectivity from SAP CPI to C4C - No action to be taken, as SAP CPI already supports TLSv1.2.
3. Connectivity from SAP PI/ERP to C4C - Follow the details in the FAQ section below to enable TLSv1.2 in your system if this has not been done already.
Frequently Asked Questions
a) What is TLSv1.0 and TLSv1.1?
Transport Layer Security (TLS) is a standard protocol that is used to provide secure web communications on the Internet or intranets. It enables clients to authenticate servers or, optionally, servers to authenticate clients. It also provides a secure channel by encrypting communications. TLS is the successor to the Secure Sockets Layer (SSL) protocol.
b) Which protocols are supported currently when C4C is in Server role?
TLSv1.0, TLSv1.1, TLSv1.2
c) After disabling TLSv1.0 and TLSv1.1, which protocols are supported by C4C in server role?
TLSv1.2
d) Which cipher suites will be supported by C4C in server role?
TLS_ECDHE_RSA_WITH_AES128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES256_CBC_SHA
e) Settings to enable/check if TLSv1.2 is enabled in your SAP system which communicates with C4C
Check the parameter ssl/client_ciphersuites in your SAP system and see whether the value defined for it enables the TLSv1.2 protocol. If yes, the connection will continue to work after TLSv1.0 and TLSv1.1 are disabled at C4C. If your system supports only TLSv1.0 and TLSv1.1, enable the TLSv1.2 protocol by following SAP Note 510007.
f) How to check the supported protocol and cipher suites of your SAP system that communicates with C4C (inbound scenarios to C4C)?
Run the following command on your SAP Web Dispatcher or application server, whichever is communicating with C4C → sapgenpse tlsinfo -c <parameter value defined in ssl/client_ciphersuites>
g) How to check the supported protocol and cipher suites of your Non-SAP systems?
There are external sites where you can check which protocols and cipher suites are supported by your system/URL.
h) What is the impact of not enabling TLSv1.2 in your systems that are connecting to C4C (Inbound scenarios to C4C)?
Inbound connections to C4C will not work and communication breaks.
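As an added example (not part of this KBA and not an SAP tool), the Python script below encodes the C4C server-side policy from FAQ c) and d) and checks a connecting system's scan results (e.g. the output of sapgenpse tlsinfo or an external scanner, copied into a list) against it, which answers FAQ h) for a given system before the change is made. The sample client profiles are constructed, and probe_server is a helper name chosen here; it pins a live handshake to one TLS version for verifying an endpoint afterwards.

```python
import socket
import ssl

# C4C server-side policy after the change, from FAQ c) and d) of this KBA
# (SAP suite naming, e.g. AES128 rather than AES_128).
C4C_PROTOCOLS = {"TLSv1.2"}
C4C_CIPHERS = {
    "TLS_ECDHE_RSA_WITH_AES128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES256_CBC_SHA",
}


def assess_client(protocols, ciphers):
    """Check a connecting system's supported protocols and suites (e.g. from
    'sapgenpse tlsinfo' or an external scanner) against the C4C policy.
    Returns (will_connect, common_suites, dropped_suites); a handshake needs
    TLSv1.2 and at least one suite both sides accept."""
    common = set(ciphers) & C4C_CIPHERS
    dropped = set(ciphers) - C4C_CIPHERS
    will_connect = bool(set(protocols) & C4C_PROTOCOLS) and bool(common)
    return will_connect, sorted(common), sorted(dropped)


def probe_server(host, port=443, version=ssl.TLSVersion.TLSv1_2, timeout=5):
    """Hypothetical helper: one live handshake pinned to a single TLS version.
    Returns (negotiated_version, openssl_cipher_name) or None on failure.
    A None for TLSv1.0/1.1 can also mean the local OpenSSL build refuses
    those versions, so confirm against the server configuration as well."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


# Constructed sample scan results: a legacy system still on TLSv1.0/1.1 with
# 3DES, and a current system that also offers TLSv1.2 with an ECDHE suite.
LEGACY = (["TLSv1.0", "TLSv1.1"],
          ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES128_CBC_SHA"])
CURRENT = (["TLSv1.1", "TLSv1.2"],
           ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES256_GCM_SHA384"])
```

Calling assess_client(*LEGACY) reports that the legacy system will not connect and that both of its suites are dropped, while assess_client(*CURRENT) connects over the single ECDHE suite both sides share.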
Keywords
KBA , tls 1.0 , tls 1.1 , tls 1.2 , LOD-CRM-INT-ERP , Integration of C4C with ERP , Problem