I'm trying to eliminate the use of SSL 3.0 following the POODLE vulnerability disclosure. However, something is broken and I'm not sure how to un-break it. It might be a fundamental flaw.
I'm trying to request something from an HTTPS server. On this server, SSLv3 has been disabled. TLS 1.0, 1.1 and 1.2 are enabled. Weaker cipher suites are also disabled. CommonCryptoLib version 8.4.30 pl40 is installed on top of kernel 7.41 pl26. The configuration is quite well exposed here.
The problem is that when CL_HTTP_CLIENT makes the request - and the same happens testing an RFC connection created via SM59 - the following is dumped out into the ICM trace:
    *** ERROR during SecuSSL_SessionStart() from SSL_connnect()==SSL_ERROR_SSL
    session uses PSE file "E:\usr\sap\PDE\DVEBMGS00\sec\SAPSSLA.pse"
    SecuSSL_SessionStart: SSL_connnect() failed (536875072/0x20001040) => "SSL API error"
    >> Begin of Secu-SSL Errorstack >>
    0x20001040 SAPCRYPTOLIB SSL_connect
    SSL API error
    received a fatal SSLv3 handshake failure alert message from the peer
    0xa0600266 SSL ssl3_read_bytes
    received a fatal SSLv3 handshake failure alert message from the peer
    << End of Secu-SSL Errorstack
    SSL_get_state()==0x2120 "SSLv3 read server hello A"
    No certificate request received from Server
    SSL NI-hdl 331: local=10.10.20.9:50551 peer=37.128.189.157:443
    <<- ERROR: SapSSLSessionStart(sssl_hdl=00000000311F8560)==SSSLERR_SSL_CONNECT
    *** ERROR => SSL handshake with www.yesbadezimmer.de:443 failed: SSSLERR_SSL_CONNECT (-57)
    SAPCRYPTO:SSL_connect() failed [Thr 4832]
    SapSSLSessionStart()==SSSLERR_SSL_CONNECT
    SSL:SSL_connnect() failed (536875072/0x20001040) => "SSL API error"
    >> SecuSSL ErrStack:
    0x20001040 SAPCRYPTOLIB SSL_connect
    SSL API error
    received a fatal SSLv3 handshake failure alert message from the peer
    0xa0600266 SSL ssl3_read_bytes
    received a fatal SSLv3 handshake failure alert message from the peer
    <<
    SSL:SSL_get_state()==0x2120 "SSLv3 read server hello A"
    SSL NI-hdl 331: local=10.10.20.9:50551 peer=37.128.189.157:443
    cli SSL session PSE "E:\usr\sap\PDE\DVEBMGS00\sec\SAPSSLA.pse"
    Target Hostname="www.yesbadezimmer.de" [Thr 4832] {00080020} [icxxconn.c 2010]
Profile parameter ssl/ciphersuites is set to 129:HIGH and profile parameter ssl/client_ciphersuites is set to 128:HIGH. According to SAP Note 510007, this should mean that an SSL 2.0 CLIENT-HELLO is allowable for backwards compatibility reasons for inbound HTTPS connections, SSLv3 is disabled, TLS 1.0 is enabled, and only the cipher suites TLS_RSA_WITH_AES128_CBC_SHA and TLS_RSA_WITH_AES256_CBC_SHA are enabled for both inbound and outbound communication over HTTPS. SSL_RSA_WITH_3DES_EDE_CBC_SHA should be disabled because it requires SSLv3. Performing a scan against this server of the available cipher suites reveals a typographical error in the SAP Note, as actually SSL_RSA_WITH_3DES_EDE_CBC_SHA should read TLS_RSA_WITH_3DES_EDE_CBC_SHA.
The upshot of this is that, assuming the profile parameters are being correctly respected, no communication with HTTPS services should ever be attempted via SSL 3.0, but it clearly is trying it. Can anyone else replicate what I'm seeing here and/or does anyone have a workaround or fix for this issue? It's the line in the ICM trace stating that it "received a fatal SSLv3 handshake failure alert message from the peer" which is making me think that there's something fundamentally wrong here.
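Added example, not part of the original post: a packet capture of the failing connection shows which protocol version the handshake records actually carry, independent of the wording in the ICM trace. The Python sketch below decodes a TLS record header, the version offered in a ClientHello, and a plaintext alert; the function name and the sample bytes are constructed for illustration and are not taken from this system.

```python
import struct

# Version numbers as they appear on the wire (RFC 6101, 2246, 4346, 5246).
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure",
                      70: "protocol_version", 71: "insufficient_security"}


def decode_record(data: bytes) -> dict:
    """Decode one SSL/TLS record: header, plus alert or ClientHello details."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    info = {"record_version": VERSIONS.get(version, hex(version))}
    if ctype == 21 and length == 2:
        # Plaintext alert: one byte level, one byte description.
        # Alerts sent after ChangeCipherSpec are encrypted and longer.
        level, desc = body
        info.update(kind="alert",
                    level=ALERT_LEVELS.get(level, str(level)),
                    description=ALERT_DESCRIPTIONS.get(desc, str(desc)))
    elif ctype == 22 and length >= 6 and body[0] == 1:
        # Handshake type 1 = ClientHello: type(1) + length(3) + client_version(2).
        (offered,) = struct.unpack("!H", body[4:6])
        info.update(kind="client_hello",
                    offered_version=VERSIONS.get(offered, hex(offered)))
    else:
        info["kind"] = "other"
    return info


# Constructed sample: fatal handshake_failure alert in a TLS 1.0 record.
SAMPLE_ALERT = bytes.fromhex("15030100020228")
# Constructed sample: ClientHello cut off after the client_version field.
SAMPLE_HELLO = bytes.fromhex("1603010006010000020301")

if __name__ == "__main__":
    print(decode_record(SAMPLE_HELLO))
    print(decode_record(SAMPLE_ALERT))
```

The bytes to feed in are the first record the client sends and the alert record the peer returns, as shown in the capture's raw view.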