I have a customer who wants to remove their vulnerability to (among other things) POODLE by getting rid of SSLv3 for communicating with external vendors via their PI system, by restricting traffic to using the TLS protocol.
Unfortunately, not all their External Partners can meet this requirement, so temporarily, they want to have SSLv3 traffic (where still necessary) over one port and TLS traffic over another. The plan is that there will also be fire wall rules restricting the IP addresses of "legacy partners" to the SSLv3 port. Following the instructions in 510007 - Setting up SSL on Application Server ABAP, they have installed SAPCRYPTOLIB version 5.5 and have set up the following configuration in DEFAULT.PFL:
* outgoing connections ssl/ciphersuites = 135:HIGH * * incoming connections - TLS only protocol icm/server_port_02 = PROT=HTTPS,PORT=443,SSLCONFIG=......... icm/ssl_config_02 = CIPHERS=135:HIGH:MEDIUM:+e3DES * * incoming connections - SSL protocol icm/server_port_01 = PROT=HTTPS,PORT=444,SSLCONFIG=......... icm/ssl_config_01 = CIPHERS=196:HIGH:MEDIUM:+e3DES *
So, what happens now is that f the External Partner attempts to initiate SSLv3 communications via port 443, then it fails. Yes, as currently setup, the External Partner can also initiate TLS communication over this port, but this is fine (for example, wireshark shows that the TLS protocol doesn't get downgraded to SSLv3).
The problem is that there is no way to control by port or customer whether outgoing connections are going to an SSLv3 or TLS only partner, so ssl/ciphersuites must allow for SSLv3 connections. This means that we can get a partner responding, over port 443, with the SSLv3 protocol without any error, thus allowing for an interception (ala POODLE).
Can we prevent SSLV3 traffic from succeeding over port 443, regardless of who initiates it ?