Channel: SCN: Message List - Security

Re: SAP, OpenSSL, and Heartbleed

Based on this note 1633459 ADS uses OpenSSL. It still might not be vulnerable. I don't think it uses OpenSSL for TLS. I think it uses it as a crypto library for signing PDFs. But again, pure...



Re: User XYZ has no authorization for tp command IMPORT

I suggest extra troubleshooting:
- does this happen for all users, or only one? Who are the users for which it works? What is different about them?
- note that SAP_ALL is famous for not including "all"...



Re: remote host supports the use of SSL ciphers that offer weak encryption

Hi, according to the note, the following ciphers are related to the different levels:   Category  Position        Name of SSLciphersuite  -----------------------------------------------------------...


Re: SAP, OpenSSL, and Heartbleed

Yes, that's right, I meant Adobe Document Services.


Re: SAP, OpenSSL, and Heartbleed

An even more comprehensive test, for all sorts of SSL configuration issues, not just Heartbleed vulnerability, is at Qualys SSL Labs - Projects / SSL Server Test.  However, neither one of these is easy...



Re: SAP, OpenSSL, and Heartbleed

Thanks.  It's good to see SAP is responding to something about this, although this still doesn't answer the question about sapcryptolib and common-cryptolib used in the core ABAP and J2EE products.  I...


Re: SAP, OpenSSL, and Heartbleed

Using a Python script found at heartbleed-masstest/ssltest.py at master · musalbas/heartbleed-masstest · GitHub I was able to test for vulnerability in our internal SRM and ECC systems, as well as our...


Re: SAP, OpenSSL, and Heartbleed

Hi, I just tested that script and it seems to be working fine. I simply changed port number from 443 to something else and it works. E.g. s.connect((domain, 8300)) Unfortunately, I do not have access...



Re: SAP, OpenSSL, and Heartbleed

Odd.  When I changed the port, it told me my servers had "No SSL," which I knew to be incorrect.  I'll give it another shot.



Re: SAP, OpenSSL, and Heartbleed

Self-respecting customers will have a SAP webdispatcher between the internet component and the backend port. I think that is foxing your attempts based on expected https ports. Frank Koehntopp also...


Re: SAP, OpenSSL, and Heartbleed

From a risk perspective, you can still have a lot more "success" with external SAP ITS, partner connections and webdynpros/webguis than heartbleed IMO.

Cheers,
Julius


Re: SAP, OpenSSL, and Heartbleed

True.  In my case, I am trying to test internal systems for which I am the system administrator.  If there's anyone with a right to test them, it's me.  I have also been involving our internal network...


Re: SAP, OpenSSL, and Heartbleed

Thanks, Stephan, that's what we've been looking for!


Remove multiple roles from multiple users.

I want to remove multiple roles from multiple users, but there is also a condition: not all roles exist in all users. In some users, one or two or more roles do not exist. So give...


Re: minimum Authorization SAP user to extract data using sap connector

That might be a good idea as you are now referring to the specifics of the data and not general rfc access without mentioning what the application is attempting to do.



Re: SAP, OpenSSL, and Heartbleed

By uncommenting the various 'print' messages in the script, and ultimately using the original script, unmodified, which allows interactive testing with any tcp port of one host at a time, I figured out...


Re: SAP, OpenSSL, and Heartbleed

Allaine, You left out an important part of Note 2003582, "Default Tomcat provided by SAP with SAP Business Intelligence products  is not affected by this issue, unless customers explicitly enable SSL...



Re: SAP, OpenSSL, and Heartbleed

Another good case for a SAP webdispatcher in between which is hardened and terminates the SSL. Server side SSL in dmz or server zone is not seen. That has always been SAP's recommendation. If the...


Re: SAP, OpenSSL, and Heartbleed

That might not always be feasible. PCI requires end to end encryption when you are transferring card details. HIPAA might have similar requirements. Also assuming that web dispatcher implementation...


Re: SAP, OpenSSL, and Heartbleed

Hi Sean, I didn't leave out anything when I mentioned that statement (see screenshot).  Please note that at that time the latest version of the note was 3.  SAP had modified it since then and is...
