Some years ago SAP deprecated the SAPCRYPTOLIB and introduced the CommonCryptoLib (CCL) as its successor. The CCL is not only a replacement for its predecessor but also for OpenSSL, which was used for example by SAP HANA in its early days (and up to SAP HANA 2.0 SPS01 for LDAP).
In the meantime the CCL is available in its latest version 8.5.x and is used by many SAP components. Some examples are:
- SAP Host Agent,
- SAP Instance Agent,
- SAP NetWeaver AS ABAP,
- SAP NetWeaver AS Java,
- SAP HANA,
- SAP Web Dispatcher,
- various Kernel Tools (saphttp, sldreg, sapkprotp, sapcontrol, saphostcontrol, etc.)
- SAP Java Connector (SAP JCo)
- SAP Connector for Microsoft .NET 3.0 (SAP NCo)
All of these components have one thing in common: They make use of one or more communication protocols (e.g., HTTP, P4, IIOP, JDBC, LDAP) which nowadays should be secured using TLS (Transport Layer Security).
Since the main browser vendors decided to no longer support some TLS versions, every admin dealing with web applications had to learn at least in the recent months about the different TLS versions out there.
Some of the TLS versions are existing for more than 20 years and can be considered as weak. For example TLS 1.0 and TLS 1.1 have finally been flagged as deprecated by IETF (see rfc8996, which took them btw more than two and a half years (see https://datatracker.ietf.org/doc/rfc8996/history/).
And others are the new kids on the block like TLS 1.3 and ETS (formerly known as eTLS). They are so “fresh” that they aren’t supported in all products, yet.
Today, the version which can be considered as widely supported is TLS 1.2.
Cipher suites define a set of algorithms that usually contain a key exchange algorithm, a Signature, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.
Not every cipher suites can be combined with every TLS protocol version.
And to cause even more confusion there are different notations on cipher suites: IANA naming vs. OpenSSL naming.
Please note: A comprehensive overview about all available cipher suites, TLS version support and a security classification can be found at https://ciphersuite.info/cs/.
Technical background on the CCL integration
SapSSL is the high-level protocol handler of the SAP Kernel and its components.