Sunday, 02 May 2021 21:32

CommonCryptoLib: TLS protocol versions and cipher suites

Written by Johannes Goerlich
Rate this item
(0 votes)
“© 2020. SAP SE or an SAP affiliate company. All rights reserved.” “Used with permission of SAP SE”

Some years ago SAP deprecated the SAPCRYPTOLIB and introduced the CommonCryptoLib (CCL) as its successor. The CCL is not only a replacement for its predecessor but also for OpenSSL, which was used for example by SAP HANA in its early days (and up to SAP HANA 2.0 SPS01 for LDAP).

In the meantime the CCL is available in its latest version 8.5.x and is used by many SAP components. Some examples are:

  • SAP Host Agent,
  • SAP Instance Agent,
  • SAP NetWeaver AS ABAP,
  • SAP NetWeaver AS Java,
  • SAP Web Dispatcher,
  • various Kernel Tools (saphttp, sldreg, sapkprotp, sapcontrol, saphostcontrol, etc.)
  • SAP Java Connector (SAP JCo)
  • SAP Connector for Microsoft .NET 3.0 (SAP NCo)

All of these components have one thing in common: They make use of one or more communication protocols (e.g., HTTP, P4, IIOP, JDBC, LDAP) which nowadays should be secured using TLS (Transport Layer Security).

Protocol versions

Since the main browser vendors decided to no longer support some TLS versions, every admin dealing with web applications had to learn at least in the recent months about the different TLS versions out there.
Some of the TLS versions are existing for more than 20 years and can be considered as weak. For example TLS 1.0 and TLS 1.1 have finally been flagged as deprecated by IETF (see rfc8996, which took them btw more than two and a half years (see
And others are the new kids on the block like TLS 1.3 and ETS (formerly known as eTLS). They are so “fresh” that they aren’t supported in all products, yet.

Please note: As of SAP notes 2765639 in AS ABAP, SAP note 2834475 in AS Java and SAP note 2939945 in SAP BusinessObjects BI Platform 4.x TLS 1.3 is currently not supported.

Today, the version which can be considered as widely supported is TLS 1.2.

Cipher suites

Cipher suites define a set of algorithms that usually contain a key exchange algorithm, a Signature, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.

Not every cipher suites can be combined with every TLS protocol version.

And to cause even more confusion there are different notations on cipher suites: IANA naming vs. OpenSSL naming.

Please note: A comprehensive overview about all available cipher suites, TLS version support and a security classification can be found at

Technical background on the CCL integration

SapSSL is the high-level protocol handler of the SAP Kernel and its components.

Continue reading here
Read 73 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.