This blog post covers TLS specifics, the benefits of TLS 1.3, and the newly added support for the encryption protocol in SAP BTP announced in the June update.
Now, TLS 1.3 Support for Cloud Foundry Platform Domains
This is a reminder that TLS 1.3 is planned to be enabled for platform domains in the SAP BTP, Cloud Foundry environment on June 15, 2023. TLS 1.2 remains as a fallback option.
For custom domains, the configuration is not adjusted from the platform side; TLS 1.3 must be enabled in the custom domain configuration, see Manage TLS Configurations.
For detailed information see SAP Note 3308931.
In the transition period until TLS 1.3 is enabled in June, you can verify your clients by connecting them to our test application for which TLS 1.3 is enabled:
What is TLS? Transport Layer Security encryption explained in plain English
How TLS, digital certificates, and sessions help keep communications secure
Almost all modern-day webpages, plus many desktop and mobile applications, use the HTTPS protocol to secure communication from the client to the server and vice versa. The S in HTTPS stands for Secure and implies that the data is transferred not in plain text but in encrypted form.
The encryption in HTTPS is achieved by using a cryptographic protocol named Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). The idea is to prevent an intermediary from sniffing packets in transit and obtaining sensitive data (like usernames, passwords, financial data, personal content, etc.): cryptographic encryption ensures that all data is unreadable for third parties.
There is widespread support for TLS versions TLS 1.2 (in use since 2008) and TLS 1.3 (released in August 2018), which are considered the standard for building a secure application. Older versions of TLS (TLS 1.0 and TLS 1.1) were discontinued in 2019 and, alongside the obsolete versions of SSL (SSL 2.0 and SSL 3.0), are considered insecure.
If you are deploying an application today and wondering which TLS version you should use, go for TLS 1.3! The latest version of TLS has significant improvements such as:
- Faster and simpler TLS handshake – In older TLS versions, the TLS handshake was carried out in plain text, introducing additional steps for encryption and decryption. With version 1.3, the server certificate is encrypted by default, which lowers the number of packets needed for a successful handshake from 5-7 to 0-3.
- Better latency with Zero Round-Trip Time (0-RTT) key exchanges – The TLS 1.3 specification allows the client to send application data to the server immediately after the ClientHello message, with zero round-trip time; that data is referred to as 0-RTT data. TLS 0-RTT (also known as “TLS early data”) is a method of lowering the time to first byte on a TLS connection. A full TLS 1.3 handshake requires only one round trip (1-RTT), where TLS 1.2 and below required two.
- More secure cryptographic ciphers – Version 1.3 supports only five cipher suites (compared to over 58 suites in TLS 1.2). Only cipher suites providing Perfect Forward Secrecy are supported, while vulnerable algorithms and ciphers are removed. Some of the ciphers supported in TLS 1.2 are no longer considered secure, which means that you need to take note of them as well: not all TLS 1.2 connections are guaranteed to be secure.
In conclusion, TLS 1.3 provides better handshake performance, improved latency and more robust security.
How to Check the TLS Version of your BTP CF Application
Screenshot: TLS 1.3 enabled
Screenshot: TLS 1.3 disabled; TLS 1.2 is running for this application
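As an added example that is not part of the original post or of SAP's own tooling, the following Python script checks an endpoint the same way the screenshots above do, but from the command line: it handshakes three times with a pinned protocol range and reports whether TLS 1.3 is negotiated, whether the TLS 1.2 fallback still works, and whether deprecated versions are rejected. The host name is a placeholder you supply (your application's platform or custom domain, or the TLS 1.3 test application mentioned earlier).

```python
"""Probe a TLS endpoint with pinned protocol ranges and summarise the result."""
import socket
import ssl


def negotiate(host, port=443, min_version=ssl.TLSVersion.TLSv1_2,
              max_version=ssl.TLSVersion.TLSv1_3, timeout=5.0):
    """Handshake with host, offering only versions in [min_version, max_version].

    Returns the negotiated version string (e.g. 'TLSv1.3'), or None when no
    handshake in that range completed (server refused the range, the local
    OpenSSL build cannot offer it, or the connection itself failed).
    """
    ctx = ssl.create_default_context()  # verifies the server certificate chain
    try:
        ctx.minimum_version = min_version
        ctx.maximum_version = max_version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (OSError, ValueError):  # ssl.SSLError is a subclass of OSError
        return None


def assess(tls13_only, tls12_only, legacy_only):
    """Turn three forced-version probe results into human-readable findings."""
    findings = []
    findings.append("TLS 1.3 enabled" if tls13_only == "TLSv1.3"
                    else "TLS 1.3 disabled")
    findings.append("TLS 1.2 fallback available" if tls12_only == "TLSv1.2"
                    else "TLS 1.2 not negotiated")
    # Older protocol versions should never be accepted; anything other than
    # a refused handshake here is worth investigating.
    findings.append("TLS 1.0/1.1 rejected" if legacy_only is None
                    else f"WARNING: deprecated {legacy_only} accepted")
    return findings


def check_endpoint(host, port=443):
    """Run the three probes against one endpoint and return the findings."""
    v = ssl.TLSVersion
    return assess(negotiate(host, port, v.TLSv1_3, v.TLSv1_3),
                  negotiate(host, port, v.TLSv1_2, v.TLSv1_2),
                  negotiate(host, port, v.TLSv1, v.TLSv1_1))


if __name__ == "__main__":
    # Placeholder host: replace with your application's domain.
    for finding in check_endpoint("your-app.example.com"):
        print(finding)
```

Run it before and after the June 15 cutover: a healthy result lists TLS 1.3 enabled, TLS 1.2 fallback available and TLS 1.0/1.1 rejected.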