This blog post shows an easy way to determine the supported outbound (client) cipher suites in PI / PO.
The key element is the internet tool "How's my SSL?" (https://www.howsmyssl.com/).
The trick is to set up a dummy ICO / IFlow with a receiver channel pointing to the API version of How's my SSL. It is easy to test using the send test message feature within PI / PO, but you can also use a synchronous sender channel (e.g. to call the interface with SoapUI).
Attached you can find a screenshot showing a dummy IFlow:
SOAP Receiver Channel:
Empty test message:
Result showing supported client cipher suites:
Attention: In PO version 7.31 SP17 the HTTP_AAE adapter does not seem to use the IAIK library. We implemented SAP note 2284059 and got this result:
{"given_cipher_suites":["TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
"TLS_EMPTY_RENEGOTIATION_INFO_SCSV"],
"ephemeral_keys_supported":true,
"session_ticket_supported":false,
"tls_compression_supported":false,
"unknown_cipher_suite_supported":false,
"beast_vuln":true,
"able_to_detect_n_minus_one_splitting":true,
"insecure_cipher_suites":{},
"tls_version":"TLS 1.0",
"rating":"Bad"}
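To turn a response like the one above into a list of concrete findings, the following added example (not part of the original post and not SAP code) parses the JSON and reports the weak points of the client configuration. The checks for forward secrecy, 3DES and AEAD are this example's own policy on top of the fields the service returns, and the embedded sample is a shortened copy of the result above.

```python
import json

# Shortened copy of the response shown above (commas restored, cipher list cut down).
SAMPLE = '''{"given_cipher_suites":["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA","TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA","TLS_EMPTY_RENEGOTIATION_INFO_SCSV"],
"ephemeral_keys_supported":true,"beast_vuln":true,"insecure_cipher_suites":{},
"tls_version":"TLS 1.0","rating":"Bad"}'''


def audit(response_text):
    """Return a list of findings for one How's my SSL API response."""
    data = json.loads(response_text)
    findings = []
    version = data.get("tls_version", "")
    if version not in ("TLS 1.2", "TLS 1.3"):
        findings.append(f"negotiated {version or 'unknown version'}, below TLS 1.2")
    if data.get("beast_vuln"):
        findings.append("beast_vuln is true")
    for suite, reasons in data.get("insecure_cipher_suites", {}).items():
        findings.append(f"{suite} flagged by the service: {reasons}")
    # SCSV entries are signalling values, not real cipher suites.
    suites = [s for s in data.get("given_cipher_suites", []) if not s.endswith("_SCSV")]
    # Only names containing _WITH_ encode a key exchange; TLS 1.3 names do not.
    no_fs = [s for s in suites
             if "_WITH_" in s and not s.startswith(("TLS_ECDHE_", "TLS_DHE_"))]
    triple_des = [s for s in suites if "_3DES_" in s]
    aead = [s for s in suites if "_GCM_" in s or "CHACHA20" in s or "_CCM" in s]
    if no_fs:
        findings.append(f"{len(no_fs)} suite(s) without forward secrecy: {', '.join(no_fs)}")
    if triple_des:
        findings.append(f"{len(triple_des)} 3DES suite(s): {', '.join(triple_des)}")
    if suites and not aead:
        findings.append("no AEAD (GCM/CCM/ChaCha20) suite offered")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE):
        print("-", line)
```

Running the same function on the response captured after a patch or configuration change makes it easy to see which findings disappear.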
Further details about IAIK and TLS 1.2 can be found in this previous blog post: Outbound support for TLS 1.1/1.2