Transport Layer Security is used for web traffic. TLS v1.3 is a modern way of implementing this. It is safer and faster than the older TLS v1.2.
| Aspect | TLS 1.2 | TLS 1.3 |
|---|---|---|
| Year standardized | 2008 | 2018 |
| Handshake latency | 2 round trips (typically) | 1 round trip (or 0‑RTT) |
| Cryptographic algorithms | Many (incl. weak/legacy) | Only modern, secure algorithms |
| Forward secrecy | Optional | Mandatory |
| Security posture | Flexible but complex | Simpler, safer by design |
| Compatibility | Very wide | Requires modern stacks |
The problem with TLSv1.3 is that old infrastructure and applications still do not support it properly. Please be careful with testing when activating.
General SAP background notes:
- 3448964 – How-To probe a port for allowed TLS version
- 3727660 – What is the importance of adopting TLS 1.3?.
TLS v1.3 for ABAP
Background OSS notes:
- 3318423 – Is TLS 1.3 Supported by SAP Kernel for ABAP and SAP S/4HANA?
- 3346659 – TLS Ciphersuite String Configuration for SAP AS ABAP Systems and for SAP Kernel Software Components
- 3532801 – Support for TLS 1.3 — Downport for SAP AS ABAP Kernel
Do look at the regressions listed in OSS note 3318423 – Is TLS 1.3 Supported by SAP Kernel for ABAP and SAP S/4HANA? – SAP for Me. Most of them are fixed by applying latest kernel and/or crypto library update.
OSS note 3346659 – TLS Ciphersuite String Configuration for SAP AS ABAP Systems and for SAP Kernel Software Components contains section to enable TLS v1.3 next to TLS v1.2. This might be a good intermediate implementation step.
For some reasons there might be issues with custom code using HTTP_GET, HTTP_POST or similar. See OSS note 2582368 – SapSSL update for client-side sending of TLS extension SNI by saphttp, sapkprotp, sldreg. Workaround according to this note is to use HTTP2_GET and HTTP2_POST from function group SCMS instead.
TLS v1.3 for HANA
Background OSS notes:
- 3239829 – How to verify certification information in HANA server when you try to enable SSL/TLS connection
- 3309489 – SAP HANA support for TLS 1.3
- 3509026 – How to enable TLS 1.3 for all Hana ports
- 3616175 – TLS1.3 Cannot Be Enabled for HANA Internal Web Dispatcher
TLS v1.3 for other SAP products
TLS v1.3 support for other SAP products (list is not extensive, search on me.sap.com if your product is not yet in the list):
- Ariba: 3526671 – Deprecation of Weak TLS 1.2 Ciphers and Implementation of TLS 1.3 Support
- BO BI platform: 2939945 – Is TLS 1.3 supported with SAP BusinessObjects BI Platform 4.x / 2025?
- BTP general: 3435199 – TLS 1.3 Support for platform domains of the SAP BTP, Neo environment
- BTP CPI: 3330954 – FAQ: Rollout of TLS 1.3 for inbound to CPI connections on CF
- BTP cloud integration: 3525369 – FAQ: Rollout of TLS 1.3 for inbound to Cloud Integration connections on NEO
- BTP work zone: 3495355 – TLS 1.3 enabled for SAP Build Work Zone, all editions
- Cloud integration for data services: 3626277 – Rollout of TLS 1.3 for inbound communication to SAP Cloud Integration for data services
- Content server: 3405657 – What version of Content Server is available for TLS 1.3?
- Netweaver JAVA: 2834475 – Does SAP NetWeaver AS Java support TLS 1.3?
- SAP JVM: 3648994 – SAP JVM support for TLS 1.3
- Solution manager diagnostics agents: 3021677 – Diagnostics Agent TLS 1.3