SAP Knowledge Base Article - Public

2092680 - SAP Crystal Reports, Salesforce.com and SSL vulnerability

Symptom

  • Salesforce.com announced disabling SSL 3.0 encryption.
    For reference, see the Salesforce Knowledge Article Number 000206013
        
  • How is it going to affect Crystal Reports connectivity to Salesforce.com?

Environment

  • SAP Crystal Reports 2008
  • SAP Crystal Reports 2011
  • SAP Crystal Reports 2013
  • SAP Crystal Reports 2016
          
  • Salesforce.com

Cause

  • On October 15, 2014, Google researchers published details of a security vulnerability (CVE-2014-3566), also known as “POODLE,” that affects the Secure Sockets Layer (SSL) 3.0 encryption protocol and may allow a man-in-the-middle attack to extract data from secure HTTP connections. For this security reason, Salesforce.com decided to disable SSL 3.0.

Resolution

  • For Crystal Reports 2013, 2016:
    • SAP Crystal Reports 2013 and 2016 use the Simba Salesforce ODBC driver to connect to Salesforce.com.
    • Simba confirmed that the ODBC driver does not rely on SSL 3.0, so the driver is not affected.
                   
          
  • For Crystal Reports 2008, 2011:
    • Crystal Reports 2008 and 2011 use a Java-based driver to connect to Salesforce.com. The driver runs on JDK 1.5 and 1.6, which support both SSL 3.0 and TLS 1.0. Therefore, it is possible to switch to TLS 1.0 encryption.
    • If you have any concerns about security, it is possible to disable SSL 3.0 by setting the JVM option -Dhttps.protocols to TLSv1 in the registry. Below is an example of how to change the registry key for Crystal Reports 2011 installed on 64-bit Microsoft Windows:
      1. Open the Microsoft Registry Editor
      2. Go to the following path:
          
             HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SAP BusinessObjects\Suite XI 4.0\Crystal Reports
             
      3. Edit the entry: JVMOptions, and set the value to: TLSv1
            
             "JVMOptions" = "-Dhttps.protocols=TLSv1"
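
One way to check and apply the registry change above from PowerShell, as an added example that is not part of the SAP article. It assumes JVMOptions may already hold other JVM options and preserves them; the helper name Merge-HttpsProtocols and the -Apply switch are hypothetical.

```powershell
# Added example (not SAP's script). The key path and value name are the ones
# given in this article; run from an elevated PowerShell session.
# Without -Apply the script only reports what it would write.
param([switch]$Apply)

$KeyPath   = 'HKLM:\SOFTWARE\Wow6432Node\SAP BusinessObjects\Suite XI 4.0\Crystal Reports'
$ValueName = 'JVMOptions'
$Wanted    = '-Dhttps.protocols=TLSv1'

# Hypothetical helper: replace an existing -Dhttps.protocols token or append
# one, leaving every other JVM option in the string untouched.
function Merge-HttpsProtocols {
    param([string]$Current, [string]$Option)
    $pattern = '(?<!\S)-Dhttps\.protocols=\S*'
    if ($Current -cmatch $pattern) {
        return [regex]::Replace($Current, $pattern, $Option)
    }
    return ("$Current $Option").Trim()
}

if (-not (Test-Path -LiteralPath $KeyPath)) {
    Write-Error "Registry key not found: $KeyPath"
    return
}

# A missing JVMOptions value is treated as an empty string.
$current = [string](Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
$updated = Merge-HttpsProtocols -Current $current -Option $Wanted

Write-Output "Current $ValueName : '$current'"
if ($updated -ceq $current) {
    Write-Output 'No change needed: https.protocols is already TLSv1.'
}
elseif ($Apply) {
    Set-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value $updated
    $check = (Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName).$ValueName
    Write-Output "Written  $ValueName : '$check'"
}
else {
    Write-Output "Would write       : '$updated' (re-run with -Apply)"
}
```

Save it as a .ps1 file and run it once without -Apply to review the planned value before writing it.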

Keywords

Secure Socket layer, POODLE, SSLv3, TLSv1, HTTP, HTTPS, SFDC , KBA , crystal reports , vulnerability , ssl , salesforce.com , sfdc , BI-RA-CR , Crystal Reports designer or Business View Manager , Problem

Product

Crystal Reports 2008 V1 ; SAP Crystal Reports 2011 ; SAP Crystal Reports 2011, feature pack 03