Jay Guillette

SSL protocols, RC4 Ciphers and Authentication Manager

Blog Post created by Jay Guillette Employee on Feb 27, 2017

Authentication Manager supports various SSL protocols such as TLS versions 1.1, 1.0, and 1.2, aka TLS1_0, TLS1_1 and TLS1_2 at specific versions of Authentication Manager, but also supports limiting or blocking some of these protocols, especially the older ones. RSA  also stopped support for ciphers that use RC4 algorithms in Authentication Manager 8.2.  

 

Customers are trying to figure out if they need to enforce strict TLS1_2 mode in order to gain support for TLSv1.2, in Authentication Manager, the Self-Service Console, on the Web Tiers, as well as with integrations with API tools like Authentication Manager Prime and Authentication Manager Integration Service (AMIS).  This would also affect SecurID software token distributions to Apple iOS devices since the new App Transport Security (ATS) feature was released in January 2017 that requires SSL connections, such as CT-KIP, to use only TLSv1.2 with SHA2 signed certificates.

 

Secure Sockets Layer (SSL) is a protocol developed by Netscape for transmitting private documents via the internet. It is based in part on asymmetric keys and the Public Key Infrastructure (PKI) so that more efficient symmetric keys can securely be exchanged.

 

SSL negotiation

 

In general and as you would expect, older protocols, such as SSLv2 and SSLv3, are considered less secure or insecure, while newer protocols, such as TLSv1.2 are considered more secure.

 

There are two issues here:

  1. When or in what Authentication Manager version is a protocol supported or available
  2. When and how can older protocols be prevented

 

SSL supported versions

 

  • If you need support for TLS version 1.2 SSL protocol, then upgrade to at least Authentication Manager 8.1 SP1 P3
  • If you need to prevent SSL protocols that a less than TLSv1.2, you need to patch at least to Authentication Manager 8.1 SP1 P13 AND run the strict TLS1_2 enable script
  • If you need to prevent the use of RC4 ciphers, upgrade to at least Authentication Manager 8.2
  • When you have Apple iOS devices that use CT-KIP and App Transport Security has been implemented, you DO NOT need strict TLS.  You only need support for TLS (and SHA2 signed certificates).  See this blog post by Jeffrey Carpenter, RSA Product Marketing Manager, on ATTN: RSA SecurID Customers..Apple iOS ATS Issue and What to Do About It 

 

You enable strict TLS when your security scan flags insecure SSL protocols and your policy dictates they must be eliminated. Beware that there are implications when you do this.  For example, older Windows clients that do not support TLSv1.2 will not work, and this could affect RSA RADIUS in Authentication Manager 8.1 SP1.  If your scan flags insecure RC4 ciphers then plan your upgrade to Authentication Manager 8.2 to address that.


Some errors related to mismatch between SSL client and SSL server as to protocols or ciphers include the following;

ERR_SSL_PROTOCOL_ERROR
socket: Connection refused
connect:errno=111
This page can't be displayed
it is possible this site uses an unsupported protocol or cipher suite such as RC4

SSLv3 Record Layer: Alert (Level: Fatal, Description: Illegal Parameter)

SSL errors

 

See also:

Outcomes