Secure Sockets Layer (SSL) connections use a protocol, such as SSL ver. 3 or TLS ver. 1, and a cipher, such as RC4.
RSA Authentication Manager (AM) products generally:
- no longer use the older SSL ver. 2, aka SSL2
- still allow SSL v. 3, aka SSL3, unless disabled with AM SP1 P13, the TLS patch
- prefer or default to using TLS ver. 1, aka TLS1, starting with AM version 8.1 SP1 P2
One immediate problem with AM 8.1 SP1 P13 is that while the WebLogic Server embedded in AM supports TLS1_2, the openssl utility included in the SUSE Linux distribution does not. So if you use openssl to test or prove that the AM server works (and prevents other protocols such as SSL v. 3 or TLS v. 1), you have to test from another platform, not from the AM server itself.
This Knowledge Base (KB) article shows how to verify that the TLS 1.2 configuration is working correctly, and shows some useful testing and troubleshooting techniques using the openssl utility.
The openssl version command displays the version of your openssl distribution. An AM 8.1 SP1 P13 or earlier version of the SecurID appliance includes ver. 0.98, which does not support TLS1_2.
Many later versions of Red Hat or Ubuntu include a later version of openssl, v. 1.0.1.
You can force openssl s_client to request a specific protocol such as TLS v. 1.2 with the -tls1_2 switch. In this example, 192.168.2.30 is an AM 8.1 SP1 P13 SecurID appliance and :7004 is the Security Console and Self Service Console port:
openssl s_client -connect 192.168.2.30:7004 -tls1_2
You will get a syntax error (unknown option) with openssl v. 0.98 because TLS1.2 is not supported, so the -tls1_2 switch is not recognized. The same command with openssl version 1.0.1 or later works; the option is known and recognized.
You will see the protocol listed lower in the display.
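One way to script the check described above, as an added example that is not part of the original KB article or RSA's tooling: it forces each protocol in turn and reads the Protocol and Cipher lines from the s_client display. The function names and the use of the -ssl3 and -tls1 switches alongside the article's -tls1_2 are assumptions of this example, and the sample session text is constructed.

```shell
#!/bin/sh
# Added example (not RSA's code): report which protocols a server accepts.
# Usage: sh check_tls.sh 192.168.2.30:7004   (the article's sample target)

# Read `openssl s_client` output on stdin and print one of:
#   unsupported          local openssl does not know the protocol switch
#   accepted <protocol>  handshake completed and a cipher was negotiated
#   rejected             no cipher negotiated (refused, or connection failed)
classify_result() {
    out=$(cat)
    # Older builds print "unknown option -tls1_2"; newer ones vary the case.
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        echo unsupported
        return 0
    fi
    # The SSL-Session block "lower in the display" carries Protocol and Cipher.
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    case "$cipher" in
        ""|0000|"(NONE)") echo rejected ;;
        *) echo "accepted $proto" ;;
    esac
}

# probe HOST:PORT SWITCH -> classification of one forced-protocol handshake
probe() {
    openssl s_client -connect "$1" "$2" </dev/null 2>&1 | classify_result
}

# Constructed sample of a successful session block, for an offline self-check.
sample_ok() {
    printf '%s\n' 'SSL-Session:' '    Protocol  : TLSv1.2' \
        '    Cipher    : AES256-SHA'
}

if [ $# -ge 1 ]; then
    for sw in -ssl3 -tls1 -tls1_2; do
        printf '%-8s %s\n' "$sw" "$(probe "$1" "$sw")"
    done
else
    printf 'self-check: %s\n' "$(sample_ok | classify_result)"
fi
```

Run it from a platform whose openssl is 1.0.1 or later; a result of unsupported means the local openssl cannot test that protocol, not that the server refused it.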