Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.1
Issue
Authentication Manager supports several SSL/TLS protocol versions, such as TLS 1.0, 1.1 and 1.2 (referred to as TLS1_0, TLS1_1 and TLS1_2), depending on the specific version of Authentication Manager. It also supports limiting or blocking some of these protocols, especially the older ones. In Authentication Manager 8.2 RSA also dropped support for ciphersuites that use the RC4 algorithm.
Customers are trying to determine whether they need to enforce strict TLS1_2 mode in order to gain TLSv1.2 support in Authentication Manager, the Self-Service Console and the Web Tiers, as well as in integrations with API tools such as Authentication Manager Prime and Authentication Manager Integration Service (AMIS). This also affects SecurID software token distribution to Apple iOS devices, because the App Transport Security (ATS) feature released in January 2017 requires SSL connections, such as CT-KIP, to use only TLSv1.2 with SHA2-signed certificates.
Enabling strict TLS
You enable strict TLS when your security scan flags insecure SSL protocols and your policy dictates that they must be eliminated. Be aware that doing so has implications. For example, older Windows clients that do not support TLSv1.2 will stop working, and this can affect RSA RADIUS in Authentication Manager 8.1 SP1. If your scan flags insecure RC4 ciphers, plan your upgrade to Authentication Manager 8.2 to address that.
Viewing available ciphersuites
You can see the RSA ciphersuites in /opt/rsa/am/server/config/config.xml, which has a section for each of the various servers, including the biztier server that controls the RSA consoles.
If you look at this server's <ssl> section, you can see a list of ciphersuites. Older Authentication Manager 8.0 or 8.1 servers will list ciphersuites such as TLS_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_AES_256_GCM_SHA256.
Newer Authentication Manager 8.2 servers will exclude all RC4 ciphers, and show ciphersuites such as TLS_ECDHE_WITH_AES_256_GCM_SHA384 and even TLS_RSA_WITH_AES_256_GCM_SHA256 for older browsers/clients, but not RC4, as shown:
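As an added example (not RSA's own code, and not RSA's actual config.xml schema), the following Python script audits an `<ssl>` section of the kind described above. The element names it parses (`server`, `ssl`, `enabled-protocols`, `ciphersuite`) are assumptions for illustration; only the `<ssl>` section and the ciphersuite names come from this article. It reports, per server, which enabled protocols are older than TLS1_2, which ciphersuites a scanner would flag (RC4 and similar), and whether the server is already in a TLS1_2-only state. The embedded sample configuration is constructed.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Union

# Constructed sample input. The element names (server/ssl/enabled-protocols/
# ciphersuite) are an assumption for this example, not RSA's config.xml schema.
SAMPLE_CONFIG = """<config>
  <server name="biztier">
    <ssl>
      <enabled-protocols>TLS1_0,TLS1_1,TLS1_2</enabled-protocols>
      <ciphersuites>
        <ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
        <ciphersuite>TLS_RSA_WITH_AES_256_GCM_SHA256</ciphersuite>
        <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
      </ciphersuites>
    </ssl>
  </server>
  <server name="webtier-proxy">
    <ssl>
      <enabled-protocols>TLS1_2</enabled-protocols>
      <ciphersuites>
        <ciphersuite>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</ciphersuite>
      </ciphersuites>
    </ssl>
  </server>
</config>
"""

# Protocol identifiers in the TLS1_x form the article uses, plus the SSL ones.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLS1_0", "TLS1_1"}
# Substrings that mark a ciphersuite most scanners flag (RC4, DES/3DES, NULL, export, MD5, anon).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "anon")

Finding = Dict[str, Union[List[str], bool]]


def audit_ssl_config(xml_text: str) -> Dict[str, Finding]:
    """Return, per server name, weak protocols, weak ciphersuites and whether it is TLS1_2-only."""
    root = ET.fromstring(xml_text)
    findings: Dict[str, Finding] = {}
    for server in root.iter("server"):
        ssl_section = server.find("ssl")
        if ssl_section is None:
            continue  # this server has no TLS listener configured here
        name = server.get("name", "<unnamed>")
        raw_protocols = ssl_section.findtext("enabled-protocols", "")
        protocols = [p.strip() for p in raw_protocols.split(",") if p.strip()]
        ciphers = [c.text.strip() for c in ssl_section.iter("ciphersuite")
                   if c.text and c.text.strip()]
        findings[name] = {
            "weak_protocols": [p for p in protocols if p in WEAK_PROTOCOLS],
            "weak_ciphers": [c for c in ciphers
                             if any(marker in c for marker in WEAK_CIPHER_MARKERS)],
            # Strict mode, as the article uses the term: nothing but TLS1_2 enabled.
            "strict_tls12": protocols == ["TLS1_2"],
        }
    return findings


def audit_file(path: str) -> Dict[str, Finding]:
    """Audit a config.xml on disk, e.g. /opt/rsa/am/server/config/config.xml."""
    with open(path, encoding="utf-8") as fh:
        return audit_ssl_config(fh.read())


if __name__ == "__main__":
    for server_name, result in audit_ssl_config(SAMPLE_CONFIG).items():
        print(f"{server_name}: strict TLS1_2 only = {result['strict_tls12']}")
        print(f"  weak protocols : {result['weak_protocols']}")
        print(f"  weak ciphers   : {result['weak_ciphers']}")
```

Run it against a copy of the real file with `audit_file(...)` after adjusting the element names to match what you see in your config.xml; a server that reports no weak protocols and no weak ciphers but `strict_tls12 = False` is one where TLS1_2 is offered alongside something else, which is the case the article's question is about.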
Authentication Manager version
You can check your version of Authentication Manager two ways:
Resolution
Secure Sockets Layer (SSL) is a protocol developed by Netscape for transmitting private documents over the Internet. It is based in part on asymmetric keys and the Public Key Infrastructure (PKI), so that more efficient symmetric keys can be exchanged securely.
In general, and as you would expect, older protocols such as SSLv2 and SSLv3 are considered less secure or insecure. Newer protocols, such as TLSv1.2, are considered more secure.
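The client side of the same requirement, as an added example that is not part of this article and not RSA's code: an integration tool or script that talks to the Authentication Manager API can refuse anything older than TLSv1.2 and drop RC4-class ciphersuites itself, using only Python's standard `ssl` module. The cipher string is an assumption chosen for this example; `describe_context` returns what the context will offer so the policy can be checked before any connection is made.

```python
import ssl
from typing import Dict, List, Union

# OpenSSL cipher string (an assumption for this example): forward-secret AEAD suites only,
# with explicit exclusions for the families a scan flags (RC4, 3DES, NULL/anonymous, MD5).
STRICT_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!RC4:!3DES:!aNULL:!eNULL:!MD5"


def make_strict_client_context() -> ssl.SSLContext:
    """Client context that negotiates only TLSv1.2 or newer with strong ciphersuites."""
    ctx = ssl.create_default_context()  # certificate and hostname verification stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3, TLS1_0 and TLS1_1 are never offered
    ctx.set_ciphers(STRICT_CIPHERS)
    return ctx


def describe_context(ctx: ssl.SSLContext) -> Dict[str, Union[str, List[str], bool]]:
    """Summarise the protocol floor and cipher offer of a context for a pre-flight policy check."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "minimum_version": ctx.minimum_version.name,
        "ciphers": names,
        "offers_rc4": any("RC4" in n for n in names),
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
    }


if __name__ == "__main__":
    summary = describe_context(make_strict_client_context())
    print("minimum version:", summary["minimum_version"])
    print("verifies peer  :", summary["verifies_peer"])
    print("offers RC4     :", summary["offers_rc4"])
    print("ciphersuites   :", ", ".join(summary["ciphers"]))
```

A context built this way is what you would pass to `http.client.HTTPSConnection(host, context=ctx)` or `urllib.request` when calling the API; if the handshake then fails against a server that still offers only older protocols or RC4, the error is the mismatch the Notes section below describes, on the client side.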
There are two issues here:
Notes
Some errors related to a mismatch between SSL client and SSL server as to protocols or ciphers include the following: