How to Check Available SSL/TLS Protocols and Ciphers on a Specific Port Using TestSSLServer
Originally Published: 2016-04-22
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
Use this procedure to identify which SSL/TLS protocol versions and cipher suites are currently enabled on a specific port in your RSA Authentication Manager deployment. This is typically needed when auditing your environment for security compliance, investigating TLS-related connectivity issues, or verifying that deprecated protocols (such as SSLv3 or TLS 1.0) have been successfully disabled.
Prerequisites:
- Java is installed on the machine you will run the tool from
- The machine has network connectivity to the target Authentication Manager server and port
- The TestSSLServer.jar file is downloaded from the attachment section of this article
NOTE: TestSSLServer.jar is a read-only diagnostic tool. Running it does not modify any SSL/TLS configuration on the Authentication Manager server.
Resolution
- Download TestSSLServer.jar from the attachment section of this article.
- Move the file to any machine that has Java installed and can reach the target Authentication Manager server and port.
- Open a terminal or command prompt on that machine.
- Navigate to the directory where you placed TestSSLServer.jar.
- Run the following command, replacing <server_name_or_ip> and <port> with the target server and port:

    java -jar TestSSLServer.jar <server_name_or_ip> <port>

Example:

    # java -jar TestSSLServer.jar am81p.vcloud.local 7002
    Supported versions: SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
    Deflate compression: no
    Supported cipher suites (ORDER IS NOT SIGNIFICANT):
      SSLv3
         RSA_WITH_AES_128_CBC_SHA
         RSA_WITH_AES_256_CBC_SHA
      (TLSv1.0: idem)
      (TLSv1.1: idem)
      TLSv1.2
         RSA_WITH_AES_128_CBC_SHA
         RSA_WITH_AES_256_CBC_SHA
         RSA_WITH_AES_128_CBC_SHA256
         RSA_WITH_AES_256_CBC_SHA256
         TLS_RSA_WITH_AES_128_GCM_SHA256
    ----------------------
    Server certificate(s):
      d887fe3c5b9f7597c32b1c569e0dc3c219bd7cb2: SERIALNUMBER=04f93769869b944d3817e9327f809f4a9e864db0adb54067a077469629781cdc, CN=am81p.vcloud.local
    ----------------------
    Minimal encryption strength: strong encryption (96-bit or more)
    Achievable encryption strength: strong encryption (96-bit or more)
    BEAST status: vulnerable
    CRIME status: protected

Reading the output:
- Supported versions — Lists all SSL/TLS protocol versions currently enabled on that port
- SSLv3 — Enabled with ciphers RSA_WITH_AES_128_CBC_SHA and RSA_WITH_AES_256_CBC_SHA
- (TLSv1.0: idem) — TLS 1.0 is also supported, with exactly the same list of cipher suites (and selection algorithm) as SSLv3; otherwise, TestSSLServer would have listed the suites separately, the same way it did for SSLv3
- (TLSv1.1: idem) — TLS 1.1 is also supported, with exactly the same list of cipher suites (and selection algorithm) as SSLv3; otherwise, TestSSLServer would have listed the suites separately, the same way it did for SSLv3
- TLSv1.2 — Enabled with ciphers RSA_WITH_AES_128_CBC_SHA, RSA_WITH_AES_256_CBC_SHA, RSA_WITH_AES_128_CBC_SHA256, RSA_WITH_AES_256_CBC_SHA256, and TLS_RSA_WITH_AES_128_GCM_SHA256
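
For audits that cover many ports, the "idem" expansion described above can be scripted. The following Python sketch is an added example, not part of the original article or of TestSSLServer: it parses a saved report, expands each "idem" line to the suites of the preceding explicitly listed version, and returns the deprecated protocol versions that are still enabled. The names parse_suites, audit and DEPRECATED are hypothetical, and SAMPLE is constructed from the example output above.

```python
import re

# Constructed sample: protocol/cipher section of the article's example output.
SAMPLE = """\
Supported versions: SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  SSLv3
     RSA_WITH_AES_128_CBC_SHA
     RSA_WITH_AES_256_CBC_SHA
  (TLSv1.0: idem)
  (TLSv1.1: idem)
  TLSv1.2
     RSA_WITH_AES_128_CBC_SHA
     RSA_WITH_AES_256_CBC_SHA
     RSA_WITH_AES_128_CBC_SHA256
     RSA_WITH_AES_256_CBC_SHA256
     TLS_RSA_WITH_AES_128_GCM_SHA256
----------------------
"""

# Assumption: the audit policy bans the versions the article names; extend as needed.
DEPRECATED = {"SSLv3", "TLSv1.0"}

def parse_suites(report):
    """Return {version: [suites]}, expanding '(X: idem)' entries."""
    suites, current, in_section = {}, None, False
    for line in report.splitlines():
        text = line.strip()
        if text.startswith("Supported cipher suites"):
            in_section = True
        elif not in_section or not text:
            continue
        elif text.startswith("---"):
            break  # end of the cipher suite section
        elif (m := re.fullmatch(r"\((\S+): idem\)", text)):
            # 'idem': same suites as the last explicitly listed version
            suites[m.group(1)] = list(suites[current])
        elif re.fullmatch(r"SSLv\d|TLSv\d\.\d", text):
            current = text
            suites[current] = []
        else:
            suites[current].append(text)
    return suites

def audit(report):
    """Return the deprecated versions still enabled, with their suites."""
    suites = parse_suites(report)
    return {v: suites[v] for v in sorted(suites) if v in DEPRECATED}
```

An empty result from audit() means none of the versions in DEPRECATED were reported as enabled on that port.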
Attachments
If the attachment does not open when clicked, please refresh the page and try again. You must be logged in to view the file(s).