How to Check Available SSL/TLS Protocols and Ciphers on a Specific Port Using TestSSLServer
Originally Published: 2016-04-22
Article Number
000067535
Applies To
RSA Product Set:  SecurID
RSA Product/Service Type:  Authentication Manager
RSA Version/Condition:  8.x
Issue

Use this procedure to identify which SSL/TLS protocol versions and cipher suites are currently enabled on a specific port in your RSA Authentication Manager deployment. This is typically needed when auditing your environment for security compliance, investigating TLS-related connectivity issues, or verifying that deprecated protocols (such as SSLv3 or TLS 1.0) have been successfully disabled.

Prerequisites:

  • Java is installed on the machine you will run the tool from
  • The machine has network connectivity to the target Authentication Manager server and port
  • The TestSSLServer.jar file is downloaded from the attachment section of this article

NOTE: TestSSLServer.jar is a read-only diagnostic tool. Running it does not modify any SSL/TLS configuration on the Authentication Manager server.


Resolution
  1. Download TestSSLServer.jar from the attachment section of this article.
  2. Move the file to any machine that has Java installed and can reach the target Authentication Manager server and port.
  3. Open a terminal or command prompt on that machine.
  4. Navigate to the directory where you placed TestSSLServer.jar.
  5. Run the following command, replacing <server_name_or_ip> and <port> with the target server and port:
    java -jar TestSSLServer.jar <server_name_or_ip> <port>


    Example: 
    # java -jar TestSSLServer.jar am81p.vcloud.local 7002
    Supported versions: SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
    Deflate compression: no
    Supported cipher suites (ORDER IS NOT SIGNIFICANT):
      SSLv3
         RSA_WITH_AES_128_CBC_SHA
         RSA_WITH_AES_256_CBC_SHA
      (TLSv1.0: idem)
      (TLSv1.1: idem)
      TLSv1.2
         RSA_WITH_AES_128_CBC_SHA
         RSA_WITH_AES_256_CBC_SHA
         RSA_WITH_AES_128_CBC_SHA256
         RSA_WITH_AES_256_CBC_SHA256
         TLS_RSA_WITH_AES_128_GCM_SHA256
    ----------------------
    Server certificate(s):
      d887fe3c5b9f7597c32b1c569e0dc3c219bd7cb2: SERIALNUMBER=04f93769869b944d3817e9327f809f4a9e864db0adb54067a077469629781cdc, CN=am81p.vcloud.local
    ----------------------
    Minimal encryption strength:     strong encryption (96-bit or more)
    Achievable encryption strength:  strong encryption (96-bit or more)
    BEAST status: vulnerable
    CRIME status: protected

Reading the output:

  • Supported versions — Lists all SSL/TLS protocol versions currently enabled on that port
  • SSLv3 — Enabled with ciphers RSA_WITH_AES_128_CBC_SHA and RSA_WITH_AES_256_CBC_SHA
  • (TLSv1.0: idem) — TLS 1.0 is also supported, with exactly the same cipher suites (and selection algorithm) as SSLv3; otherwise TestSSLServer would have listed its suites separately, as it did for SSLv3
  • (TLSv1.1: idem) — TLS 1.1 is also supported, again with exactly the same cipher suites (and selection algorithm) as SSLv3
  • TLSv1.2 — Enabled with ciphers RSA_WITH_AES_128_CBC_SHA, RSA_WITH_AES_256_CBC_SHA, RSA_WITH_AES_128_CBC_SHA256, RSA_WITH_AES_256_CBC_SHA256, and TLS_RSA_WITH_AES_128_GCM_SHA256
  • BEAST status / CRIME status — BEAST is reported as vulnerable because CBC cipher suites are offered over SSLv3 and TLS 1.0; CRIME is reported as protected because TLS compression is off (Deflate compression: no)
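To turn the output walk-through above into a repeatable compliance check, the following is an added Python example (not part of this article and not part of TestSSLServer). It parses the tool's text output, expands the "(TLSv1.0: idem)" lines the way the article describes them, and flags deprecated protocol versions and CBC suites offered over SSLv3/TLS 1.0. The embedded sample is a constructed, abridged copy of the run shown above, and the set of deprecated versions is an assumed policy.

```python
import re

# Constructed sample, abridged from the TestSSLServer output quoted in this article, so the parser runs offline.
SAMPLE_OUTPUT = """\
Supported versions: SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  SSLv3
     RSA_WITH_AES_128_CBC_SHA
     RSA_WITH_AES_256_CBC_SHA
  (TLSv1.0: idem)
  (TLSv1.1: idem)
  TLSv1.2
     RSA_WITH_AES_128_CBC_SHA
     RSA_WITH_AES_256_CBC_SHA256
     TLS_RSA_WITH_AES_128_GCM_SHA256
----------------------
BEAST status: vulnerable
"""

# Protocol versions the audit expects to be disabled (assumed policy, not something the tool decides).
DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0"}

def parse_suites(output):
    """Map version -> suite list; a '(X: idem)' line gets a copy of the last explicitly listed list."""
    suites, current = {}, None
    block = output.split("Supported cipher suites", 1)[1].split("----", 1)[0]
    for line in block.splitlines()[1:]:          # [1:] skips the rest of the header line
        idem = re.match(r"^  \((\S+): idem\)$", line)
        version = re.match(r"^  (\S+)$", line)   # two-space indent: a version heading
        if idem:
            suites[idem.group(1)] = list(suites[current])
        elif version:
            current = version.group(1)
            suites[current] = []
        elif current and line.strip():           # deeper indent: a suite under `current`
            suites[current].append(line.strip())
    return suites

def audit(output):
    """Findings a compliance reviewer would raise from one TestSSLServer run."""
    versions = re.search(r"^Supported versions:(.*)$", output, re.M).group(1).split()
    findings = [f"deprecated protocol enabled: {v}" for v in versions if v in DEPRECATED_VERSIONS]
    for version, suites in parse_suites(output).items():
        # CBC suites offered over SSLv3/TLS 1.0 are what the tool's BEAST line reflects.
        findings += [f"CBC suite offered over {version}: {s}" for s in suites
                     if version in ("SSLv3", "TLSv1.0") and "_CBC_" in s]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_OUTPUT)) or "no findings")
```

Redirect the real command's output to a file (`java -jar TestSSLServer.jar <server_name_or_ip> <port> > scan.txt`) and pass its contents to `audit()` to check a live port instead of the sample.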
Attachments: TestSSLServer.jar