Authentication Manager supports several TLS protocol versions (TLS 1.0, 1.1 and 1.2, referred to in the product as TLS1_0, TLS1_1 and TLS1_2) depending on the specific version of Authentication Manager, and also supports limiting or blocking some of these protocols, especially the older ones. Starting with Authentication Manager 8.2, RSA also dropped support for cipher suites that use the RC4 algorithm.
Customers are trying to determine whether they need to enforce strict TLS1_2 mode in order to gain support for TLSv1.2 in Authentication Manager, the Self-Service Console and the web tiers, as well as in integrations with API tools such as Authentication Manager Prime and the Authentication Manager Integration Service (AMIS). This also affects SecurID software token distribution to Apple iOS devices, because the App Transport Security (ATS) enforcement that Apple announced for January 2017 requires SSL/TLS connections, such as the CT-KIP connection used for token provisioning, to use only TLSv1.2 with SHA-2 signed certificates.
If you need support for the TLSv1.2 protocol, upgrade to at least Authentication Manager 8.1 SP1 P3.
If you need to block protocols older than TLSv1.2 (TLSv1.0 and TLSv1.1), patch to at least Authentication Manager 8.1 SP1 P13 and run the strict TLS1_2 enable script.
If you need to prevent the use of RC4 cipher suites, upgrade to at least Authentication Manager 8.2.
Enable strict TLS when a security scan flags insecure SSL/TLS protocols and your policy requires that they be eliminated. Be aware that doing so has implications: older clients that do not support TLSv1.2 (for example older Windows clients) will no longer be able to connect, and in Authentication Manager 8.1 SP1 this can affect RSA RADIUS as well. The strict TLS1_2 script controls protocol versions, not cipher suites, so if your scan flags insecure RC4 ciphers, plan an upgrade to Authentication Manager 8.2 to address that.
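After running the strict TLS1_2 enable script (or an upgrade to 8.2), the check a practitioner wants is an external probe that offers the server exactly one protocol version at a time and reports what it accepts. The following Python script is an added example written for this page, not RSA's own tooling; it assumes a reachable Authentication Manager console or web tier host and port (the defaults below are placeholders), and the verdict logic deliberately distinguishes "the server rejected TLS 1.0" from "my local OpenSSL refused to offer TLS 1.0 at all", because modern OpenSSL builds disable TLS 1.0/1.1 and RC4 at their default security level and that must not be misread as the server being strict.

```python
import socket
import ssl

# Product-style labels mapped to the ssl module's version constants.
PROBE_VERSIONS = {
    "TLS1_0": ssl.TLSVersion.TLSv1,
    "TLS1_1": ssl.TLSVersion.TLSv1_1,
    "TLS1_2": ssl.TLSVersion.TLSv1_2,
}


def _context(version, ciphers=None):
    """Client context pinned to exactly one protocol version.
    Certificate validation is disabled on purpose: this is a protocol
    probe, not a trust check, and appliance consoles often use self-signed
    certificates."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if ciphers:
        ctx.set_ciphers(ciphers)  # raises SSLError if nothing matches locally
    return ctx


def probe(host, port, version, ciphers=None, timeout=5.0):
    """Return (status, detail) where status is one of:
    'accepted'           server completed the handshake (detail = cipher name)
    'rejected'           server refused this version/cipher (detail = reason)
    'client_unsupported' local OpenSSL would not even offer it
    'error'              TCP-level problem, nothing learned about TLS"""
    try:
        ctx = _context(version, ciphers)
    except ssl.SSLError as e:
        return ("client_unsupported", str(e))
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("accepted", tls.cipher()[0])
    except ssl.SSLError as e:
        # NO_PROTOCOLS_AVAILABLE is the local library refusing old versions
        # at its security level; everything else came from the server side.
        if e.reason in ("NO_PROTOCOLS_AVAILABLE", "NO_CIPHERS_AVAILABLE"):
            return ("client_unsupported", str(e))
        return ("rejected", e.reason or str(e))
    except OSError as e:
        return ("error", str(e))


def verdict(statuses):
    """statuses: {'TLS1_0': status, 'TLS1_1': status, 'TLS1_2': status}.
    Strict TLS1_2 mode means TLS 1.2 is accepted and both older versions
    were actively rejected by the server. If the client could not offer an
    old version, nothing was proven about the server, so the result is
    'inconclusive' rather than 'strict'."""
    if statuses.get("TLS1_2") != "accepted":
        return "tls12_unavailable"
    old = [statuses.get(v) for v in ("TLS1_0", "TLS1_1")]
    if any(s == "accepted" for s in old):
        return "not_strict"
    if all(s == "rejected" for s in old):
        return "strict"
    return "inconclusive"


def probe_server(host, port):
    """Run one probe per protocol version plus an RC4-only probe.
    RC4 is frequently not compiled into current OpenSSL builds, and where it
    is, '@SECLEVEL=0' is required to offer it, so expect client_unsupported
    from a modern workstation; use an older toolchain to prove RC4 removal."""
    statuses, details = {}, {}
    for name, ver in PROBE_VERSIONS.items():
        statuses[name], details[name] = probe(host, port, ver)
    details["RC4"] = probe(host, port, ssl.TLSVersion.TLSv1_2, "RC4:@SECLEVEL=0")
    return verdict(statuses), statuses, details


if __name__ == "__main__":
    import sys
    # Placeholder defaults; pass the console or web tier host and port.
    host = sys.argv[1] if len(sys.argv) > 1 else "am-console.example.invalid"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    result, statuses, details = probe_server(host, port)
    for name in PROBE_VERSIONS:
        print(f"{name}: {statuses[name]} ({details[name]})")
    print(f"RC4 probe: {details['RC4'][0]} ({details['RC4'][1]})")
    print(f"verdict: {result}")
```

Run it once before enabling strict mode and once after; a correct result flips from not_strict to strict, and an inconclusive result tells you to repeat the probe from a client whose OpenSSL still offers TLS 1.0/1.1 rather than to assume the server is hardened.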
Viewing available ciphersuites
You can see the cipher suites in /opt/rsa/am/server/config/config.xml, which has a section for each of the various servers, including the biztier server that controls the RSA consoles.
If you look at that server's <ssl> section, you will see a list of cipher suites. Older Authentication Manager 8.0 or 8.1 servers list suites such as TLS_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_AES_256_GCM_SHA384.
Newer Authentication Manager 8.2 servers exclude all RC4 suites and list ECDHE suites such as TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, together with non-ECDHE suites such as TLS_RSA_WITH_AES_256_GCM_SHA384 for clients that cannot negotiate ECDHE, but no RC4 suites at all.
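Reading the <ssl> section by eye works for a handful of suites, but a scripted audit is easier to repeat after a patch. The following Python example is added for this page and is not part of RSA's product; the page does not document the exact config.xml schema, so the element names in the constructed sample below are an assumption, and the code therefore matches cipher-suite names by their TLS_* naming pattern anywhere under an <ssl> element rather than relying on a particular child tag. It flags RC4, suites without forward secrecy, and suites that are negotiable by TLS 1.0/1.1 clients (GCM and SHA-256/384 suites exist only in TLS 1.2).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled loosely on the <ssl> section described above.
# The <server>/<ciphersuites>/<ciphersuite> element names are assumptions,
# not the real config.xml layout.
SAMPLE_CONFIG_XML = """<?xml version="1.0"?>
<config>
  <server name="biztier">
    <ssl>
      <ciphersuites>
        <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
        <ciphersuite>TLS_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
        <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
        <ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
      </ciphersuites>
    </ssl>
  </server>
</config>
"""

# Constructed sample of what an RC4-free, TLS 1.2-only list looks like.
STRICT_SAMPLE_XML = """<?xml version="1.0"?>
<config>
  <server name="biztier">
    <ssl>
      <ciphersuites>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
        TLS_RSA_WITH_AES_256_GCM_SHA384</ciphersuites>
    </ssl>
  </server>
</config>
"""

# IANA-style suite names; matching on the pattern also copes with
# comma-separated lists in a single element's text.
SUITE_RE = re.compile(r"\bTLS_[A-Z0-9_]+\b")


def extract_ciphersuites(xml_text):
    """Return every TLS_* cipher-suite name found under any <ssl> element."""
    root = ET.fromstring(xml_text)
    suites = []
    for ssl_el in root.iter("ssl"):
        for el in ssl_el.iter():
            if el.text:
                suites.extend(SUITE_RE.findall(el.text))
    return suites


def audit_ciphersuite(name):
    """Classify one suite.
    rc4:            uses the RC4 stream cipher (removed in AM 8.2)
    forward_secret: ephemeral (EC)DHE key exchange
    tls12_only:     AEAD (GCM) or SHA-256/384 MAC suites, which only exist
                    in TLS 1.2, so a TLS 1.0/1.1 client cannot select them"""
    return {
        "name": name,
        "rc4": "_RC4_" in name,
        "forward_secret": "_ECDHE_" in name or "_DHE_" in name,
        "tls12_only": "_GCM_" in name or name.endswith(("SHA256", "SHA384")),
    }


def audit_config(xml_text):
    """Summarise the <ssl> cipher-suite list of one config.xml document."""
    rows = [audit_ciphersuite(s) for s in extract_ciphersuites(xml_text)]
    return {
        "suites": rows,
        "rc4_present": any(r["rc4"] for r in rows),
        "all_tls12_only": all(r["tls12_only"] for r in rows) if rows else False,
        "legacy_client_suites": [r["name"] for r in rows if not r["tls12_only"]],
    }


if __name__ == "__main__":
    import sys
    # Pass the real path (e.g. /opt/rsa/am/server/config/config.xml) to
    # audit an actual appliance; with no argument the constructed sample runs.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG_XML
    report = audit_config(text)
    for r in report["suites"]:
        flags = [k for k in ("rc4", "forward_secret", "tls12_only") if r[k]]
        print(f"{r['name']:45s} {' '.join(flags)}")
    print("RC4 present:", report["rc4_present"])
    print("TLS 1.2-only list:", report["all_tls12_only"])
```

On the first sample the report shows RC4 present and two suites that a TLS 1.0 client could still negotiate; on the strict sample both findings clear. Note that the suite list and the protocol setting are independent controls: a TLS 1.2-only suite list prevents old clients from completing a handshake only if no legacy suite remains, which is why both the protocol probe and the suite audit are worth running.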
Secure Sockets Layer (SSL) is a protocol originally developed by Netscape for transmitting private data over the Internet; Transport Layer Security (TLS) is its standardized successor, and the name SSL is still commonly used for both. It relies in part on asymmetric keys and a Public Key Infrastructure (PKI) so that the more efficient symmetric keys used to protect the session can be exchanged securely.
As you would expect, older protocols such as SSLv2 and SSLv3 are considered insecure (both have practical attacks and have been formally deprecated), while newer protocols such as TLSv1.2 are considered secure.
There are two separate questions here:
In which Authentication Manager version a given protocol is supported or available.
When, and how, older protocols can be blocked.
Some errors caused by a mismatch between the SSL client and the SSL server regarding supported protocols or ciphers include the following:
socket: Connection refused
This page can't be displayed
it is possible this site uses an unsupported protocol or cipher suite such as RC4
SSLv3 Record Layer: Alert (Level: Fatal, Description: Illegal Parameter) (as displayed by a packet capture tool such as Wireshark when the server aborts the handshake)