So, I followed this document (https://community.rsa.com/docs/DOC-86113) and enabled strict TLS1.2 on my RSA environment. Trouble is when I run SSLLabs.com against my external URL it still seems to say that it sees TLS1.1 enabled. I would think that when I run the command ./rsautil store -a enable_min_protocol_tlsv1_2 true restart that it would do just that, and actually strictly force TLS1.2.
After running the process, and waiting for it to do its magic, the process said that it was successful and both the web tier boxes were rebooted and show online and healthy after the reboot. It even showed a status on them that said “requires restart” before I went to restart them, meaning it noticed the command line change from the OC side. I suspect that maybe it doesn’t allow TLS1.1, even though these online tools say they still see it available though. The reason I say that is that all of the handshakes that happen on the SSLLabs.com site only show TLS1.2, which is rather telling.
Questions:
How do I confirm TLS 1.1 is not working, as I'll fail my external audit if TLS 1.1 is enabled?
Are there any known issues with this article when 8.4.0.1.0 is the current version?
You can use the openssl client to see which version(s) of TLS are enabled:
openssl s_client -connect webtier-ip-address:443 -tls1_2
openssl s_client -connect webtier-ip-address:443 -tls1_1
etc. Non-working levels will throw an error.
This requires openssl 1.0.1 or newer. "openssl version" will tell you which version you have.
If 1.1 is turned off at the webtiers but SSLLabs.com says the external URL (i.e., the virtual hostname) is allowing it, then you might need to talk to your firewall/load balancer guys.
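Below is an added script (not from the original answer or from RSA) that wraps the openssl s_client check above, probing each TLS version against a host and classifying the result. It assumes openssl 1.0.1 or newer on PATH; the host and port are placeholders you supply, and a result of INCONCLUSIVE means the local openssl build itself refused to offer that version (common for TLS 1.0/1.1 on OpenSSL 3 builds, or -tls1_3 on old builds), so it says nothing about the server.

```shell
#!/bin/sh
# probe_tls.sh: usage: sh probe_tls.sh <host> [port]
# Added example, not part of the original answer. Assumes openssl >= 1.0.1.

# Classify one s_client probe from its exit status and captured output.
# Prints ENABLED, DISABLED or INCONCLUSIVE.
classify_probe() {
  rc=$1
  out=$2
  case "$out" in
    # The client could not even offer this version: says nothing about the server.
    *"no protocols available"*|*"unknown option"*)
      echo INCONCLUSIVE
      return 0 ;;
  esac
  # A completed handshake exits 0 and reports a real cipher; a refused one
  # exits non-zero and prints "Cipher is (NONE)".
  if [ "$rc" -eq 0 ] && ! printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
    echo ENABLED
  else
    echo DISABLED
  fi
}

# Run one probe for a given version flag (e.g. -tls1_1) and print the verdict.
# -servername sends SNI, which matters when the external name is a virtual host
# fronted by a load balancer.
probe_version() {
  host=$1; port=$2; flag=$3
  rc=0
  out=$(openssl s_client -connect "$host:$port" -servername "$host" "$flag" \
        </dev/null 2>&1) || rc=$?
  printf '%-8s %s\n' "$flag" "$(classify_probe "$rc" "$out")"
}

# Probe every TLS version the audit cares about.
probe_all() {
  for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    probe_version "$1" "$2" "$flag"
  done
}

if [ $# -ge 1 ]; then
  probe_all "$1" "${2:-443}"
fi
```

Run it once against a web tier IP and once against the external virtual hostname; if -tls1_1 is DISABLED on the web tiers but ENABLED externally, the extra acceptance is happening on the load balancer or firewall in front of them.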