AnsweredAssumed Answered

TLS 1.2 enabled on Web Tier but still shows TLS 1.1 enabled

Question asked by Stephen Martin on Mar 14, 2019
Latest reply on Mar 15, 2019 by Edward Davis

Like • Show 0 Likes0
Comment • 9

So, I followed this document (https://community.rsa.com/docs/DOC-86113) and enabled strict TLS1.2 on my RSA environment. Trouble is when I run SSLLabs.com against my external URL it still seems to say that it sees TLS1.1 enabled. I would think that when I run the command ./rsautil store -a enable_min_protocol_tlsv1_2 true restart that it would do just that, and actually strictly force TLS1.2.

After running the process, and waiting for it to do its magic, the process said that it was successful and both the web tier boxes were rebooted and show online and healthy after the reboot. It even showed a status on them that said “requires restart” before I went to restart them, meaning it noticed the command line change from the OC side. I suspect that maybe it doesn’t allow TLS1.1, even though these online tools say they still see it available though. The reason I say that is that all of the handshakes that happen on the SSLLabs.com site only show TLS1.2, which is rather telling.

Questions:

How do I confirm TLS 1.1 is not working as I'll fail my external audit if TLS 1.1 is enabled.?

Is there any known issues with this article when 8.4.0.1.0 is the current version.?

No one else has this question

Outcomes

9 Replies

Steven Spicer Mar 14, 2019 11:42 AM
Mark Correct
Correct Answer
You can use the openssl client to see which version(s) of TLS are enabled:
openssl s_client -connect webtier-ip-address:443 -tls1_2
openssl s_client -connect webtier-ip-address:443 -tls1_1
etc. Non-working levels will throw an error.
This requires openssl 1.0.1 or newer. "openssl version" will tell you which version you have.

If 1.1 is turned off at the webtiers but SSLLabs.com says the external URL (i.e., the virtual hostname) is allowing it, then you might need to talk to your firewall/load balancer guys.
Like • Show 1 Like1
Actions
- Edward Davis @ Steven Spicer on Mar 14, 2019 1:01 PM
  Mark Correct
  Correct Answer
  Another idea is set IE to use --only tls 1.2--, see if you can log into web tier self service page.
  
  Then set to tls1.1 only (remove tls1.2) and retry.
  
  1 person found this helpful
  Like • Show 2 Likes2
  Actions
  - Edward Davis @ Edward Davis on Mar 15, 2019 11:57 AM
    Mark Correct
    Correct Answer
    Update
    ----
    tested
    -----
    8.4.0.1.0 primary 8.4.0.1.0 web tier
    set tls1.2 strict, restarted AM Primary, restarted web tier
    
    a) IE set to TLS1.1 only
    get error message, unable to load any web page
    Can’t connect securely to this page
    This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner.
    
    b) IE set to TLS1.2 only
    page loads fine, I can login into web tier
    
    ---
    
    Summary: testing TLS1.2 mode strict, it works, prevents tls 1.1 page loading,
    and unable to access web tier unless you are using tls1.2
    
    If TLS1.2 mode is not set to strict,
    setting IE to TLS1.1 only, works
    setting IE to TLS1.2 only, works
    Like • Show 2 Likes2
    Actions
    - Stephen Martin @ Edward Davis on Mar 15, 2019 12:15 PM
      Mark Correct
      Correct Answer
      Hi Edward,
      
      Is there anyway of turning TLS 1.1 off on the web tier?
      
      Our testing using ssl.labs.com shows:
      
      TLS 1.2 connectivity to the web tier works
      TLS 1.0 is not available/disabled – this is good
      TLS 1.1 is available/enabled… - this is not good as it fails our external audit.
      
      How do we make TLS 1.1 unavailable?
      I would think that when I run the command ./rsautil store -a enable_min_protocol_tlsv1_2 true restart that it would do just that, and actually strictly force TLS1.2
      Like • Show 1 Like1
      Actions
      - Steven Spicer @ Stephen Martin on Mar 15, 2019 12:27 PM
        Mark Correct
        Correct Answer
        Have you tested the webtier internally (connect to the actual webtier host, not the virtual hostname) rather than using ssllabs.com? If the entry point terminates the incoming SSL/TLS and creates its own connection to the webtier host (very common) then the rules at the entry point apply for external testing.
        Like • Show 1 Like1
        Actions
- Jay Guillette @ Steven Spicer on Mar 14, 2019 2:22 PM
  Mark Correct
  Correct Answer
  If you use openssl ver. 0.9, it does not support tlsv1.2 so just testing with it is a test of if tlsv1.1 responds.
  Also if you do Steve's test, you might see a partial response on TLSv1.1, where it says connected on the first response line, and then says ERROR about ciphers or protocols on the second line, which a Scan might flag as a false positive
  Like • Show 3 Likes3
  Actions
- Edward Davis @ Steven Spicer on Mar 15, 2019 3:36 PM
  Mark Correct
  Correct Answer
  This is my ssl test on the web tier itself, to itself (10.101.99.153)
  
  so, it will answer tls1.1 with a 'nothing to do here'
  ---------------------
  TLS1.2 strict enabled, 8.4.0.1.0 web tier
  
  # openssl s_client -connect 10.101.99.153:443 -tls1_1
  CONNECTED(00000003)
  140402749577032:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
  ---
  no peer certificate available
  ---
  No client certificate CA names sent
  ---
  SSL handshake has read 5 bytes and written 7 bytes
  ---
  New, (NONE), Cipher is (NONE)
  Secure Renegotiation IS NOT supported
  Compression: NONE
  Expansion: NONE
  SSL-Session:
  Protocol : TLSv1.1
  Cipher : 0000
  Session-ID:
  Session-ID-ctx:
  Master-Key:
  Key-Arg : None
  Krb5 Principal: None
  PSK identity: None
  PSK identity hint: None
  Start Time: 1552678329
  Timeout : 7200 (sec)
  Verify return code: 0 (ok)
  ---
  # openssl s_client -connect 10.101.99.153:443 -tls1_2
  CONNECTED(00000003)
  depth=1 CN = RSA root CA for edavis-vm150.na.rsa.net, serialNumber = 87584c81f5ddb290df09e69e8b010ee31fe273a65aaf498a8dd22064d9f4f61a
  verify error:num=19:self signed certificate in certificate chain
  verify return:0
  ---
  Certificate chain
  0 s:/CN=edavis-vm153.na.rsa.net/serialNumber=9d1bd9a017397a524cc05d7cad6105bff1c57b790f0965e543ea7d16c926ae4b
  i:/CN=RSA root CA for edavis-vm150.na.rsa.net/serialNumber=87584c81f5ddb290df09e69e8b010ee31fe273a65aaf498a8dd22064d9f4f61a
  1 s:/CN=RSA root CA for edavis-vm150.na.rsa.net/serialNumber=87584c81f5ddb290df09e69e8b010ee31fe273a65aaf498a8dd22064d9f4f61a
  i:/CN=RSA root CA for edavis-vm150.na.rsa.net/serialNumber=87584c81f5ddb290df09e69e8b010ee31fe273a65aaf498a8dd22064d9f4f61a
  ---<snip>
  Like • Show 2 Likes2
  Actions
  - Stephen Martin @ Edward Davis on Mar 15, 2019 4:10 PM
    Mark Correct
    Correct Answer
    I have two separate windows 2012 r2 boxes. Both were saying TLS1.1 was enabled when I ran even the OpenSSL command to validate. I then used IISCrypto on each separate server to turn it on and then after a reboot turn it off again. I will stress that I did this same thing yesterday in the same manner and it still showed that TLS1.1 was available.
    
    Now for the extra weird part….
    
    When I just did those same steps again, and this will be the last time I mention that it’s two different separate servers that we did it on, it finally shows as not available, like we expect it to.
    
    I cannot explain this behavior other than to say I’m happy that it now shows disabled. It would certainly appear that regardless of the RSA Software’s setting the OS is a factor in this showing up. The weirdest thing is the RSA documentation doesn’t even touch the idea of the OS level setting at all.
    
    This is how I got TLS 1.1 not to respond….should the documentation be updated??
    Like • Show 1 Like1
    Actions
    - Edward Davis @ Stephen Martin on Mar 15, 2019 5:07 PM
      Mark Correct
      Correct Answer
      We can state that TLS1.2 strict will not negotiate successful connections on anything lower than TLS1.2. Exceptions to security scanner reports are a common way to report false or misleading positives. I do see TLS1.1 responding, but it is dead and no work can be done on it, and your point is valid.
      
      About the documentation or this issue overall...There is a way to make suggestions or recommendations to RSA Product Management and they review these customer suggestions and act on the ones that make the most impact.
      
      Post here and it will get noticed:
      
      RSA Ideas for RSA SecurID Access
      Like • Show 1 Like1
      Actions

TLS 1.2 enabled on Web Tier but still shows TLS 1.1 enabled

Outcomes

Related Content

Recommended Content