Amazon is sunsetting SSLv3 support soon, and I am trying to verify that boto is utilizing TLS. Is there a good way to verify this? Or is there a good test to show TLS utilization?
1. Click on: Start -> Control Panel -> Internet Options 2. Click on the Advanced tab 3. Scroll to the bottom and check the TLS version described in steps 3 and 4: 4.
How to check if TLS 1.2 is enabled? If the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\DisabledByDefault is present, the value should be 0.
You should use openssl s_client, and the option you are looking for is -tls1_2. If you get the certificate chain and the handshake you know the system in question supports TLS 1.2. If you see don't see the certificate chain, and something similar to "handshake error" you know it does not support TLS 1.2.
As stated above, you can use a packet sniffer to determine if SSLv3 connections are being made:
# sudo tcpdump -i eth0 'tcp[((tcp[12]>>4)*4)+9:2]=0x0300'
Replace 'eth0' with the correct interface. Then test if it's working, by performing a SSLv3 connection with openssl:
# openssl s_client -connect s3.amazonaws.com:443 -ssl3
That activity should be captured by tcpdump, if network interface is correct. Finally, test your app. If it's using SSLv3 it should be visible as well. You can also change the capture filter to see what protocol is being used:
At a high-level, the client and the server will negotiate which one to support as part of the SSL/TLS handshake, the highest supported version of the protocol, both from the client and the server side, wins. If client supports the latest and greatest which is TLS 1.2 and the server supports it as well, they will decide to use TLS 1.2. You can sniff the traffic using Wireshark or other similar packet capture tools to determine if the encrypted traffic is using SSLv3 or TLS.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With