
How to tell if boto is using SSLv3 or TLS?

Amazon is sunsetting SSLv3 support soon, and I am trying to verify that boto is utilizing TLS. Is there a good way to verify this? Or is there a good test to show TLS utilization?

ashchristopher asked Apr 27 '15 18:04




2 Answers

As stated above, you can use a packet sniffer to determine if SSLv3 connections are being made:

# sudo tcpdump -i eth0 'tcp[((tcp[12]>>4)*4)+9:2]=0x0300'

Replace 'eth0' with the correct interface. Then test if it's working, by performing an SSLv3 connection with openssl:

# openssl s_client -connect s3.amazonaws.com:443 -ssl3

That activity should be captured by tcpdump, if the network interface is correct. Finally, test your app. If it's using SSLv3 it should be visible as well. You can also change the capture filter to see what protocol is being used:

  • TLSv1 - 0x0301
  • TLSv1.1 - 0x0302
  • TLSv1.2 - 0x0303

synclabs answered Oct 10 '22 07:10
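
An added example, not part of the answer above: a Python sketch of what that capture filter compares, reading the two bytes at offset 9 of the TCP payload and also checking that they belong to a handshake hello, which the filter itself does not do. The function names `hello_version` and `make_segment` are hypothetical, and the segments are constructed sample data, not captured traffic.

```python
import struct

# Version codes from the answer's list, plus the SSLv3 value used in its filter.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
HELLO_TYPES = {1: "ClientHello", 2: "ServerHello"}


def hello_version(segment: bytes):
    """Return (hello type, version name) for a TCP segment that starts with a
    TLS ClientHello/ServerHello, or None for any other segment."""
    if len(segment) < 20:
        return None
    data_offset = (segment[12] >> 4) * 4      # same arithmetic as (tcp[12]>>4)*4
    payload = segment[data_offset:]
    if len(payload) < 11:
        return None
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if payload[0] != 0x16 or payload[5] not in HELLO_TYPES:
        return None
    (version,) = struct.unpack("!H", payload[9:11])   # the bytes the filter matches
    return HELLO_TYPES[payload[5]], VERSIONS.get(version, hex(version))


def make_segment(hello_type: int, version: int, tcp_options: bytes = b"") -> bytes:
    """Build a constructed TCP segment holding a minimal hello (sample data only)."""
    if len(tcp_options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    header_words = 5 + len(tcp_options) // 4
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, 1, 1, header_words << 4, 0x18, 65535, 0, 0)
    body = struct.pack("!H", version) + bytes(32) + b"\x00"  # version, random, empty session id
    handshake = bytes([hello_type]) + len(body).to_bytes(3, "big") + body
    # The record-layer version (offset 1) is set to 0x0301 on purpose: it can
    # differ from the hello version at offset 9, which is why the filter uses +9.
    record = b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake
    return tcp + tcp_options + record
```

A ClientHello carries the highest version the client offers, while the ServerHello carries the version chosen for the connection, so the ServerHello is the one to read when checking what an application ended up using. TLS 1.3 hellos still show 0x0303 at this offset, because the real version moves into the supported_versions extension.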


At a high level, the client and the server will negotiate which one to support as part of the SSL/TLS handshake; the highest supported version of the protocol, from both the client and the server side, wins. If the client supports the latest and greatest, which is TLS 1.2, and the server supports it as well, they will decide to use TLS 1.2. You can sniff the traffic using Wireshark or other similar packet capture tools to determine if the encrypted traffic is using SSLv3 or TLS.

guerilla7 answered Oct 10 '22 07:10