TLS version upgrade

 
laiju.c.babu
Regular Advisor

TLS version upgrade

Hi Team,

 

As per the security audit in our machine we have to update the TLS version to TLSv1.1 or TLS1.2 or disable CBC mode ciphers. In my machine how can I check the currently running TLS version? If it's a low version, could anyone please tell me how I can upgrade that version or disable CBC mode ciphers.

 

For checking the TLS version I used the below command but I didn't get any helpful output. Could you please help me on this.

 

[4]> openssl s_client -connect <hostname fgdn>:443 -ssl2
connect: Connection refused
connect:errno=239

Laiju.C.Babu
2 REPLIES
Matti_Kurkela
Honored Contributor

Re: TLS version upgrade

Usually you cannot update TLS separately from whatever application is using it.

 

For example, the Apache webserver uses the OpenSSL library for TLS/SSL support: you'll need to find out which TLS/SSL version(s) are supported by your version of Apache & OpenSSL.

 

If the OpenSSL library version already includes support for TLS1.1 or TLS1.2, changing the SSL/TLS settings in the Apache configuration may be enough to disable the weak TLS versions and/or ciphers. But if your current version of OpenSSL does not include support for TLS1.1, you must upgrade OpenSSL to a newer version - and if your current version of Apache does not support the newer OpenSSL version, you will have to upgrade Apache too.

 

Other applications, like J2EE Java Application Servers, may include their own SSL/TLS implementations: check the website, support service and/or documentation of such applications to find out how their SSL/TLS support can be controlled or upgraded.

 

> openssl s_client -connect <hostname fgdn>:443 -ssl2

 

This command attempts to connect from the local host to the port 443 of the server named <hostname fgdn>, trying the obsolete SSL version 2 first. If it says "Connection refused", it may mean several things:

 

  • maybe the server process is not running on the server right now? (it needs to be running, otherwise this command cannot connect to it and determine the SSL/TLS versions it accepts.)
  • maybe the server was there at the time of audit, but has now been uninstalled? (i.e. there is nothing to upgrade any more)
  • maybe some other security mechanism (e.g. a network firewall) is already protecting the server by rejecting the connection? (If the server is only accessible from a very limited number of secure locations, it might not be your biggest security issue after all... in that case, determine which are the actually most important issues and fix them first, then return to this server after the bigger issues have been fixed.)

Here are some example outputs from "openssl s_client":

(Note: if it looks black-on-black, select it with your mouse and copy&paste it to Notepad or similar to see the text, until the HP Community maintainers fix it)

 

$ openssl s_client -connect 192.168.42.1:443 -ssl2
CONNECTED(00000003)
18035:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

This indicates the server rejected SSL2 and cut off the connection completely.

 

Let's try again without the -ssl2 option:

~$ openssl s_client -connect 192.168.42.1:443 
CONNECTED(00000003)

<a lot of information about the server certificate here>

---
SSL handshake has read 4673 bytes and written 331 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA

<more information about the SSL/TLS session here>
---
closed

This indicates the server accepted TLS1.0, using cipher DHE-RSA-AES256-SHA, which is pretty good (although I'd have to find a way to upgrade this to TLS1.1 or better).

 

Let's see if it accepts a weak CBC mode cipher:

$ openssl s_client -cipher DES-CBC-MD5 -connect 192.168.42.1:443
CONNECTED(00000003)
10704:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:602:

Nope, that was rejected.

 

You can get a list of all ciphers supported by your openssl command line tool with the command:

$ openssl ciphers -v
MK
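As an added example (not code from this thread, from HP or from the OpenSSL project), the checks above can be scripted: probe each protocol version with openssl s_client, and classify the negotiated session from the "Protocol" / "Cipher" lines. The host and port are taken from the command line, the CBC rule is a heuristic on OpenSSL suite names (an assumption, not an OpenSSL API), and the embedded session text is a constructed sample modelled on the reply above.

```shell
#!/bin/sh
# Added example, not code from the thread: automate the s_client checks
# shown above and classify what a server negotiated.

# Version flags to try; older openssl builds lack -tls1_1/-tls1_2 and
# report "unknown option", which counts as "rejected" below.
TLS_FLAGS="-ssl3 -tls1 -tls1_1 -tls1_2"

# probe_tls HOST PORT: one handshake per flag, reporting whether the
# server accepted that protocol version (needs network access).
probe_tls() {
    for flag in $TLS_FLAGS; do
        out=$(openssl s_client -connect "$1:$2" $flag </dev/null 2>&1)
        proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
        if [ -n "$proto" ]; then printf '%s accepted (%s)\n' "$flag" "$proto"
        else printf '%s rejected\n' "$flag"; fi
    done
}

# cbc_cipher NAME: OpenSSL suite names such as DHE-RSA-AES256-SHA do not
# spell out "CBC". Heuristic (an assumption here): every suite that is
# not AEAD (GCM/CCM/CHACHA20) and not a stream/null cipher is CBC mode.
cbc_cipher() {
    case $1 in
        *GCM*|*CCM*|*CHACHA20*|*RC4*|*NULL*) return 1 ;;
        *) return 0 ;;
    esac
}

# classify_session: reads s_client output on stdin and prints
# NO-HANDSHAKE, OK, WEAK-PROTOCOL, CBC-CIPHER or both findings.
classify_session() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    # A failed handshake leaves the Cipher field empty, 0000 or (NONE).
    case $cipher in ""|0000|"(NONE)") echo NO-HANDSHAKE; return 1 ;; esac
    verdict=""
    case $proto in SSLv2|SSLv3|TLSv1) verdict="WEAK-PROTOCOL" ;; esac
    if cbc_cipher "$cipher"; then verdict="${verdict:+$verdict }CBC-CIPHER"; fi
    echo "${verdict:-OK}"
}

# Constructed sample: the TLS1.0 / DHE-RSA-AES256-SHA session from the reply above.
SAMPLE_SESSION='SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA'

if [ $# -ge 1 ]; then
    probe_tls "$1" "${2:-443}"                           # usage: sh tlscheck.sh host [port]
else
    printf '%s\n' "$SAMPLE_SESSION" | classify_session   # prints: WEAK-PROTOCOL CBC-CIPHER
fi
```

Run it with a hostname to probe a live server; with no arguments it only classifies the embedded sample, which is what an auditor flagging "TLS1.0 with CBC ciphers" would see.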
laiju.c.babu
Regular Advisor

Re: TLS version upgrade

Hi MK,

 

Thanks a lot for this detailed explanation. Now I got some idea, that if I have to upgrade this version then I have to get the help from an application guy also.

 

In my server there is no httpd service running, and when I executed the command which you mentioned (for getting the TLS version) I got the below alert:

 

Connection refused

Error no : 239.

 

Since the httpd daemons are not running, can I avoid this alert?

 

Regards

Laiju.C.Babu