11

Amazon is sunsetting SSLv3 support soon, and I am trying to verify that boto is utilizing TLS. Is there a good way to verify this? Or is there a good test to show TLS utilization?

ashchristopher
  • 25,143
  • 18
  • 48
  • 49
  • I currently have big issues because python 2.7 is getting stuck at SSL3 handshake when doing S3 stuff with boto. – skrat Apr 28 '15 at 16:42
  • 1
    See: https://github.com/boto/boto/issues/3103#issuecomment-97103125. As this states, this is not a boto issue per se but it is certainly a concern for boto users. If you have a reasonably modern version of openssl you should be ok. – garnaat Apr 29 '15 at 02:12

2 Answers2

3

As stated above, you can use a packet sniffer to determine if SSLv3 connections are being made:

# sudo tcpdump -i eth0 'tcp[((tcp[12]>>4)*4)+9:2]=0x0300'

Replace 'eth0' with the correct interface. Then test if it's working, by performing a SSLv3 connection with openssl:

# openssl s_client -connect s3.amazonaws.com:443 -ssl3

That activity should be captured by tcpdump, if network interface is correct. Finally, test your app. If it's using SSLv3 it should be visible as well. You can also change the capture filter to see what protocol is being used:

  • TLSv1 - 0x0301
  • TLSv1.1 - 0x0302
  • TLSv1.2 - 0x0303
synclabs
  • 277
  • 1
  • 4
  • 8
1

At a high-level, the client and the server will negotiate which one to support as part of the SSL/TLS handshake, the highest supported version of the protocol, both from the client and the server side, wins. If client supports the latest and greatest which is TLS 1.2 and the server supports it as well, they will decide to use TLS 1.2. You can sniff the traffic using Wireshark or other similar packet capture tools to determine if the encrypted traffic is using SSLv3 or TLS.

guerilla7
  • 77
  • 1
  • 8