How to verify if TLS1.0 and TLS1.1 is disabled in CA PAM

Products

CA Privileged Access Manager - Cloakware Password Authority (PA) CA Privileged Access Manager (PAM)

Issue/Introduction

After following the KB article: 129888 how can it be verified that the TLS1.0/TLS1.1 are disabled?

Environment

All supported versions of CA PAM

Resolution

Follow the below steps to verify the same

Option A: Using nmap

NMAP is a powerful network scanning tool that includes scripts to probe and gather information about remote systems. It can also check the TLS version supported by a server.

The first step is to install nmap in case it is already not installed.

Excute the following command to know the TLS version that is currently enabled and also display the supported ciphers
nmap -p 443 --script ssl-enum-ciphers <IP/hostname of CA PAM Server>

Expected output:

Option B: Using openssl (OpenSSL is a powerful command-line tool for cryptographic operations, including checking the TLS version supported by a system)

1) openssl s_client -connect <IP/hostname of CA PAM Server>:443 -tls1_1

Expected output: (When TLS 1.0/1.1 is disabled)

openssl s_client -connect <IP/hostname of CA PAM Server>:443 -tls1_1
CONNECTED(00000003)
80CB7E52D67F0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1586:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 104 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1726479242
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---

Expected output for TLS 1.2 enabled verification: (In here using the self signed certificate for the purpose of demo)

openssl s_client -connect <IP/hostname of CA PAM Server>:443 -tls1_2
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = US, O = CA, CN = xceedium.com
verify error:num=18:self-signed certificate
verify return:1
depth=0 C = US, O = CA, CN = xceedium.com
verify return:1
---
Certificate chain
0 s:C = US, O = CA, CN = xceedium.com
i:C = US, O = CA, CN = xceedium.com
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA512
v:NotBefore: Jul 27 17:35:00 2022 GMT; NotAfter: Jul 27 17:35:00 2027 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBozCCAUigAwIBAgIJAIJusCCFTwDqMAoGCCqGSM49BAMEMDExCzAJBgNVBAYT
..................
GamChwIhALvSmwwDkoiznEFfisCeuS+f4G3EwHuEYeZkIiNl2n7U
-----END CERTIFICATE-----
subject=C = US, O = CA, CN = xceedium.com
issuer=C = US, O = CA, CN = xceedium.com
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 889 bytes and written 314 bytes
Verification error: self-signed certificate
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES256-GCM-SHA384
Session-ID: 0A079A02CFF5C2285A1EFB1BF1E00F3B34C5D8807E1DBB62DDC0674D922B9F88
Session-ID-ctx:
Master-Key: 1AB9EA2F81EC24DF79738F8B458AC384B14DF44009099C5EDA007A5CC8A1F3CE625CE160AD3541D751A6FBD51D42E787
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - d4 ad 96 0d 07 b4 37 1a-55 59 24 ac 98 ee 5b a4 ......7.UY$...[.

0090 - 00 00 00 00 00 00 00 00-00 00 00 ...........

Start Time: 1726479367
Timeout : 7200 (sec)
Verify return code: 18 (self-signed certificate)
Extended master secret: yes
---