Applies to:
Venafi TPP 15.3.x - 17.3.x
Summary:
Network Certificate Validation can determine which SSL/TLS protocols are in use on each validated endpoint. To see the details, you must first enable the setting.
To enable the setting:
In Aperture (note: in 16.3 and higher this option is enabled by default):
- Click on Configuration
- Click on Folders
- Click on Policy
- Click on Certificate Policy
- Scroll down to the checkbox called Detect all supported SSL/TLS protocols
This will enable the data to be collected. You will now be able to click on each successfully validated certificate, determine the protocol and take further action if needed.
More Info:
If you would like to extract the data in bulk this is also possible. The details below can help:
Our REST API can export the protocol results we have detected, but it can be very slow with large data sets because it does not use the recursive option of the methods. The recommendation is to use a database query to get the raw data quickly and then feed it into a script that parses the protocol result from the Validation Results and translates it into the human-readable format.
1. Attached below is the sample REST API
2. Below is a sample Database Script:
select o.Parent + '\' + o.Name as ObjectDN, c.AttributeValue as ValidationResults
from config_objects o, config_contains c
where o.GUID = c.GUID and c.Attribute = 'Validation Results'
order by ObjectDN;
The first and second “columns” of the ValidationResults are the scanned endpoint IP and port, respectively, and the third “column” is the protocol detection result which is a bit mask representing each of the five protocols. The following table lists the conversion from numeric value to the human readable format.
| Value | Protocols |
|---|---|
| 12 | SSL 2.0 |
| 48 | SSL 3.0 |
| 60 | SSL 2.0, SSL 3.0 |
| 192 | TLS 1.0 |
| 204 | SSL 2.0, TLS 1.0 |
| 240 | SSL 3.0, TLS 1.0 |
| 252 | SSL 2.0, SSL 3.0, TLS 1.0 |
| 768 | TLS 1.1 |
| 780 | SSL 2.0, TLS 1.1 |
| 816 | SSL 3.0, TLS 1.1 |
| 960 | TLS 1.0, TLS 1.1 |
| 828 | SSL 2.0, SSL 3.0, TLS 1.1 |
| 972 | SSL 2.0, TLS 1.0, TLS 1.1 |
| 1008 | SSL 3.0, TLS 1.0, TLS 1.1 |
| 1020 | SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1 |
| 3072 | TLS 1.2 |
| 3084 | SSL 2.0, TLS 1.2 |
| 3120 | SSL 3.0, TLS 1.2 |
| 3264 | TLS 1.0, TLS 1.2 |
| 3840 | TLS 1.1, TLS 1.2 |
| 3132 | SSL 2.0, SSL 3.0, TLS 1.2 |
| 3276 | SSL 2.0, TLS 1.0, TLS 1.2 |
| 3852 | SSL 2.0, TLS 1.1, TLS 1.2 |
| 3312 | SSL 3.0, TLS 1.0, TLS 1.2 |
| 3888 | SSL 3.0, TLS 1.1, TLS 1.2 |
| 4032 | TLS 1.0, TLS 1.1, TLS 1.2 |
| 3324 | SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.2 |
| 3900 | SSL 2.0, SSL 3.0, TLS 1.1, TLS 1.2 |
| 4044 | SSL 2.0, TLS 1.0, TLS 1.1, TLS 1.2 |
| 4080 | SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2 |
| 4092 | SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2 |
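
A script of the kind recommended above, as an added example (not Venafi's own code): it decodes the bit mask using the single-protocol values from the table and lists the endpoints that still accept anything older than TLS 1.2. The comma delimiter, the sample rows and the choice of which protocols count as legacy are assumptions; the page does not state the field separator, so it is a parameter.

```python
# Mask values come from the single-protocol rows of the table on this page.
PROTOCOL_MASKS = ((12, "SSL 2.0"), (48, "SSL 3.0"), (192, "TLS 1.0"),
                  (768, "TLS 1.1"), (3072, "TLS 1.2"))
# Assumption (not from the page): everything older than TLS 1.2 needs follow-up.
LEGACY = {"SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1"}


def decode_protocols(value):
    """Return (protocol names, leftover bits that match no table entry)."""
    names, leftover = [], value
    for mask, name in PROTOCOL_MASKS:
        if value & mask == mask:
            names.append(name)
            leftover &= ~mask
    return names, leftover


def parse_validation_result(raw, delimiter=","):
    """Split one ValidationResults value into IP, port and decoded protocols."""
    # Assumption: `delimiter` separates the columns; the page does not name it.
    fields = [f.strip() for f in raw.split(delimiter)]
    if len(fields) < 3:
        raise ValueError(f"expected IP, port and mask, got {raw!r}")
    names, leftover = decode_protocols(int(fields[2]))
    return {"ip": fields[0], "port": int(fields[1]), "protocols": names,
            "legacy": [n for n in names if n in LEGACY],
            "unrecognized_bits": leftover}


def legacy_endpoints(rows, delimiter=","):
    """Return (ObjectDN, parsed result) for rows exposing a legacy protocol."""
    parsed = ((dn, parse_validation_result(raw, delimiter)) for dn, raw in rows)
    return [(dn, result) for dn, result in parsed if result["legacy"]]


# Constructed sample rows in the shape the SQL query returns
# (ObjectDN, ValidationResults); names and addresses are made up.
SAMPLE_ROWS = [
    (r"\VED\Policy\Example\app1.example.test", "192.0.2.10,443,3072"),
    (r"\VED\Policy\Example\app2.example.test", "198.51.100.7,8443,4032"),
    (r"\VED\Policy\Example\app3.example.test", "203.0.113.5,443,60"),
]

if __name__ == "__main__":
    for dn, result in legacy_endpoints(SAMPLE_ROWS):
        print(dn, result["ip"], result["port"], ", ".join(result["legacy"]))
```

A non-zero `unrecognized_bits` means the value is not one of the combinations in the table and should be reviewed by hand rather than trusted.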