Issue
Ensure a version of TLS is disabled using OpenSSL
Product Line
EcoStruxure Building Operation
Environment
- Enterprise Central
- Enterprise Server
- Automation Server
Cause
There is a need to verify that a TLS version is disabled on an EBO server, in case of an incorrect text entry.
Resolution
The TLS protocols that are set to be disabled can be checked in WorkStation Control Panel's Security Settings or in the Device Administrator SSL Security Settings tab. If the required version is not disabled, consult Disabling TLS and SSH.
Once the protocol is set to disabled, follow the steps below to verify it using OpenSSL:
- Open a command prompt and change directory to the OpenSSL folder.
- If OpenSSL is not available, consult OpenSSL installed with EBO, or install OpenSSL as described in Ensuring the SSL Host Certificate and key file are a matching pair.
- To check whether a TLS version is disabled, enter the command openssl s_client -connect 'server address':'port' -'TLS version'. For example, if the server IP address is 192.168.5.95 and the port is 443:
- openssl s_client -connect 192.168.5.95:443 -tls1
- openssl s_client -connect 192.168.5.95:443 -tls1_1
- openssl s_client -connect 192.168.5.95:443 -tls1_2
- openssl s_client -connect 192.168.5.95:443 -tls1_3
- If an error is returned (1) and no certificates are available (2), then the TLS version is Disabled.
- If a certificate chain (3) and certificate details (4) are returned, the TLS version is Enabled. The image illustrates only the start of the returned information; more will be available.
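The check in the steps above as a script, added here as an example; it is not part of the original article or of the product's tooling. It assumes a POSIX shell (for example Linux or Git Bash) with openssl on the PATH, and the function names and sample outputs are constructed. It reports INCONCLUSIVE when no TCP connection was made or when the local OpenSSL refused to offer the version, since both cases also end in an error with no certificate.

```shell
#!/bin/sh
# Added example (hypothetical function names); assumes openssl is on PATH.

# Read s_client output on stdin; print ENABLED, DISABLED or INCONCLUSIVE.
classify_s_client() {
    out=$(cat)
    case $out in
        *"CONNECTED("*) ;;                  # TCP connection was made
        *) echo INCONCLUSIVE; return ;;     # wrong address/port, or option rejected
    esac
    case $out in                            # local openssl would not offer this version
        *"no protocols available"*) echo INCONCLUSIVE; return ;;
    esac
    case $out in
        *"Certificate chain"*"BEGIN CERTIFICATE"*) echo ENABLED ;;
        *"no peer certificate available"*)         echo DISABLED ;;
        *)                                         echo INCONCLUSIVE ;;
    esac
}

# Run the four checks from the article against host ($1) and port ($2).
check_tls_versions() {
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        result=$(openssl s_client -connect "$1:$2" "-$v" </dev/null 2>&1 | classify_s_client)
        printf '%-7s %s\n' "$v" "$result"
    done
}

# Constructed, abbreviated sample outputs used when no server is given.
SAMPLE_DISABLED='CONNECTED(00000003)
error: handshake failure (constructed line)
---
no peer certificate available
---'
SAMPLE_ENABLED='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ebo-server.example
---
Server certificate
-----BEGIN CERTIFICATE-----
(constructed, truncated)'

if [ $# -eq 2 ]; then
    check_tls_versions "$1" "$2"
else
    printf '%s\n' "$SAMPLE_DISABLED" | classify_s_client   # DISABLED
    printf '%s\n' "$SAMPLE_ENABLED"  | classify_s_client   # ENABLED
fi
```

Saved as a file and run with the server address and port as its two arguments, it prints one line per TLS version; an INCONCLUSIVE result should be rechecked by hand rather than treated as Disabled.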
For additional information, search for "OpenSSL s_client" in a web browser. The s_client command can be used to test TLS server connectivity, check TLS/SSL version support, check cipher suites, and verify server certificates.