How to limit accepted SSL/TLS versions when using Sim800 - ssl

I'm using sim800 module to connect to a server using TLS. Due to a security policy in our company, the module must not continue the connection establishment if the remote host tries to use and older version of SSL/TLS.
Is there a command or setting in sim800 that can be used to choose the TLS/SSL version when connecting to a server?
*I have searched its SSL and AT command manuals and couldn't find anything useful.

There's a TLS firmware of sim800 and you can upgrade to it, this firmware use TLS version 1.2 but you can't select the version of TLS,infact sim800 use latest version of TLS that firmware supported.
TLS Firmware version
1418B09SIM800C24_TLS

Related

Python Code to check the minimum TLS version of the Server

I am trying to build a code to check the TLS version of the servers. We have some servers whose TLS version are using v1.0 as a minimum requirement but those can still negotiate with v1.2.
I am trying to check which are all our servers who still negotiate with v1.0

Replace default TLS stack for OpenSSL in Windows

Recently, we have encountered a problem while installing one of our applications for a customer. During installation the application needs to perform some requests to our cloud service and we realised it could not establish HTTPS connection: the very TLS handshake failed. After researching a bit we found the server was a Windows Server 2008 which does not support TLS v1.2, which is the minimum required to connect to our servers. There are some workarounds (this one, for instance) but none of them worked. In addition, we cannot install any update to that windows due to customer policies.
While looking for a solution, using wireshark, we noticed that our program tried to connect using TLS v1.2 and failed, but Chrome browser was able to connect to the same cloud server using TLS v1.3, which is not even supported in Windows Server 2008. From that we deduced that Chrome is likely using its own TLS stack to establish the connection.
I am wondering that if Chrome is doing that, we should also be able to do the same. The application is developed in .Net Core and I have googled a lot looking for information on how to do this, and I've found lots of information on how to configure TLS certificates in .Net Core, but none on replacing the TLS stack with, say, OpenSSL or others. I do know this is possible in Java, so is it possible to replace the TLS stack in .Net core?
.NET Core itself doesn't let you plug in your own crypto stack.
You pointed to Bouncy Castle as an example of Java letting you use an alternate crypto stack; there's a port of Bouncy Castle to C#/.NET as well.
Their source code has a test case that demonstrates how to write a TLS client using Bouncy Castle:
https://github.com/bcgit/bc-csharp/blob/master/crypto/test/src/crypto/tls/test/TlsClientTest.cs

TLS1.3 version mismatch

I want to capture a sample SSL traffic with wireshark, which it's version is TLS1.3(newest version). I enabled the TLS 1.3(draft23) flag in chrome browser, and also update my wireshark to version 2.6.2.
then I start to open some sites like https://gmail.com and https://www.thesslstore.com which supports this version and capture the traffic.
but when I open the captured traffic, the version of SSL header is TLS1.0 or TLS1.3 while in the section of the protocol in the top of window, TLSv1.3 is showed.
There are routers, gateways, etc. that look at this header. Because TLS 1.3 is somewhat new, you will often see older TLS versions specified. I most often see TLS 1.2, but my code talks to AWS - that may be their standard.

How to know the TLS version install and how to upgrade to TLS v1.3

I have a Ubuntu 16.04 Server and I would like to know witch version of TLS is already installed on my server.
And how to upgrade to version 1.3 if version version is under v1.3
Thank you
While you don't specify it you are probably asking about the TLS support in your web and/or mail server. For the common servers on Linux the support is implemented with OpenSSL. Since you are using Ubuntu 16.04 you by default have OpenSSL version 1.0.2 which supports TLS up to TLS 1.2. But note that configuration of the servers might cause the actual protocol support to be limited.
There is no official TLS 1.3 yet, i.e. the protocol is still not finalized. Support for TLS 1.3 is expected to be available in OpenSSL 1.1.1 which is still in development.
Sniffing the packets with some application like Wireshark would reveal the information; the protocol version used in a connection is in the ServerHello message or
use http://ssl-checker.online-domain-tools.com tool to verify
I would suggest that you use the SSL test website by Qualys. If you ran your webserver with SSLProtocol +All for just a quick test, it would tell you what SSLProtocols are being served with your pages and a recommendation on which ones should and should not be used.
On a side note, I made a recurring task to test my sites; I found something even today that had changed since I last checked 3 months ago.
https://www.ssllabs.com/ssltest/index.html

How can I tell what version my SSL supports?

I have a security requirement checklist that requires the following:
SSL must be configured to support only SSL version 3 or TLS version
How can I tell what version my SSL supports? I'm using openssl.
If you are developing software using OpenSSL the choice of what particular instance of the protocol (SSL2, SSL3, TLS1) is permitted is established by the context that you make for creating SSL objects. Here is the minimal example of setting up a context that supports only TLS1:
new_ctx = SSL_CTX_new (TLSv1_server_method ());
If you want to support SSL3 and above, you'd use:
new_ctx = SSL_CTX_new (SSLv23_method ());
SSL_CTX_set_options (new_ctx, SSL_OP_NO_SSLv2);
This only scratches the surface, but maybe will point you in the right direction.