System SSL/TLS protocol version counters

The System Service Tools Advanced Analysis command SSLCONFIG can be used to turn on System SSL/TLS protocol version counters. The counters show protocols that are actively being negotiated by System SSL/TLS.

If you want to determine the System SSL/TLS protocols that are used on your system, you can use SSLCONFIG option connectionCounts. When enabled, SSLCONFIG option connectionCounts keeps a running count of new System SSL/TLS connections that are grouped by the negotiated SSL/TLS protocol. There is a slight performance cost to count the connections.

SSLCONFIG option -h displays the help panel that describes how to use SSLCONFIG option connectionCounts.

The following steps can be used to determine whether a particular protocol is used on your system before you disable support for the protocol.
  1. Reset the connectionCounts to clear the current protocol version counts.
    SSLCONFIG -connectionCounts:reset
  2. Track the System SSL/TLS connections to determine which protocols are used for active connections.
    SSLCONFIG -connectionCounts:enable
  3. After the connection counts run over an interval that exhibits normal System SSL/TLS traffic on your system, display the number of SSL/TLS connections by protocol type since the last reset.
    SSLCONFIG -connectionCounts:display
  4. Determine which applications are using the protocols that you would like to disable. Update each application's configuration so that it no longer uses these protocols.
    Note: The count does not provide guidance as to which application is using a particular protocol. For more information about how to determine what application uses a particular protocol, see How to determine what System SSL/TLS protocols and cipher suites are used on the system.
  5. Reset the connectionCounts to clear the current protocol version counts.
    SSLCONFIG -connectionCounts:reset
  6. After another interval that exhibits normal System SSL/TLS traffic on your system, display the number of SSL/TLS connections by protocol type since the last reset.
    SSLCONFIG -connectionCounts:display

    If the protocol to disable has a connection count of 0, you know that protocol version was not used during the monitored interval.

  7. Turn off SSL connection counting.
    SSLCONFIG -connectionCounts:disable