How to tell if boto is using SSLv3 or TLS?

2

11

Amazon is sunsetting SSLv3 support soon, and I am trying to verify that boto is utilizing TLS. Is there a good way to verify this? Or is there a good test to show TLS utilization?

Atchley answered 27/4, 2015 at 18:17 Comment(2)
I currently have big issues because Python 2.7 is getting stuck at SSL3 handshake when doing S3 stuff with boto. - Foliaceous
See: github.com/boto/boto/issues/3103#issuecomment-97103125. As this states, this is not a boto issue per se but it is certainly a concern for boto users. If you have a reasonably modern version of openssl you should be ok. - Waterman
H
1

At a high level, the client and the server will negotiate which one to support as part of the SSL/TLS handshake; the highest supported version of the protocol, from both the client and the server side, wins. If the client supports the latest and greatest, which is TLS 1.2, and the server supports it as well, they will decide to use TLS 1.2. You can sniff the traffic using Wireshark or other similar packet capture tools to determine if the encrypted traffic is using SSLv3 or TLS.

Hanseatic answered 20/5, 2015 at 17:17 Comment(0)
P
3

As stated above, you can use a packet sniffer to determine if SSLv3 connections are being made:

# sudo tcpdump -i eth0 'tcp[((tcp[12]>>4)*4)+9:2]=0x0300'

Replace 'eth0' with the correct interface. Then test that it's working by performing an SSLv3 connection with openssl:

# openssl s_client -connect s3.amazonaws.com:443 -ssl3

That activity should be captured by tcpdump if the network interface is correct. Finally, test your app. If it's using SSLv3, it should be visible as well. You can also change the capture filter to see what protocol is being used:

  • TLSv1 - 0x0301
  • TLSv1.1 - 0x0302
  • TLSv1.2 - 0x0303
Prefect answered 22/5, 2015 at 5:5 Comment(0)
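
Added example (not part of the answer above, and not boto code): a Python parser for the bytes that the capture filter inspects, showing why offset 9 of the TCP payload holds the hello version, that the ServerHello rather than the ClientHello carries the version actually selected, and that a non-handshake record can also have 0x0300 at that offset. The packet bytes are constructed samples and every function name is hypothetical.

```python
import struct

# Version codes from the answer's list, plus SSLv3 (0x0300) from its filter.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
HANDSHAKE = 0x16
HELLO_TYPES = {1: "ClientHello", 2: "ServerHello"}


def classify_hello(payload: bytes):
    """Record hdr: type(1) version(2) len(2); handshake hdr: type(1) len(3); version at 9."""
    if len(payload) < 11:
        return None
    rec_type = payload[0]
    if rec_type != HANDSHAKE:
        return None  # other record types also have bytes at offset 9
    msg = HELLO_TYPES.get(payload[5])
    if msg is None:
        return None
    (version,) = struct.unpack("!H", payload[9:11])
    return msg, VERSIONS.get(version, "unknown 0x%04x" % version)


def negotiated(payloads):
    """Version the server selected: the ServerHello value, not the client's offer."""
    for p in payloads:
        hit = classify_hello(p)
        if hit and hit[0] == "ServerHello":
            return hit[1]
    return None


def _hello(msg_type, version, rec_version=0x0301):
    # Constructed sample: hello truncated to version + 32-byte random.
    body = struct.pack("!H", version) + bytes(32)
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, rec_version, len(hs)) + hs


# Constructed capture: client offers TLSv1.2, server answers with SSLv3.
CAPTURE = [_hello(1, 0x0303), _hello(2, 0x0300, rec_version=0x0300)]
# Constructed application-data record whose bytes 9-10 happen to be 0x0300.
APP_DATA = struct.pack("!BHH", 0x17, 0x0300, 6) + b"\x00\x00\x00\x00\x03\x00"

if __name__ == "__main__":
    for p in CAPTURE:
        print(classify_hello(p))
    print("negotiated:", negotiated(CAPTURE))
```

To use it on real traffic, pass it the TCP payload of each segment from a saved capture; checking the record type and handshake type first avoids counting segments that only coincidentally match the two version bytes.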
