Ssl – Proxy server accepting TLS 1.0 and calling TLS 1.2 downstream

You can verify if server will serve TLS 1.0 if requested with the following openssl command.

openssl s_client -tls1  -brief -connect example.com:443

If connection has succeed you will see something like:

CONNECTION ESTABLISHED
Protocol version: TLSv1
Ciphersuite: DHE-RSA-AES256-SHA
Peer certificate: CN = example.com
Server Temp Key: DH, 8192 bits

If connection has failed you will see:

write:errno=104

You can test support for other protocols by issuing:

TLS v1.1: openssl s_client -tls1_1 -brief -connect example.com:443

TLS v1.2: openssl s_client -tls1_2 -brief -connect example.com:443

SSL v3: openssl s_client -ssl3 -brief -connect example.com:443

Please keep noted that TLS 1.2 is disabled per default in Windows 2008 (see here). So you need to enable it per registry change (see below), you also need to understand that there is a client config and a server config. So if you for example enable TLS 1.2 on a client level but not on a server level an nMAP against port 443 will not show that TLS 1.2 is enabled as its only enabled for a client.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

What you need here hardly depends on your application and how it interacts with a remote service. So for example if the 3rd party application will use a https session towards your environment then this would be a server side configuration. However if you have a 3rd party plugin running as a service which perform connections against the 3rd party server then this is a client configuration.

Additionally there is a hotfix which allows applications and services that are written by using WinHTTP for Secure Sockets Layer (SSL) connections to use TLS 1.1 or TLS 1.2 protocols which you should install (it not already done as this is a older fix; see here).

Additionally if the 3rd party component didn´t make use from the Microsoft SCHANNEL implementation any changes on the registry side will not work. Because it could be that the 3rd party component are using another SSL implementation like OpenSSL. In that case you need to get in contact with the vendor to check how you can enable TLS 1.2 here. This for example is also true when using Java components (e.g. TomCat). Then adjusting the Microsoft SCHANNEL implementation will not affect them.

SalesForce itself has a very good documentation from the above in much more details then I could give here. So you should check that out as well (see here). Additional they offer multiple "how to test" way to test the TLS configuration which you can then perform.