CSS ssl-server cipher change

a.veschak
Level 1

Hello,

I have a CSS11506 with an SSL proxy list running successfully... but I would like to change to a different cipher suite.

I am currently using cipher rsa-export-with-rc4-40-md5 and would like to move to something with a higher cipher level.

My question is, what do I need to consider to accomplish this change? Can I still utilize my existing certificate and key pairs?

Thanks for any help.

Regards,

-Adam

Accepted Solution

sachinga.hcl
Level 4

Hi ADAM,

For changing the cipher rsa-export-with-rc4-40-md5 to a stronger one you need to make the changes in the SSL proxy list.

No modifications to an SSL proxy list are permitted on an active list. Suspend the list prior to making changes, and then reactivate the SSL proxy list once the changes are complete. Once you have modified the SSL proxy list, suspend the SSL service, reactivate the SSL proxy list, and then reactivate the SSL service.

Your old certificate and key pairs can be used as they are.

You can use a maximum of 4 different certificates at a time.

Use the suspend command to suspend an active SSL proxy list.

To suspend an active SSL proxy list, enter:

(config-ssl-proxy-list[ssl_list1])# suspend

An SSL proxy list may belong to multiple SSL services (one SSL proxy list per service), and an SSL service may belong to multiple content rules. You can apply the services to content rules that allow the CSS to direct SSL requests for content.

The CSS supports one active SSL service for each SSL module in the CSS, one SSL service per slot. You can configure more than one SSL service for a slot but only a single SSL service can be active at a time.

Before you can activate an SSL proxy list, ensure that you create at least one server in the list. The CSS checks the SSL proxy list servers to verify that all of the necessary components are configured, including verification of the certificate and key pair against each other. If the verification fails, the certificate name is not accepted and the CSS logs the error message Certificate and key pair do not match and does not activate the SSL proxy list. You must either remove the configured key pair or configure an appropriate certificate.

Use the URL below for your reference:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.10/command/reference/CmdSSLC.html

Use the following URL for selecting your required cipher suite:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/configuration/ssl/guide/terminat.html#wp999114

There are various cipher suites available in the CSS for encrypting SSL traffic (if you have the SSL module, that is…). You can choose which to support and weight them in your SSL proxy list if you don't agree with Cisco's interpretation of which should be used first.

So… in summary, it appears to come down to the highest level of encryption supported between the browser and the SSL module. IE6 is the limiting factor here as far as I can tell.

Thanks and regards,

Sachin Garg

Senior Specialist Security

HCL Comnet Ltd.

Email: sachinga@hcl.in
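The CSS cipher suite names follow the TLS naming pattern visible in rsa-export-with-rc4-40-md5 above (key exchange, optional export flag, cipher, key bits, MAC). The following Python helper is an added example, not from this thread or from Cisco: it parses names of that shape and ranks candidate suites by a rough effective strength, so the replacement suite is chosen deliberately rather than by name order. Which names a given CSS release actually accepts must be taken from the linked guide; the non-export suite names used here are constructed for illustration.

```python
import re

# Ciphers whose suite names carry no explicit bit count (constructed table).
_KNOWN_BITS = {"3des": 168, "des": 56, "null": 0}


def parse_suite(name):
    """Split a CSS/TLS-style suite name into key exchange, export flag, cipher, key bits and MAC."""
    m = re.fullmatch(r"(?P<kx>[a-z0-9-]+?)(?P<export>-export)?-with-(?P<rest>[a-z0-9-]+)", name.lower())
    if not m:
        raise ValueError("unrecognised suite name: %s" % name)
    parts = m.group("rest").split("-")
    mac = parts.pop()                      # last token is the MAC: md5, sha, sha256, ...
    bits, tokens = None, []
    for p in parts:
        if p.isdigit() and bits is None:
            bits = int(p)                  # explicit key size, e.g. the 40 in rc4-40
        elif p not in ("cbc", "ede"):      # skip mode markers, keep the algorithm name
            tokens.append(p)
    cipher = tokens[0]
    if bits is None:
        bits = _KNOWN_BITS.get(cipher)
        if bits is None:
            raise ValueError("cannot infer key size for %s" % name)
    return {"kx": m.group("kx"), "export": m.group("export") is not None,
            "cipher": cipher, "bits": bits, "mac": mac}


def effective_bits(suite):
    """Rough effective strength: nominal key bits, capped for known-weak components."""
    bits = suite["bits"]
    if suite["export"]:
        bits = min(bits, 40)               # export-grade suites are deliberately crippled
    if suite["cipher"] == "rc4":
        bits = min(bits, 80)               # RC4 keystream biases: weak regardless of key size
    if suite["cipher"] == "3des":
        bits = min(bits, 112)              # meet-in-the-middle reduces 168-bit 3DES to ~112
    if suite["mac"] == "md5":
        bits = min(bits, 80)               # HMAC-MD5 is tolerated but adds no strength
    return bits


def rank_suites(names):
    """Order suite names strongest first, so export-grade suites sink to the bottom."""
    return sorted(names, key=lambda n: effective_bits(parse_suite(n)), reverse=True)


if __name__ == "__main__":
    # Constructed candidate list: the thread's current suite plus two stronger alternatives.
    for n in rank_suites(["rsa-export-with-rc4-40-md5", "rsa-with-3des-ede-cbc-sha", "rsa-with-aes-128-cbc-sha"]):
        print("%-28s %3d effective bits" % (n, effective_bits(parse_suite(n))))
```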



Sachin,

Thanks for the detailed reply... just the type of info I was looking for.

Thanks again!

-Adam
