Forcing 128-bit SSL on CSS11506?

Answered Question

We currently use a CSS11506 as our reverse proxy for all inbound SSL connections. It has the SSL mod installed.


A recent VA discovered that the CSS allows both 56-bit and 128-bit SSL connections.


Is there a way on the CSS to force only 128-bit SSL connections through?


Any help would be appreciated.


Cheers


Dave

Correct Answer by Gilles Dufour (Cisco Employee), Wed, 01/06/2010 - 00:57

Dave,


If you do not configure the SSL cipher for 56-bit encryption, the CSS will not accept this level of encryption.

The ciphers are defined as follows:


  ssl-server 1 cipher rsa-with-rc4-128-md5 192.168.20.222 81
  ssl-server 1 cipher rsa-with-rc4-128-sha 192.168.20.222 81


Here is the list of ciphers we do accept:


CSS11503-2(config-ssl-proxy-list[gdufour])# ssl-server 1 cipher ?
  all-cipher-suites
  dhe-dss-export1024-with-rc4-56-sha
  rsa-export1024-with-rc4-56-sha
  dhe-dss-export1024-with-des-cbc-sha
  rsa-export1024-with-des-cbc-sha
  dh-anon-export-with-des40-cbc-sha
  dh-anon-export-with-rc4-40-md5
  dhe-rsa-export-with-des40-cbc-sha
  dhe-dss-export-with-des40-cbc-sha
  rsa-export-with-des40-cbc-sha
  rsa-export-with-rc4-40-md5
  dhe-dss-with-rc4-128-sha
  dh-anon-with-3des-ede-cbc-sha
  dh-anon-with-des-cbc-sha
  dh-anon-with-rc4-128-md5
  dhe-rsa-with-3des-ede-cbc-sha
  dhe-rsa-with-des-cbc-sha
  dhe-dss-with-3des-ede-cbc-sha
  dhe-dss-with-des-cbc-sha
  rsa-with-3des-ede-cbc-sha
  rsa-with-des-cbc-sha
  rsa-with-rc4-128-sha
  rsa-with-rc4-128-md5


So, only configure the ones you need.


Gilles.
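The answer boils down to "whatever `ssl-server N cipher` lines you configure are the only suites the CSS will negotiate", so the practical check is to audit those lines. The script below is an added example, not code from the thread or from Cisco: it parses `ssl-server N cipher <suite> <ip> <port>` lines in the format shown in the answer, classifies each suite purely from the naming convention of the CSS suite list above (`export` = 40/56-bit export key, bare `des-cbc` = single DES at 56 bits, `dh-anon` = no server authentication, `all-cipher-suites` = everything including the weak ones), and emits the lines to negate. The sample configuration, the `no ssl-server ...` removal syntax, and the "legacy" bucket (RC4, MD5 and 3DES, which pass the 128-bit bar the question asks about but a current scanner would still flag) are my assumptions and additions, not something the original answer states.

```python
"""Audit a CSS ssl-proxy-list for cipher suites below the 128-bit bar.

Added example, not from the original thread. Assumes only the
`ssl-server <n> cipher <suite> <ip> <port>` line format shown in the
answer; the sample configuration and the `no ...` removal syntax are
assumptions.
"""
import re

# Suite names exactly as the CSS `ssl-server 1 cipher ?` help lists them.
CSS_CIPHER_NAMES = frozenset({
    "all-cipher-suites",
    "dhe-dss-export1024-with-rc4-56-sha", "rsa-export1024-with-rc4-56-sha",
    "dhe-dss-export1024-with-des-cbc-sha", "rsa-export1024-with-des-cbc-sha",
    "dh-anon-export-with-des40-cbc-sha", "dh-anon-export-with-rc4-40-md5",
    "dhe-rsa-export-with-des40-cbc-sha", "dhe-dss-export-with-des40-cbc-sha",
    "rsa-export-with-des40-cbc-sha", "rsa-export-with-rc4-40-md5",
    "dhe-dss-with-rc4-128-sha", "dh-anon-with-3des-ede-cbc-sha",
    "dh-anon-with-des-cbc-sha", "dh-anon-with-rc4-128-md5",
    "dhe-rsa-with-3des-ede-cbc-sha", "dhe-rsa-with-des-cbc-sha",
    "dhe-dss-with-3des-ede-cbc-sha", "dhe-dss-with-des-cbc-sha",
    "rsa-with-3des-ede-cbc-sha", "rsa-with-des-cbc-sha",
    "rsa-with-rc4-128-sha", "rsa-with-rc4-128-md5",
})

# Matches the cipher line format from the answer; the backend IP/port pair
# is optional so the regex also accepts a bare `ssl-server N cipher <suite>`.
CIPHER_LINE = re.compile(
    r"^\s*ssl-server\s+(?P<srv>\d+)\s+cipher\s+(?P<suite>\S+)"
    r"(?:\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<port>\d+))?\s*$"
)


def classify(suite: str) -> list[str]:
    """Reasons a suite fails the 128-bit criterion (empty list = passes).

    Driven purely by the CSS naming convention: 'export' marks 40/56-bit
    export ciphers, a bare 'des-cbc' is single DES (56-bit), and 'dh-anon'
    suites perform no server authentication at all.
    """
    issues = []
    if suite == "all-cipher-suites":
        issues.append("wildcard: enables every export and anonymous suite")
    if "export" in suite:
        issues.append("export-grade 40/56-bit key")
    elif "-with-des-cbc-" in suite:          # not 3des-ede-cbc
        issues.append("single DES, 56-bit key")
    if suite.startswith("dh-anon"):
        issues.append("anonymous DH, no server authentication")
    return issues


def legacy_notes(suite: str) -> list[str]:
    """Suites that pass the 128-bit bar but a present-day audit still flags."""
    notes = []
    if "rc4" in suite:
        notes.append("RC4")
    if suite.endswith("-md5"):
        notes.append("MD5 MAC")
    if "3des" in suite:
        notes.append("3DES")
    return notes


def audit_config(config: str) -> dict:
    """Parse `ssl-server N cipher ...` lines and bucket them by finding."""
    result = {"configured": [], "weak": {}, "legacy": {}, "unknown": [], "fix": []}
    for line in config.splitlines():
        m = CIPHER_LINE.match(line)
        if not m:
            continue
        suite = m["suite"]
        result["configured"].append(suite)
        if suite not in CSS_CIPHER_NAMES:
            result["unknown"].append(suite)   # typo or a suite this list lacks
        issues = classify(suite)
        if issues:
            result["weak"][suite] = issues
            # Assumed CSS syntax: negating the exact line drops that suite.
            result["fix"].append("no " + line.strip())
        elif legacy_notes(suite):
            result["legacy"][suite] = legacy_notes(suite)
    return result


# Constructed sample: the two lines from the answer plus one 56-bit export
# suite of the kind the vulnerability scan in the question would flag.
SAMPLE_CONFIG = """\
ssl-proxy-list ssl_list
  ssl-server 1
  ssl-server 1 cipher rsa-with-rc4-128-md5 192.168.20.222 81
  ssl-server 1 cipher rsa-with-rc4-128-sha 192.168.20.222 81
  ssl-server 1 cipher rsa-export1024-with-rc4-56-sha 192.168.20.222 81
  active
"""

if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    for suite, why in report["weak"].items():
        print(f"WEAK    {suite}: {'; '.join(why)}")
    for suite, why in report["legacy"].items():
        print(f"LEGACY  {suite}: {', '.join(why)}")
    print("Remediation:")
    for cmd in report["fix"]:
        print("  " + cmd)
```

Run it against a `show running-config` dump instead of the constructed sample to get the list of `no ssl-server ...` lines to paste back into the ssl-proxy-list; the "unknown" bucket catches misspelled suite names that the CSS CLI would have rejected anyway.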
