Forcing 128bit ssl on CSS11506 ?

dclee
Level 1

We currently use a CSS11506 as our reverse proxy for all inbound SSL connections. It has the SSL mod installed.

A recent VA discovered that the CSS allows both 56-bit and 128-bit SSL connections.

Is there a way on the CSS to force only 128-bit SSL connections through?

Any help would be appreciated.

Cheers


Dave

Accepted Solution

Gilles Dufour
Cisco Employee

Dave,

If you do not configure the SSL cipher for 56-bit encryption, the CSS will not accept this level of encryption.

The ciphers are defined as follows:

  ssl-server 1 cipher rsa-with-rc4-128-md5 192.168.20.222 81
  ssl-server 1 cipher rsa-with-rc4-128-sha 192.168.20.222 81

Here is the list of ciphers we do accept:

CSS11503-2(config-ssl-proxy-list[gdufour])# ssl-server 1 cipher ?
  all-cipher-suites
  dhe-dss-export1024-with-rc4-56-sha
  rsa-export1024-with-rc4-56-sha
  dhe-dss-export1024-with-des-cbc-sha
  rsa-export1024-with-des-cbc-sha
  dh-anon-export-with-des40-cbc-sha
  dh-anon-export-with-rc4-40-md5
  dhe-rsa-export-with-des40-cbc-sha
  dhe-dss-export-with-des40-cbc-sha
  rsa-export-with-des40-cbc-sha
  rsa-export-with-rc4-40-md5
  dhe-dss-with-rc4-128-sha
  dh-anon-with-3des-ede-cbc-sha
  dh-anon-with-des-cbc-sha
  dh-anon-with-rc4-128-md5
  dhe-rsa-with-3des-ede-cbc-sha
  dhe-rsa-with-des-cbc-sha
  dhe-dss-with-3des-ede-cbc-sha
  dhe-dss-with-des-cbc-sha
  rsa-with-3des-ede-cbc-sha
  rsa-with-des-cbc-sha
  rsa-with-rc4-128-sha
  rsa-with-rc4-128-md5

So, only configure the ones you need.

Gilles.

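The accepted answer boils down to an allow-list: the CSS only negotiates the suites that appear as `ssl-server N cipher ...` lines, so the fix is to configure only the 128-bit suites and leave the 40/56-bit export, DES and dh-anon entries out. The script below is an added example (not code from Gilles's post or from Cisco) that parses the suite names the CSS prints for `ssl-server 1 cipher ?`, classifies each by key exchange, export grade, authentication and key size, emits the allow-list lines in the form shown above, and audits an existing config for entries a VA would flag. The strength classification is my own reading of the suite names (3DES counted as 112-bit effective rather than its 168-bit nominal), and the backend IP/port and the sample config are constructed placeholders.

```python
"""Audit and generate the `ssl-server N cipher ...` allow-list of a Cisco CSS.

Added example; not code from the forum post or from Cisco. The suite names
are those the CSS prints for `ssl-server 1 cipher ?` in the post. The
strength classification is my own reading of the names, and the backend
IP/port and the sample config are constructed placeholders.
"""
import re
from dataclasses import dataclass

# Suite names exactly as listed by the CSS in the post. `all-cipher-suites`
# is a keyword rather than a suite and is handled separately in audit_config.
CSS_CIPHERS = [
    "dhe-dss-export1024-with-rc4-56-sha", "rsa-export1024-with-rc4-56-sha",
    "dhe-dss-export1024-with-des-cbc-sha", "rsa-export1024-with-des-cbc-sha",
    "dh-anon-export-with-des40-cbc-sha", "dh-anon-export-with-rc4-40-md5",
    "dhe-rsa-export-with-des40-cbc-sha", "dhe-dss-export-with-des40-cbc-sha",
    "rsa-export-with-des40-cbc-sha", "rsa-export-with-rc4-40-md5",
    "dhe-dss-with-rc4-128-sha", "dh-anon-with-3des-ede-cbc-sha",
    "dh-anon-with-des-cbc-sha", "dh-anon-with-rc4-128-md5",
    "dhe-rsa-with-3des-ede-cbc-sha", "dhe-rsa-with-des-cbc-sha",
    "dhe-dss-with-3des-ede-cbc-sha", "dhe-dss-with-des-cbc-sha",
    "rsa-with-3des-ede-cbc-sha", "rsa-with-des-cbc-sha",
    "rsa-with-rc4-128-sha", "rsa-with-rc4-128-md5",
]

_SUITE = re.compile(
    r"^(?P<kx>rsa|dhe-rsa|dhe-dss|dh-anon)(?P<exp>-export(?:1024)?)?-with-"
    r"(?P<enc>rc4-128|rc4-56|rc4-40|des40-cbc|des-cbc|3des-ede-cbc)-(?P<mac>md5|sha)$"
)
# (nominal key bits, effective bits to count in a policy decision); 3DES is
# 168-bit nominal but only ~112-bit against a meet-in-the-middle attack.
_STRENGTH = {"rc4-128": (128, 128), "rc4-56": (56, 56), "rc4-40": (40, 40),
             "des40-cbc": (40, 40), "des-cbc": (56, 56), "3des-ede-cbc": (168, 112)}


@dataclass(frozen=True)
class Suite:
    name: str
    key_exchange: str    # rsa, dhe-rsa, dhe-dss or dh-anon
    export: bool         # export-grade key material (40- or 56-bit)
    authenticated: bool  # dh-anon suites never authenticate the server
    nominal_bits: int
    effective_bits: int
    mac: str


def parse_suite(name: str) -> Suite:
    """Decompose a CSS cipher-suite name into its security-relevant parts."""
    m = _SUITE.match(name)
    if m is None:
        raise ValueError(f"unrecognised CSS cipher suite: {name!r}")
    nominal, effective = _STRENGTH[m["enc"]]
    return Suite(name, m["kx"], m["exp"] is not None, m["kx"] != "dh-anon",
                 nominal, effective, m["mac"])


def meets_policy(s: Suite, min_bits: int = 128) -> bool:
    """Authenticated, non-export, and at least min_bits of effective strength."""
    return s.authenticated and not s.export and s.effective_bits >= min_bits


def css_cipher_config(ssl_server: int, backend_ip: str, backend_port: int,
                      min_bits: int = 128) -> list:
    """Emit one `ssl-server N cipher <suite> <ip> <port>` line per suite that
    meets the policy. The CSS only negotiates configured suites, so leaving
    the weak ones out of this list is what enforces the policy."""
    return [f"ssl-server {ssl_server} cipher {s.name} {backend_ip} {backend_port}"
            for s in map(parse_suite, CSS_CIPHERS) if meets_policy(s, min_bits)]


def audit_config(config_text: str, min_bits: int = 128) -> list:
    """Return (suite, reason) for each cipher line a VA would flag. The
    `all-cipher-suites` keyword re-enables every suite, so it is always flagged."""
    findings = []
    for line in config_text.splitlines():
        m = re.match(r"^\s*ssl-server\s+\d+\s+cipher\s+(\S+)", line)
        if not m:
            continue
        suite = m.group(1)
        if suite == "all-cipher-suites":
            findings.append((suite, "enables every suite, weak ones included"))
        elif not meets_policy(parse_suite(suite), min_bits):
            findings.append((suite, "below policy"))
    return findings


# Constructed sample: a proxy list that still allows a 56-bit export suite.
SAMPLE_CONFIG = """\
ssl-proxy-list inbound
  ssl-server 1
  ssl-server 1 cipher rsa-with-rc4-128-sha 192.168.20.222 81
  ssl-server 1 cipher rsa-export1024-with-rc4-56-sha 192.168.20.222 81
  active
"""

if __name__ == "__main__":
    for suite, why in audit_config(SAMPLE_CONFIG):
        print(f"FLAG {suite}: {why}")
    print("\n".join(css_cipher_config(1, "192.168.20.222", 81)))
```

With the default 128-bit policy only the three RC4-128 suites survive; passing `min_bits=112` also admits the 3DES suites, which is what most scanners of that era counted as "strong" because they report 3DES at its 168-bit nominal size. The one configuration to watch for is `all-cipher-suites`, which appears in the `?` output above: it turns every suite back on, export and anonymous ones included, and undoes the allow-list in a single line.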


Thanks for the reply, much appreciated.

Cheers


Dave