01-05-2010 10:40 AM
We currently use a CSS11506 as our reverse proxy for all inbound SSL connections. It has the SSL mod installed.
A recent VA discovered that the CSS allows both 56-bit and 128-bit SSL connections.
Is there a way on the CSS to force only 128-bit SSL connections through?
Any help would be appreciated.
Cheers
Dave
01-06-2010 12:57 AM
Dave,
If you do not configure the SSL cipher for 56-bit encryption, the CSS will not accept this level of encryption.
The ciphers are defined as follows:
ssl-server 1 cipher rsa-with-rc4-128-md5 192.168.20.222 81
ssl-server 1 cipher rsa-with-rc4-128-sha 192.168.20.222 81
Here is the list of ciphers we do accept:
CSS11503-2(config-ssl-proxy-list[gdufour])# ssl-server 1 cipher ?
all-cipher-suites
dhe-dss-export1024-with-rc4-56-sha
rsa-export1024-with-rc4-56-sha
dhe-dss-export1024-with-des-cbc-sha
rsa-export1024-with-des-cbc-sha
dh-anon-export-with-des40-cbc-sha
dh-anon-export-with-rc4-40-md5
dhe-rsa-export-with-des40-cbc-sha
dhe-dss-export-with-des40-cbc-sha
rsa-export-with-des40-cbc-sha
rsa-export-with-rc4-40-md5
dhe-dss-with-rc4-128-sha
dh-anon-with-3des-ede-cbc-sha
dh-anon-with-des-cbc-sha
dh-anon-with-rc4-128-md5
dhe-rsa-with-3des-ede-cbc-sha
dhe-rsa-with-des-cbc-sha
dhe-dss-with-3des-ede-cbc-sha
dhe-dss-with-des-cbc-sha
rsa-with-3des-ede-cbc-sha
rsa-with-des-cbc-sha
rsa-with-rc4-128-sha
rsa-with-rc4-128-md5
So, only configure the ones you need.
Gilles.
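Added example, not part of the original posts and not Cisco code: a small audit of a saved CSS configuration that lists every configured `ssl-server ... cipher` suite below 128 bits, using the suite names from the list above. The function names, the anonymous-DH check, and the `SAMPLE` text (which reuses the two lines from the answer and adds two constructed weak entries) are assumptions for illustration.

```python
import re

# Matches the form shown in the answer: ssl-server <n> cipher <suite> [<ip> <port>]
CIPHER_LINE = re.compile(r"^\s*ssl-server\s+(\d+)\s+cipher\s+(\S+)", re.I)

def key_bits(suite):
    """Symmetric key size implied by a CSS cipher suite name, or None if unknown."""
    m = re.search(r"rc4-(\d+)", suite)
    if m:
        return int(m.group(1))
    if "des40" in suite:
        return 40
    if "3des-ede" in suite:
        return 168
    if "des-cbc" in suite:
        return 56  # single DES
    return None

def audit(config_text, min_bits=128):
    """Return [(server, suite, reason)] for each configured suite that fails policy."""
    findings = []
    for line in config_text.splitlines():
        m = CIPHER_LINE.match(line)
        if not m:
            continue
        server, suite = int(m.group(1)), m.group(2).lower()
        if suite == "all-cipher-suites":
            findings.append((server, suite, "enables every suite, including 40/56-bit"))
            continue
        bits = key_bits(suite)
        if bits is None:
            findings.append((server, suite, "unrecognised suite name"))
        elif bits < min_bits:
            findings.append((server, suite, f"{bits}-bit key"))
        elif suite.startswith("dh-anon"):
            findings.append((server, suite, "anonymous key exchange"))
    return findings

# Constructed sample: the two lines from the answer plus two weak entries for contrast.
SAMPLE = """\
ssl-server 1 cipher rsa-with-rc4-128-md5 192.168.20.222 81
ssl-server 1 cipher rsa-with-rc4-128-sha 192.168.20.222 81
ssl-server 2 cipher rsa-export1024-with-rc4-56-sha 192.168.20.222 81
ssl-server 3 cipher all-cipher-suites 192.168.20.222 81
"""

if __name__ == "__main__":
    for server, suite, reason in audit(SAMPLE):
        print(f"ssl-server {server}: {suite} -> {reason}")
```

An empty result means every configured suite meets the 128-bit minimum; confirming it from the client side with a scanner after the change is still worthwhile.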
01-06-2010 07:24 AM
Thanks for the reply, much appreciated
Cheers
Dave