
Css Ssl - spec

ravi.saini
Level 1

Hi, we have a CESG security requirement on the use of CSS SSL termination:

Requirements

a. Only ciphersuites containing CESG-approved cryptographic elements may be used to secure protectively-marked data. In the current TLS RFC, this equates to ciphersuites using Triple-DES as the data encryption algorithm, SHA-1 as the data integrity algorithm, DSA/DSS or RSA as the signature algorithm and either RSA or Ephemeral Diffie-Hellman as the key exchange algorithm.

b. For key exchange algorithms, the composite modulus size must be 1024 bits. For signature algorithms, the modulus must be 1024 bits with a 160 bit parameter

Question:-

From the Cisco datasheets, I can see that it supports Triple-DES, but is SHA-1 also supported?

It says that key size of 1024 and 2048 are supported, but no mention of parameter size – is 160 bit parameter size supported?

Any help will be appreciated.

Thanks

1 Reply

Gilles Dufour
Cisco Employee

We support SHA.

Here is the list of supported ciphers.

CSS11503(config-ssl-proxy-list[gdufour])# ssl-server 1 cipher ?
  all-cipher-suites
  dhe-dss-export1024-with-rc4-56-sha
  rsa-export1024-with-rc4-56-sha
  dhe-dss-export1024-with-des-cbc-sha
  rsa-export1024-with-des-cbc-sha
  dh-anon-export-with-des40-cbc-sha
  dh-anon-export-with-rc4-40-md5
  dhe-rsa-export-with-des40-cbc-sha
  dhe-dss-export-with-des40-cbc-sha
  rsa-export-with-des40-cbc-sha
  rsa-export-with-rc4-40-md5
  dhe-dss-with-rc4-128-sha
  dh-anon-with-3des-ede-cbc-sha
  dh-anon-with-des-cbc-sha
  dh-anon-with-rc4-128-md5
  dhe-rsa-with-3des-ede-cbc-sha
  dhe-rsa-with-des-cbc-sha
  dhe-dss-with-3des-ede-cbc-sha
  dhe-dss-with-des-cbc-sha
  rsa-with-3des-ede-cbc-sha
  rsa-with-des-cbc-sha
  rsa-with-rc4-128-sha
  rsa-with-rc4-128-md5

For the parameters, the CSS uses a slightly modified version of openssl. So, if openssl has the option to set 160 bit parameters, we will have it too.

I assume this is done by setting the appropriate option in the dhparam file.

http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a008040ad80.html#wp999050

Regards,

Gilles.
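To check the cipher list in the reply against requirement (a) from the question, here is an added example (not Cisco's or either poster's code). It takes the names exactly as printed by `ssl-server 1 cipher ?`; reading each name as `<kx>[-<auth>][-export...]-with-<cipher>-<mac>` is my assumption from those names, and it only covers part (a), not the modulus and parameter sizes in (b).

```python
# Added example (not Cisco's code): test the CSS 'ssl-server N cipher' names from
# the reply against CESG requirement (a).  Parsing each name as
# <kx>[-<auth>][-export...]-with-<cipher>-<mac> is an assumption from those names.
from typing import NamedTuple

# Cipher names as printed by 'ssl-server 1 cipher ?' in the reply above
CSS_CIPHER_NAMES = """
dhe-dss-export1024-with-rc4-56-sha rsa-export1024-with-rc4-56-sha
dhe-dss-export1024-with-des-cbc-sha rsa-export1024-with-des-cbc-sha
dh-anon-export-with-des40-cbc-sha dh-anon-export-with-rc4-40-md5
dhe-rsa-export-with-des40-cbc-sha dhe-dss-export-with-des40-cbc-sha
rsa-export-with-des40-cbc-sha rsa-export-with-rc4-40-md5
dhe-dss-with-rc4-128-sha dh-anon-with-3des-ede-cbc-sha dh-anon-with-des-cbc-sha
dh-anon-with-rc4-128-md5 dhe-rsa-with-3des-ede-cbc-sha dhe-rsa-with-des-cbc-sha
dhe-dss-with-3des-ede-cbc-sha dhe-dss-with-des-cbc-sha rsa-with-3des-ede-cbc-sha
rsa-with-des-cbc-sha rsa-with-rc4-128-sha rsa-with-rc4-128-md5
""".split()

class Suite(NamedTuple):
    name: str
    kx: str       # key exchange: RSA, DHE (ephemeral DH) or DH (anonymous)
    auth: str     # signature algorithm: RSA, DSS or ANON (no authentication)
    export: bool  # export-grade (deliberately weakened) variant
    cipher: str   # bulk cipher, e.g. 3des-ede-cbc
    mac: str      # integrity algorithm: sha (SHA-1) or md5

def parse_suite(name: str) -> Suite:
    left, right = name.split("-with-")
    toks = left.split("-")
    export = any(t.startswith("export") for t in toks)
    toks = [t for t in toks if not t.startswith("export")]
    if toks == ["rsa"]:
        kx, auth = "RSA", "RSA"        # RSA key transport, RSA-signed certificate
    elif toks[0] == "dhe":
        kx, auth = "DHE", toks[1].upper()  # ephemeral DH signed with DSS or RSA
    elif toks == ["dh", "anon"]:
        kx, auth = "DH", "ANON"        # anonymous DH: no server authentication
    else:
        raise ValueError(f"unrecognised key exchange in {name!r}")
    cipher, mac = right.rsplit("-", 1)
    return Suite(name, kx, auth, export, cipher, mac)

def meets_cesg_requirement_a(s: Suite) -> bool:
    # Triple-DES + SHA-1, RSA/DSS signature, RSA or ephemeral DH exchange, not export grade
    return (s.cipher == "3des-ede-cbc" and s.mac == "sha" and s.auth in ("RSA", "DSS")
            and s.kx in ("RSA", "DHE") and not s.export)

def compliant_suites(names=CSS_CIPHER_NAMES):
    return [n for n in names if meets_cesg_requirement_a(parse_suite(n))]
```

Note that `dh-anon-with-3des-ede-cbc-sha` has the right cipher and MAC but is rejected because anonymous DH provides no signature algorithm at all.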
