Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

SSL SHA2 support on ACE30

Good day,

Regarding the articles from Entrust and Google (Chrome) on the “sun setting” of the SHA 1 hashing algorithm. I guess that other OEM browsers will soon follow suite. What is means for SARS is that Entrust do not issue SSL certificates with SHA1 anymore, the clients SSL certificates expires in June next year and we will have to implement the new certificates on all ACE devices.

The biggest possible impact would be with eFiling season 2015 and the new SHA2 hashing algorithm that will be introduced in the updated ciphers as the new MAC. We will have to confirm that the ACE supports this new MAC and that the ACE will be able to handle the new MAC introduced. SHA 2 has six different hashing functions using longer keys (SHA224, SHA256, SHA384, SHA512, SHA512/224 & SHA512-256), stronger hash functions and additional computational rounds which will result in more processing on the ACE, this is what we need to test/cater for.

 

I see the longer keys (SHA224 to SHA 512) appear to be supported but the reference to the MAC still appears to be specific to SHA1 (this is main concern currently) but need confirmation on all points relating to SHA2.

The versions running are A5.2.1 and A.4.1.0.

 

Thanking you in advance.

Paul

 

5 REPLIES
Cisco Employee

Hi Paul,At the moment ACE

Hi Paul,

At the moment ACE supports verification of certificates signed by SHA2 and but doesn't support SHA2 as cipher suite. I am not aware of any plans to support this but i will check and get back to you.

As a workaround, you can use MD5 as cipher suite.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

New Member

Hi Kanwal, Thank you so much

Hi Kanwal,

 

Thank you so much for your responses. Would this address the new MAC to be introduced? the reference to the MAC still appears to be specific to SHA1 (SSL MAC-SHA1) from  5.1.0 SSL Guide.

Thanks again.

 

Paul.

Cisco Employee

Hi Paul,Yes it should address

Hi Paul,

Yes it should address that. This will be added: RSA_WITH_AES_128_CBC_SHA256 as per the above DDTS in A531a.

Regards,

Kanwal

Note: Please mark answers if  they are helpful.

New Member

Hi Kanmal, Thank you for the

Hi Kanmal,

 

Thank you for the prompt response. Will only get to test the codes in the QA environment post filling season, so probably early Dec or Jan 2015.

 

Thanks once again.

 

Paul

Cisco Employee

Hi Paul,With this DDTS we

Hi Paul,

With this DDTS we have below cipher suite:

CSCuo42542    ER to add support for TLS_RSA_WITH_AES_128_CBC_SHA256 on ACE

RSA_WITH_AES_128_CBC_SHA256

This is there in A531a.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

 

527
Views
5
Helpful
5
Replies
CreatePlease login to create content