
New Member

weak cipher blocking in ACE20

I tried to create an L7 class-map for blocking clients with a cipher strength of less than 128 bits on an ACE20 running software version A2(2.3).

But there was no command inside the L7 class-map called cipher for matching the cipher strength 128. The command I tried to issue was

host1/Admin(config-cmap-http-lb)#match cipher less-than 128

So I want to know whether this is possible on ACE 20 with SW version A2(2.3). Kindly suggest a way to achieve this.

I have seen some other configuration using the parameter-map, but I don't know which cipher names to allow. I want to drop all connections with less than 128 bits of cipher strength.

Can anyone help on this???

Tharun

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Re: weak cipher blocking in ACE20

By default all available ciphers will be allowed. Those are:

–RSA_EXPORT1024_WITH_DES_CBC_SHA
–RSA_EXPORT1024_WITH_RC4_56_MD5
–RSA_EXPORT1024_WITH_RC4_56_SHA
–RSA_EXPORT_WITH_DES40_CBC_SHA
–RSA_EXPORT_WITH_RC4_40_MD5
–RSA_WITH_3DES_EDE_CBC_SHA
–RSA_WITH_AES_128_CBC_SHA
–RSA_WITH_AES_256_CBC_SHA
–RSA_WITH_DES_CBC_SHA
–RSA_WITH_RC4_128_MD5
–RSA_WITH_RC4_128_SHA

To narrow that down, create a parameter-map that specifies only the strong ones. Then apply that PMAP using the ssl advanced-options keyword in your ssl-proxy service section. Something like this:

parameter-map type ssl _SSL_PMAP
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA

ssl-proxy service _SSL
  key
  cert
  chaingroup
  ssl advanced-options _SSL_PMAP

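The accepted answer hand-picks the "strong" suites from the ACE default list; the follow-up question asks whether those are all at least 128 bits. The script below is an added example, not code from the thread or from Cisco. It takes the default cipher names quoted above, derives each suite's symmetric key length from the name (an assumption: the ACE names encode the bulk cipher and key length the same way the SSL/TLS suite registry does), splits them at the thread's 128-bit threshold, and renders the resulting parameter-map block. It treats 3DES at its nominal 168 bits, as the answer does, and also keeps RSA_WITH_AES_256_CBC_SHA, which meets the threshold but is absent from the answer's parameter-map. The parameter-map name _SSL_PMAP is reused from the thread.

```python
"""Derive an ACE strong-cipher parameter-map from the default cipher list.

Added example, not part of the Cisco Support Community thread. Key lengths
are parsed from the suite names (assumption: the name carries the bulk
cipher token and, for RC4/AES/DES40, its key length in bits).
"""
import re

# ACE A2(x) default cipher list as quoted in the accepted answer (copied
# from the thread, not queried from a device).
ACE_DEFAULT_CIPHERS = [
    "RSA_EXPORT1024_WITH_DES_CBC_SHA",
    "RSA_EXPORT1024_WITH_RC4_56_MD5",
    "RSA_EXPORT1024_WITH_RC4_56_SHA",
    "RSA_EXPORT_WITH_DES40_CBC_SHA",
    "RSA_EXPORT_WITH_RC4_40_MD5",
    "RSA_WITH_3DES_EDE_CBC_SHA",
    "RSA_WITH_AES_128_CBC_SHA",
    "RSA_WITH_AES_256_CBC_SHA",
    "RSA_WITH_DES_CBC_SHA",
    "RSA_WITH_RC4_128_MD5",
    "RSA_WITH_RC4_128_SHA",
]

# Bulk-cipher tokens with no explicit length in the name.
FIXED_KEY_BITS = {
    "DES": 56,        # single DES: 56-bit key
    "3DES_EDE": 168,  # nominal 3 x 56; effective strength is about 112 bits
}
# Note: RC4 and MD5 pass a pure key-length test but are deprecated today;
# a current deployment would drop them regardless of the 128-bit threshold.


def cipher_key_bits(name):
    """Return the symmetric key length (bits) encoded in a cipher-suite name."""
    m = re.search(r"_WITH_(.+?)_(?:CBC_)?(MD5|SHA)$", name)
    if not m:
        raise ValueError("unrecognised cipher name: %s" % name)
    bulk = m.group(1)  # e.g. "RC4_56", "AES_128", "DES40", "3DES_EDE", "DES"
    if bulk in FIXED_KEY_BITS:
        return FIXED_KEY_BITS[bulk]
    digits = re.search(r"(\d+)$", bulk)
    if digits is None:
        raise ValueError("no key length in bulk cipher token: %s" % bulk)
    return int(digits.group(1))


def strong_ciphers(ciphers, min_bits=128):
    """Suites whose key length meets the threshold (the thread uses 128)."""
    return [c for c in ciphers if cipher_key_bits(c) >= min_bits]


def weak_ciphers(ciphers, min_bits=128):
    """Suites that the parameter-map will leave out, so the ACE rejects them."""
    return [c for c in ciphers if cipher_key_bits(c) < min_bits]


def render_parameter_map(pmap_name, ciphers):
    """Emit the 'parameter-map type ssl' block that allows only `ciphers`."""
    lines = ["parameter-map type ssl %s" % pmap_name]
    lines.extend("  cipher %s" % c for c in ciphers)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_parameter_map("_SSL_PMAP", strong_ciphers(ACE_DEFAULT_CIPHERS)))
    print("\n! suites below 128 bits, not in the map and therefore refused:")
    for c in weak_ciphers(ACE_DEFAULT_CIPHERS):
        print("!   %s (%d bits)" % (c, cipher_key_bits(c)))
```

Run it and paste the printed parameter-map into the ssl-proxy service as the answer describes; the commented trailer lists what a client limited to those suites will no longer be able to negotiate, which is the behaviour the later replies confirm.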
5 REPLIES

New Member

weak cipher blocking in ACE20

Hi Marvin,

Is it possible to create a class-map with an SSL parameter in ACE 20 with SW version A2(2.3)?

I have seen the sorted list of the strong ciphers. Are those all greater than 128 bits? By creating this parameter map, will it affect any users coming with more than 128 bits of cipher strength?

Tharun

Hall of Fame Super Silver

weak cipher blocking in ACE20

Actually I adapted my commands above from an ACE-20 I had running A2(1.6a). They should be fine on an ACE-20 with A2(2.3) as well.

Users with ciphers greater than or equal to 128-bits will not be affected by the above. Users presenting requests with less than 128-bit ciphers will not be able to make the SSL connection.

New Member

weak cipher blocking in ACE20

Parameter mapping is working fine on the device, but I want to know whether I can create an L7 class-map for blocking clients with a cipher strength of less than 128 bits on an ACE20 running software version A2(2.3).

But there was no command inside the L7 class-map called cipher for matching the cipher strength 128. The command I tried to issue was

host1/Admin(config-cmap-http-lb)#match cipher less-than 128

Thanks

Cisco Employee

weak cipher blocking in ACE20

Hi Tharun,

If the ciphers requested by the customer are not in the SSL parameter map you defined, then the connection would be blocked. There is no need for an L7 class-map to do this (and in fact, it's not possible to use one).

Daniel
