New Member

Weak ciphers

I want to disallow HTTPS requests to content VIPs with weak ciphers. This is for PCI DSS compliance. I'm thinking I can use a parameter map, but I haven't thought it all through. Has anyone done something similar who can share a config example? If so, much appreciated.

1 ACCEPTED SOLUTION

Bronze

Weak ciphers

Hi Jeff,

As you mentioned, you need to create a parameter-map type SSL and then add it under your ssl-proxy service. Like this:

parameter-map type ssl Strong_Ciphers
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA

ssl-proxy service Secure-Web
  cert mycert.crt
  key newkey.pem
  ssl advanced-options Strong_Ciphers

The ACE will offer you the list of supported ciphers so you can choose all you need and also assign a priority.

HTH

Pablo

4 REPLIES
New Member

Re: Weak ciphers

Yes. Exactly what I needed to know. The docs I've read didn't really make it that clear. I'll go in and mark it answered.

Thanks,

Jeff Witkowski

Network Engineer

AAA Life Insurance Company

Tel: 734-779-2033

In reply to "pablo.nxh", 01/26/2012 01:19 PM, subject "Re: Weak ciphers"

New Member

Re: Weak ciphers

Hi,

Can we do this on ACE module?

I want to drop the clients with a cipher length less than 128 bits. Can I follow this procedure? Can you please tell me the whole procedure to achieve this?

Tharun

New Member

Weak ciphers

I used this advice on my ACE appliances and it worked great. Quite simple. My config looked like so:

I created a parameter map that looks like this:

parameter-map type ssl bireports-ssl-parametermap
  cipher RSA_WITH_3DES_EDE_CBC_SHA priority 3
  cipher RSA_WITH_AES_128_CBC_SHA priority 2
  cipher RSA_WITH_AES_256_CBC_SHA

Then I added it to an existing proxy service with my certificates like so, with the last line indicating the weak cipher parameter map:

ssl-proxy service reports-proxy
  key reports2012-key.pem
  cert reports.com.cer
  chaingroup reports.com-chaingrp
  ssl advanced-options bireports-ssl-parametermap
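
An added example, not from any poster in this thread: a Python check over a saved ACE configuration that reports, for each ssl-proxy service, whether it references a parameter map through ssl advanced-options and which ciphers in that map have a nominal key length (read from the cipher name) below 128 bits. The sample configuration is constructed, the function names audit_ace_ssl and nominal_bits and the services legacy-vip and no-map-vip are hypothetical, and key length is the only criterion applied.

```python
import re

SAMPLE = """\
parameter-map type ssl Strong_Ciphers
  cipher RSA_WITH_AES_128_CBC_SHA priority 2
  cipher RSA_WITH_AES_256_CBC_SHA
parameter-map type ssl Mixed_Ciphers
  cipher RSA_EXPORT_WITH_RC4_40_MD5
  cipher RSA_WITH_DES_CBC_SHA
ssl-proxy service Secure-Web
  ssl advanced-options Strong_Ciphers
ssl-proxy service legacy-vip
  ssl advanced-options Mixed_Ciphers
ssl-proxy service no-map-vip
  cert mycert.crt
"""  # constructed sample, not taken from a real device

def nominal_bits(cipher):
    """Nominal key length read from the cipher name, or None if unrecognised."""
    if m := re.search(r"(?:AES|RC4)_(\d+)", cipher):
        return int(m.group(1))
    table = (("3DES_EDE", 168), ("DES40", 40), ("DES_CBC", 56))
    return next((bits for token, bits in table if token in cipher), None)

def audit_ace_ssl(config, min_bits=128):
    """Map each ssl-proxy service to its findings; an empty list is a pass."""
    maps, services, current = {}, {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"parameter-map type ssl (\S+)", line):
            current = maps.setdefault(m.group(1), [])       # collects ciphers
        elif m := re.fullmatch(r"ssl-proxy service (\S+)", line):
            current = services.setdefault(m.group(1), [])   # collects map refs
        elif current is not None and (m := re.fullmatch(
                r"(?:cipher (\S+)(?: priority \d+)?|ssl advanced-options (\S+))", line)):
            current.append(m.group(1) or m.group(2))
    report = {}
    for svc, refs in services.items():
        found = [] if refs else ["no ssl advanced-options: default cipher list in effect"]
        for name in refs:
            if name not in maps:
                found.append(f"parameter-map {name} is not defined")
            for c in maps.get(name, []):
                bits = nominal_bits(c)
                if bits is None or bits < min_bits:
                    found.append(f"{name}: {c} ({bits or 'unknown'} bits)")
        report[svc] = found
    return report
```

Call audit_ace_ssl() on the text of a saved running configuration; a service with an empty list references only maps whose ciphers meet the minimum length.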
