https://community.cisco.com/t5/application-networking/css-ssl-spec/m-p/538084#M10129 <HTML><HEAD></HEAD><BODY><P>We support SHA.</P><P>Here is the list of supported ciphers.</P><P></P><P>CSS11503(config-ssl-proxy-list[gdufour])# ssl-server 1 cipher ?</P><P> all-cipher-suites</P><P> dhe-dss-export1024-with-rc4-56-sha</P><P> rsa-export1024-with-rc4-56-sha</P><P> dhe-dss-export1024-with-des-cbc-sha</P><P> rsa-export1024-with-des-cbc-sha</P><P> dh-anon-export-with-des40-cbc-sha</P><P> dh-anon-export-with-rc4-40-md5</P><P> dhe-rsa-export-with-des40-cbc-sha</P><P> dhe-dss-export-with-des40-cbc-sha</P><P> rsa-export-with-des40-cbc-sha</P><P> rsa-export-with-rc4-40-md5</P><P> dhe-dss-with-rc4-128-sha</P><P> dh-anon-with-3des-ede-cbc-sha</P><P> dh-anon-with-des-cbc-sha</P><P> dh-anon-with-rc4-128-md5</P><P> dhe-rsa-with-3des-ede-cbc-sha</P><P> dhe-rsa-with-des-cbc-sha</P><P> dhe-dss-with-3des-ede-cbc-sha</P><P> dhe-dss-with-des-cbc-sha</P><P> rsa-with-3des-ede-cbc-sha</P><P> rsa-with-des-cbc-sha</P><P> rsa-with-rc4-128-sha</P><P> rsa-with-rc4-128-md5</P><P></P><P>For the parameters, the CSS uses a slightly modified version of openssl. So, if openssl has the option to set 160 bit parameters, we will have it too.</P><P>I assume this is done by setting the apppropriate option in the dhparam file.</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a008040ad80.html#wp999050" target="_blank">http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a008040ad80.html#wp999050</A></P><P></P><P>Regards,</P><P></P><P>Gilles.</P></BODY></HTML> Mon, 20 Mar 2006 14:38:36 GMT Gilles Dufour 2006-03-20T14:38:36Z https://community.cisco.com/t5/application-networking/css-ssl-spec/m-p/538083#M10128 <P>Hi we have a CESG security requirement with the use of CSS SSl termination:-</P><P></P><P>Requirements</P><P>a. Only ciphersuites containing CESG-approved cryptographic elements may be</P><P>used to secure protectively-marked data. In the current TLS RFC, this equates to</P><P>ciphersuites using Triple-DES as the data encryption algorithm, SHA-1 as the data</P><P>integrity algorithm, DSA/DSS or RSA as the signature algorithm and either RSA</P><P>or Ephemeral Diffie-Hellman as the key exchange algorithm.</P><P></P><P>b. For key exchange algorithms, the composite modulus size must be 1024 bits. For</P><P>signature algorithms, the modulus must be 1024 bits with a 160 bit parameter</P><P></P><P>Question:-</P><P> From the Cisco datasheets, I can see that it supports Triple-DES, but is SHA-1 also supported?</P><P></P><P> It says that key size of 1024 and 2048 are supported, but no mention of parameter size &#150; is 160 bit parameter size supported?</P><P></P><P>Any help will be appreciated.</P><P>Thanks</P> Mon, 20 Mar 2006 13:26:11 GMT https://community.cisco.com/t5/application-networking/css-ssl-spec/m-p/538083#M10128 ravi.saini 2006-03-20T13:26:11Z https://community.cisco.com/t5/application-networking/css-ssl-spec/m-p/538084#M10129 <HTML><HEAD></HEAD><BODY><P>We support SHA.</P><P>Here is the list of supported ciphers.</P><P></P><P>CSS11503(config-ssl-proxy-list[gdufour])# ssl-server 1 cipher ?</P><P> all-cipher-suites</P><P> dhe-dss-export1024-with-rc4-56-sha</P><P> rsa-export1024-with-rc4-56-sha</P><P> dhe-dss-export1024-with-des-cbc-sha</P><P> rsa-export1024-with-des-cbc-sha</P><P> dh-anon-export-with-des40-cbc-sha</P><P> dh-anon-export-with-rc4-40-md5</P><P> dhe-rsa-export-with-des40-cbc-sha</P><P> dhe-dss-export-with-des40-cbc-sha</P><P> rsa-export-with-des40-cbc-sha</P><P> rsa-export-with-rc4-40-md5</P><P> dhe-dss-with-rc4-128-sha</P><P> dh-anon-with-3des-ede-cbc-sha</P><P> dh-anon-with-des-cbc-sha</P><P> dh-anon-with-rc4-128-md5</P><P> dhe-rsa-with-3des-ede-cbc-sha</P><P> dhe-rsa-with-des-cbc-sha</P><P> dhe-dss-with-3des-ede-cbc-sha</P><P> dhe-dss-with-des-cbc-sha</P><P> rsa-with-3des-ede-cbc-sha</P><P> rsa-with-des-cbc-sha</P><P> rsa-with-rc4-128-sha</P><P> rsa-with-rc4-128-md5</P><P></P><P>For the parameters, the CSS uses a slightly modified version of openssl. So, if openssl has the option to set 160 bit parameters, we will have it too.</P><P>I assume this is done by setting the apppropriate option in the dhparam file.</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a008040ad80.html#wp999050" target="_blank">http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a008040ad80.html#wp999050</A></P><P></P><P>Regards,</P><P></P><P>Gilles.</P></BODY></HTML> Mon, 20 Mar 2006 14:38:36 GMT https://community.cisco.com/t5/application-networking/css-ssl-spec/m-p/538084#M10129 Gilles Dufour 2006-03-20T14:38:36Z