Query on SSL Cipher

Hi,

Can anybody help me understand how to configure a cipher on ACE? Why do we need to enable a cipher for an application?

Regards,

Thiyagu

3 Replies

Kanwaljeet Singh, Cisco Employee

Hi,

You can use a parameter map to include the ciphers that you need to negotiate during the SSL handshake.

parameter-map type ssl PARAMMAP_SSL_INITIATION
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_DES_CBC_SHA
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
  cipher RSA_EXPORT_WITH_RC4_40_MD5
  cipher RSA_EXPORT1024_WITH_RC4_56_MD5
  cipher RSA_EXPORT_WITH_DES40_CBC_SHA
  cipher RSA_EXPORT1024_WITH_DES_CBC_SHA
  cipher RSA_EXPORT1024_WITH_RC4_56_SHA
  version all

Regards,

Kanwal
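The parameter-map above lists every RSA suite the ACE can negotiate, including export-grade, RC4, single-DES and MD5-MAC suites that no client should be allowed to select. The script below is an added example (not from the thread or from Cisco): it parses that parameter-map, reports why each suite is weak, and emits a hardened map that keeps only the AES suites and pins the version to TLS1. The weakness rules and the TLS1-only policy are this example's own; the `version {all | SSL3 | TLS1}` keywords are the ACE ones, and the assumption that `version all` also enables SSLv3 is stated in a comment.

```python
"""Audit an ACE 'parameter-map type ssl' cipher list and produce a hardened copy.

Added example for the thread; the input is the parameter-map posted by Kanwal,
embedded here as constructed sample text. Not ACE code.
"""
import re
from typing import Dict, List, Tuple

# Constructed input: the parameter-map exactly as posted in the thread.
ACE_PARAMMAP = """\
parameter-map type ssl PARAMMAP_SSL_INITIATION
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_DES_CBC_SHA
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
  cipher RSA_EXPORT_WITH_RC4_40_MD5
  cipher RSA_EXPORT1024_WITH_RC4_56_MD5
  cipher RSA_EXPORT_WITH_DES40_CBC_SHA
  cipher RSA_EXPORT1024_WITH_DES_CBC_SHA
  cipher RSA_EXPORT1024_WITH_RC4_56_SHA
  version all
"""

# Substrings of an ACE cipher name that make the suite unacceptable, with the reason.
# This is the example's own policy. "_DES_" deliberately does not match "3DES_EDE".
WEAK_MARKERS: List[Tuple[str, str]] = [
    ("EXPORT", "export-grade 40/56-bit key, brute-forceable"),
    ("RC4", "RC4 keystream biases; RFC 7465 prohibits RC4 in TLS"),
    ("_DES_", "single DES, 56-bit key"),
    ("3DES", "3DES 64-bit block size (Sweet32)"),
    ("MD5", "MD5-based record MAC"),
]


def parse_parammap(text: str) -> Tuple[str, List[str], str]:
    """Return (map name, cipher names in configured order, version keyword)."""
    name, ciphers, version = "", [], ""
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"parameter-map type ssl (\S+)$", line):
            name = m.group(1)
        elif m := re.match(r"cipher (\S+)$", line):
            ciphers.append(m.group(1))
        elif m := re.match(r"version (\S+)$", line):
            version = m.group(1)
    return name, ciphers, version


def audit(ciphers: List[str]) -> Dict[str, List[str]]:
    """Map each cipher to the list of reasons it is weak (empty list = acceptable)."""
    return {c: [why for marker, why in WEAK_MARKERS if marker in c] for c in ciphers}


def harden(text: str) -> str:
    """Rewrite the parameter-map keeping only acceptable suites and TLS1 only."""
    name, ciphers, _version = parse_parammap(text)
    keep = [c for c, reasons in audit(ciphers).items() if not reasons]
    lines = [f"parameter-map type ssl {name}"] + [f"  cipher {c}" for c in keep]
    # Assumption: on ACE 'version all' enables SSLv3 as well as TLSv1, so the
    # hardened map pins TLS1 (ACE keyword) to avoid SSLv3 (POODLE).
    lines.append("  version TLS1")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    _, suites, ver = parse_parammap(ACE_PARAMMAP)
    for suite, reasons in audit(suites).items():
        print(f"{suite:40s} {'OK' if not reasons else '; '.join(reasons)}")
    print(f"version {ver}")
    print("--- hardened ---")
    print(harden(ACE_PARAMMAP))
```

Of the eleven suites, only RSA_WITH_AES_128_CBC_SHA and RSA_WITH_AES_256_CBC_SHA survive; they are CBC/SHA-1 suites, which is the best the ACE offers, so the hardened map keeps both and relies on version TLS1 to drop SSLv3.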

Hi,

Please help me understand the function of the cipher and how to configure a cipher for a probe and for L4 and L7 class-maps.

Please share any Cisco links so I can learn more about Cisco.

Regards,

Thiyagu

The cipher is negotiated in the SSL handshake between the client and server to determine the type and level of encryption you want to use for this connection. By default all of the ciphers that the ACE supports can be used. If you want to restrict this to a specific cipher you can create the parameter-map as Kanwal suggested in the earlier post. This gets applied under the ssl-proxy service used for the ssl termination.


The sample below is only related to the cipher for the VIP and probe config. You can look over the link below on SSL termination to see how all of these pieces tie together in a full config.

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3045.shtml

parameter-map type ssl PARAMMAP_SSL_INITIATION
  cipher RSA_WITH_AES_256_CBC_SHA

ssl-proxy service test
  cert  mycert.pem
  key  mykey.pem
  ssl advanced-options PARAMMAP_SSL_INITIATION

probe https test1234
  interval 30
  passdetect interval 60
  port 443
  ssl cipher RSA_WITH_AES_256_CBC_SHA
  expect status 200 200

I hope this helps.

Best regards

Jim
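Jim's reply describes the negotiation: the client offers its suites in the ClientHello, the ACE (as the SSL server for the VIP) picks one that its parameter-map allows, and the probe acts as a client that offers exactly the one suite given by `ssl cipher`. The script below is an added model of that exchange, not ACE code and not from the thread. It encodes and decodes the `cipher_suites` vector of a ClientHello using the code points from RFC 5246 and RFC 2246 (a partial table, RSA suites only), and shows the failure mode a practitioner hits: a probe whose `ssl cipher` is not in the backend's accepted set never completes a handshake, so the server is marked down. Whether the ACE picks by server or client preference is not stated in the thread; the model uses server order, and for a single-suite probe the outcome is the same either way.

```python
"""Model of SSL cipher negotiation between a client and an ACE ssl-proxy service.

Added example; the code points are the IANA/RFC values for these RSA suites,
the negotiation rule and sample lists are this example's own.
"""
import struct
from typing import Dict, List, Optional

# ACE cipher names -> TLS cipher suite code points (partial table, RSA suites only).
CODE_POINTS: Dict[str, int] = {
    "RSA_EXPORT_WITH_RC4_40_MD5": 0x0003,
    "RSA_WITH_RC4_128_MD5": 0x0004,
    "RSA_WITH_RC4_128_SHA": 0x0005,
    "RSA_EXPORT_WITH_DES40_CBC_SHA": 0x0008,
    "RSA_WITH_DES_CBC_SHA": 0x0009,
    "RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "RSA_WITH_AES_128_CBC_SHA": 0x002F,
    "RSA_WITH_AES_256_CBC_SHA": 0x0035,
}
NAMES: Dict[int, str] = {cp: name for name, cp in CODE_POINTS.items()}

# "By default all of the ciphers that the ACE supports can be used": modelled as
# every suite in the table above (assumption; the real ACE list is longer).
DEFAULT_ACE_ALLOWED: List[str] = list(CODE_POINTS)


def encode_cipher_suites(names: List[str]) -> bytes:
    """ClientHello cipher_suites field: 2-byte length, then 2 bytes per suite."""
    body = b"".join(struct.pack("!H", CODE_POINTS[n]) for n in names)
    return struct.pack("!H", len(body)) + body


def decode_cipher_suites(data: bytes) -> List[str]:
    """Inverse of encode_cipher_suites; rejects odd or inconsistent lengths."""
    if len(data) < 2:
        raise ValueError("truncated cipher_suites vector")
    (length,) = struct.unpack("!H", data[:2])
    if length % 2 or len(data) != 2 + length:
        raise ValueError("malformed cipher_suites vector")
    return [NAMES.get(cp, f"unknown_{cp:#06x}")
            for (cp,) in struct.iter_unpack("!H", data[2:])]


def negotiate(client_hello_suites: bytes, server_allowed: List[str]) -> Optional[str]:
    """Server-preference selection: first allowed suite the client also offered.

    Returns None when there is no common suite; a real server then sends a
    handshake_failure alert and the connection never carries application data.
    """
    offered = set(decode_cipher_suites(client_hello_suites))
    for name in server_allowed:
        if name in offered:
            return name
    return None


def probe_outcome(probe_cipher: str, backend_allowed: List[str]) -> str:
    """'probe https ... ssl cipher X' offers exactly one suite to the real server."""
    hello = encode_cipher_suites([probe_cipher])
    return "PASS" if negotiate(hello, backend_allowed) else "FAIL"


if __name__ == "__main__":
    # Constructed client offer: a browser preferring AES but still listing RC4.
    browser = encode_cipher_suites(
        ["RSA_WITH_AES_256_CBC_SHA", "RSA_WITH_AES_128_CBC_SHA", "RSA_WITH_RC4_128_SHA"])
    print("default map  :", negotiate(browser, DEFAULT_ACE_ALLOWED))
    print("AES-256 only :", negotiate(browser, ["RSA_WITH_AES_256_CBC_SHA"]))
    legacy = encode_cipher_suites(["RSA_WITH_RC4_128_MD5"])
    print("legacy client:", negotiate(legacy, ["RSA_WITH_AES_256_CBC_SHA"]))
    print("probe vs AES-256 backend:",
          probe_outcome("RSA_WITH_AES_256_CBC_SHA", ["RSA_WITH_AES_256_CBC_SHA"]))
    print("probe vs AES-128 backend:",
          probe_outcome("RSA_WITH_AES_256_CBC_SHA", ["RSA_WITH_AES_128_CBC_SHA"]))
```

The last case is the one to check before restricting a backend's ciphers: the VIP's parameter-map and the probe's `ssl cipher` are independent settings, and a probe pinned to a suite the real server no longer accepts fails even though the VIP itself is healthy.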