Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1491
Views
5
Helpful
5
Replies

SSL SHA2 support on ACE30

Paul Pinto
Level 1
Level 1

‎10-10-2014 01:50 AM

Good day,

Regarding the articles from Entrust and Google (Chrome) on the “sun setting” of the SHA 1 hashing algorithm. I guess that other OEM browsers will soon follow suite. What is means for SARS is that Entrust do not issue SSL certificates with SHA1 anymore, the clients SSL certificates expires in June next year and we will have to implement the new certificates on all ACE devices.

The biggest possible impact would be with eFiling season 2015 and the new SHA2 hashing algorithm that will be introduced in the updated ciphers as the new MAC. We will have to confirm that the ACE supports this new MAC and that the ACE will be able to handle the new MAC introduced. SHA 2 has six different hashing functions using longer keys (SHA224, SHA256, SHA384, SHA512, SHA512/224 & SHA512-256), stronger hash functions and additional computational rounds which will result in more processing on the ACE, this is what we need to test/cater for.

 

I see the longer keys (SHA224 to SHA 512) appear to be supported but the reference to the MAC still appears to be specific to SHA1 (this is main concern currently) but need confirmation on all points relating to SHA2.

The versions running are A5.2.1 and A.4.1.0.

 

Thanking you in advance.

Paul

 

Labels:
0 Helpful
5 Replies 5

Kanwaljeet Singh
Cisco Employee
Cisco Employee

‎10-10-2014 05:07 AM

Hi Paul,

At the moment ACE supports verification of certificates signed by SHA2 and but doesn't support SHA2 as cipher suite. I am not aware of any plans to support this but i will check and get back to you.

As a workaround, you can use MD5 as cipher suite.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

0 Helpful

Paul Pinto
Level 1
Level 1
In response to Kanwaljeet Singh

‎10-14-2014 06:06 AM

Hi Kanwal,

 

Thank you so much for your responses. Would this address the new MAC to be introduced? the reference to the MAC still appears to be specific to SHA1 (SSL MAC-SHA1) from  5.1.0 SSL Guide.

Thanks again.

 

Paul.

0 Helpful

Kanwaljeet Singh
Cisco Employee
Cisco Employee
In response to Paul Pinto

‎10-14-2014 06:23 AM

Hi Paul,

Yes it should address that. This will be added: RSA_WITH_AES_128_CBC_SHA256 as per the above DDTS in A531a.

Regards,

Kanwal

Note: Please mark answers if  they are helpful.

Paul Pinto
Level 1
Level 1
In response to Kanwaljeet Singh

‎10-14-2014 06:48 AM

Hi Kanmal,

 

Thank you for the prompt response. Will only get to test the codes in the QA environment post filling season, so probably early Dec or Jan 2015.

 

Thanks once again.

 

Paul

0 Helpful

Kanwaljeet Singh
Cisco Employee
Cisco Employee

‎10-10-2014 10:29 AM

Hi Paul,

With this DDTS we have below cipher suite:

CSCuo42542    ER to add support for TLS_RSA_WITH_AES_128_CBC_SHA256 on ACE

RSA_WITH_AES_128_CBC_SHA256

This is there in A531a.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents