01-28-2012 02:04 AM
I tried to create an L7 class-map for blocking the clients with cipher strength less than 128 in ACE20 running with software version A2(2.3).
But there was no command inside the L7 class-map called cipher for matching the cipher strength 128. The command I tried to issue was
host1/Admin(config-cmap-http-lb)#match cipher less-than 128
So I want to know whether this is possible on ACE 20 and SW version A2(2.3). Kindly suggest a way to achieve this.
I have seen some other configuration using the parameter-match, but I don't know which cipher names to allow. I want to drop all the connections with less than 128 bits cipher strength.
Can anyone help on this?
Tharun
01-28-2012 07:24 AM
By default all available ciphers will be allowed. Those are:
–RSA_EXPORT1024_WITH_DES_CBC_SHA
–RSA_EXPORT1024_WITH_RC4_56_MD5
–RSA_EXPORT1024_WITH_RC4_56_SHA
–RSA_EXPORT_WITH_DES40_CBC_SHA
–RSA_EXPORT_WITH_RC4_40_MD5
–RSA_WITH_3DES_EDE_CBC_SHA
–RSA_WITH_AES_128_CBC_SHA
–RSA_WITH_AES_256_CBC_SHA
–RSA_WITH_DES_CBC_SHA
–RSA_WITH_RC4_128_MD5
–RSA_WITH_RC4_128_SHA
To narrow that down, create a parameter-map that specifies only the strong ones. Then apply that PMAP using the ssl advanced-options keyword in your ssl-proxy service section. Something like this:
parameter-map type ssl
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
ssl-proxy service
  key
  cert
  chaingroup
  ssl advanced-options
01-29-2012 08:30 AM
Hi Marvin,
Is it possible to create a class-map with an SSL parameter in ACE 20 with the SW version A2(2.3)?
I have seen the sorted list of the strong ciphers. Are those all greater than 128 bits? By creating this parameter map, will it affect any users coming with more than 128 bits of cipher strength?
Tharun
01-29-2012 08:53 AM
Actually I adapted my commands above from an ACE-20 I had running A2(1.6a). They should be fine on an ACE-20 with A2(2.3) as well.
Users with ciphers greater than or equal to 128 bits will not be affected by the above. Users presenting requests with less than 128-bit ciphers will not be able to make the SSL connection.
01-29-2012 11:02 PM
Parameter mapping is working fine on the device, but I want to know whether I can create an L7 class-map for blocking the clients with cipher strength less than 128 in ACE20 running with software version A2(2.3).
But there was no command inside the L7 class-map called cipher for matching the cipher strength 128. The command I tried to issue was
host1/Admin(config-cmap-http-lb)#match cipher less-than 128
Thanks
01-31-2012 12:04 AM
Hi Tharun,
If the ciphers requested by the customer are not in the SSL parameter map you defined, then the connection would be blocked. There is no need for an L7 class-map to do this (and in fact, it's not possible to use one).
Daniel
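As an added example (not part of the thread and not Cisco ACE code), the script below does offline what the parameter-map answer and Daniel's reply describe: it classifies the eleven default ACE suites quoted above by the symmetric key size encoded in their names, and then audits an allowlist the way the SSL parameter map behaves, reporting which weak defaults it rejects, which strong defaults it also rejects because they are simply absent from the map, and whether any weak suite slipped in. The key-size table, the regular expression and the function names are assumptions of this script; nothing here is read from a device.

```python
"""Audit an SSL cipher allowlist by the symmetric key size encoded in each suite name.

Added example for this thread; it is not Cisco ACE code and does not talk to a device.
The suite names are the eleven ACE defaults quoted in the answer above; the key-size
table and the helper names are assumptions of this script.
"""
import re

# Nominal symmetric key size in bits, keyed by the cipher token found in the suite name.
# Assumption: 3DES is counted at its nominal 168-bit key (its effective strength is
# about 112 bits), which matches the thread's treatment of it as a strong cipher.
KEY_BITS = {
    "DES40": 40,
    "RC4_40": 40,
    "RC4_56": 56,
    "DES": 56,
    "3DES_EDE": 168,
    "RC4_128": 128,
    "AES_128": 128,
    "AES_256": 256,
}

# The default cipher list quoted in the answer above.
ACE_DEFAULT_CIPHERS = [
    "RSA_EXPORT1024_WITH_DES_CBC_SHA",
    "RSA_EXPORT1024_WITH_RC4_56_MD5",
    "RSA_EXPORT1024_WITH_RC4_56_SHA",
    "RSA_EXPORT_WITH_DES40_CBC_SHA",
    "RSA_EXPORT_WITH_RC4_40_MD5",
    "RSA_WITH_3DES_EDE_CBC_SHA",
    "RSA_WITH_AES_128_CBC_SHA",
    "RSA_WITH_AES_256_CBC_SHA",
    "RSA_WITH_DES_CBC_SHA",
    "RSA_WITH_RC4_128_MD5",
    "RSA_WITH_RC4_128_SHA",
]

# The four suites placed in the parameter-map in the same answer.
PARAMETER_MAP_CIPHERS = [
    "RSA_WITH_RC4_128_MD5",
    "RSA_WITH_RC4_128_SHA",
    "RSA_WITH_3DES_EDE_CBC_SHA",
    "RSA_WITH_AES_128_CBC_SHA",
]

# Matches RSA_WITH_x, RSA_EXPORT_WITH_x and RSA_EXPORT1024_WITH_x; the lazy group captures
# the cipher token (e.g. "RC4_56", "3DES_EDE") before the optional CBC marker and the MAC.
_SUITE_RE = re.compile(r"^RSA_(?:EXPORT(?:1024)?_)?WITH_(.+?)_(?:CBC_)?(?:SHA|MD5)$")


def key_bits(suite: str) -> int:
    """Return the nominal symmetric key size of a suite; raise ValueError if unrecognised."""
    match = _SUITE_RE.match(suite)
    if not match or match.group(1) not in KEY_BITS:
        raise ValueError(f"unrecognised cipher suite: {suite}")
    return KEY_BITS[match.group(1)]


def split_by_strength(suites, minimum_bits=128):
    """Partition suites into (at_or_above_minimum, below_minimum), preserving order."""
    strong = [s for s in suites if key_bits(s) >= minimum_bits]
    weak = [s for s in suites if key_bits(s) < minimum_bits]
    return strong, weak


def audit_allowlist(allowed, defaults=ACE_DEFAULT_CIPHERS, minimum_bits=128):
    """Describe what an allowlist does to the default set.

    A client offering only suites outside `allowed` cannot complete the handshake, so the
    audit reports the weak suites that are now rejected (the goal), any strong suites
    rejected as a side effect of being left out, and any weak suites still allowed.
    """
    rejected = [s for s in defaults if s not in allowed]
    return {
        "weak_rejected": [s for s in rejected if key_bits(s) < minimum_bits],
        "strong_rejected": [s for s in rejected if key_bits(s) >= minimum_bits],
        "weak_allowed": [s for s in allowed if key_bits(s) < minimum_bits],
    }


if __name__ == "__main__":
    strong, weak = split_by_strength(ACE_DEFAULT_CIPHERS)
    print("defaults at or above 128 bits:", strong)
    print("defaults below 128 bits:", weak)
    for label, suites in audit_allowlist(PARAMETER_MAP_CIPHERS).items():
        print(f"{label}: {suites}")
```

Running it shows the six export, DES40 and single-DES suites as the ones below 128 bits, and the audit of the four-suite map lists RSA_WITH_AES_256_CBC_SHA under strong_rejected: as the last reply says, anything not named in the parameter map is refused, whatever its strength, so a map meant only to drop weak suites should enumerate every strong suite the site still wants to accept.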