01-26-2012 08:37 AM
I want to disallow HTTPS requests to content VIPs with weak ciphers. This is for PCI DSS compliance. I'm thinking I can use a parameter map, but I haven't thought it all through. Has anyone done something similar who can share a config example? If so, much appreciated.
01-26-2012 10:18 AM
Hi Jeff,
As you mentioned, you need to create a parameter-map of type ssl and then add it under your ssl-proxy service. Like this:
parameter-map type ssl Strong_Ciphers
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
ssl-proxy service Secure-Web
  cert mycert.crt
  key newkey.pem
  ssl advanced-options Strong_Ciphers
The ACE will offer you the list of supported ciphers so you can choose all you need and also assign a priority.
HTH
__ __
Pablo
01-26-2012 10:31 AM
Yes. Exactly what I needed to know. The docs I've read didn't really make it that clear. I'll go in and mark it answered.
Thanks,
Jeff Witkowski
Network Engineer
AAA Life Insurance Company
Tel: 734-779-2033
01-26-2012 07:37 PM
Hi,
Can we do this on ACE module?
I want to drop the clients with a cipher length of less than 128 bits. Can I follow this procedure? Can you please tell me the whole procedure to achieve this?
Tharun
01-27-2012 11:55 AM
I used this advice on my ACE appliances and it worked great. Quite simple. My config looked like so:
I created a parameter map that looks like this:
parameter-map type ssl bireports-ssl-parametermap
  cipher RSA_WITH_3DES_EDE_CBC_SHA priority 3
  cipher RSA_WITH_AES_128_CBC_SHA priority 2
  cipher RSA_WITH_AES_256_CBC_SHA
Then I added it to an existing proxy service with my certificates, like so, with the last line pointing at the weak-cipher parameter map:
ssl-proxy service reports-proxy
  key reports2012-key.pem
  cert reports.com.cer
  chaingroup reports.com-chaingrp
  ssl advanced-options bireports-ssl-parametermap
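The answers above describe one procedure: build a parameter-map of type ssl listing only the suites you accept, then attach it to the ssl-proxy service with `ssl advanced-options`. Two things the thread does not show are how to decide which suites survive a "128 bits or better" rule (Tharun's question) and how to prove to an assessor that the VIP really refuses the rest. The Python below is an added example written for this page, not code from the thread or from Cisco: it filters a cipher list by effective key strength, renders the parameter-map with priorities, and probes a VIP one suite at a time. The cipher names, the ACE-to-OpenSSL name mapping and the priority semantics (1 to 10, higher preferred) are assumptions to verify against your own ACE release.

```python
import re
import socket
import ssl

# Constructed list in the ACE naming style (assumption: run `cipher ?` on your
# ACE to see the names your release actually offers).
ACE_CIPHERS = [
    "RSA_EXPORT_WITH_RC4_40_MD5",
    "RSA_EXPORT_WITH_DES40_CBC_SHA",
    "RSA_WITH_DES_CBC_SHA",
    "RSA_WITH_RC4_128_MD5",
    "RSA_WITH_RC4_128_SHA",
    "RSA_WITH_3DES_EDE_CBC_SHA",
    "RSA_WITH_AES_128_CBC_SHA",
    "RSA_WITH_AES_256_CBC_SHA",
]

# ACE-style name -> OpenSSL cipher string (assumption: confirm with `openssl ciphers -v`).
OPENSSL_NAMES = {
    "RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
    "RSA_WITH_RC4_128_SHA": "RC4-SHA",
    "RSA_WITH_RC4_128_MD5": "RC4-MD5",
    "RSA_WITH_DES_CBC_SHA": "DES-CBC-SHA",
    "RSA_EXPORT_WITH_RC4_40_MD5": "EXP-RC4-MD5",
    "RSA_EXPORT_WITH_DES40_CBC_SHA": "EXP-DES-CBC-SHA",
}


def key_bits(name):
    """Effective symmetric strength implied by a suite name. The ACE and OpenSSL
    list 3DES as 168-bit, but it is worth 112 against meet-in-the-middle, so a
    strict 128-bit policy drops it; pass min_bits=112 below to keep it."""
    if "NULL" in name:
        return 0
    if "3DES" in name:
        return 112
    m = re.search(r"AES_(128|256)", name)
    if m:
        return int(m.group(1))
    m = re.search(r"(?:RC4|DES)_?(40|56)", name)  # export-grade suites
    if m:
        return int(m.group(1))
    if "RC4_128" in name:
        return 128
    if "DES_CBC" in name:  # single DES
        return 56
    raise ValueError("unrecognised suite name: " + name)


def allowed(name, min_bits=128, banned=("NULL", "EXPORT", "RC4", "MD5")):
    """Length alone is not enough: RSA_WITH_RC4_128_* passes a pure 128-bit
    test, so weak primitives are also banned by name."""
    return not any(t in name for t in banned) and key_bits(name) >= min_bits


def render_parameter_map(map_name, ciphers, min_bits=128,
                         banned=("NULL", "EXPORT", "RC4", "MD5")):
    """ACE config lines for the map. Assumption from my reading of the ACE
    docs: priority runs 1-10, higher is preferred, so the strongest gets 10."""
    keep = sorted((c for c in ciphers if allowed(c, min_bits, banned)),
                  key=key_bits, reverse=True)
    lines = ["parameter-map type ssl %s" % map_name]
    for rank, suite in enumerate(keep):
        lines.append("  cipher %s priority %d" % (suite, max(1, 10 - rank)))
    return lines


def probe(host, port, ace_name, timeout=5.0):
    """Offer exactly one suite to the VIP. 'accepted' means it is still enabled
    on the ACE; 'rejected (<reason>)' is the goal, but check the reason is a
    handshake failure rather than a protocol-version mismatch; 'not-offered'
    means the local OpenSSL cannot enable the suite and proves nothing."""
    spec = OPENSSL_NAMES.get(ace_name)
    if spec is None:
        return "not-offered"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing negotiation, not the certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1  # ACE-era VIPs may speak only 1.0
    for s in (spec + ":@SECLEVEL=0", spec):  # SECLEVEL=0 unhides legacy suites
        try:
            ctx.set_ciphers(s)
            break
        except ssl.SSLError:
            continue
    else:
        return "not-offered"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "accepted"
    except ssl.SSLError as e:  # e.g. SSLV3_ALERT_HANDSHAKE_FAILURE
        return "rejected (%s)" % (e.reason or e)
    except OSError as e:
        return "unreachable (%s)" % e
```

`render_parameter_map("Strong_Ciphers", ACE_CIPHERS)` yields the AES-only map from Pablo's answer with explicit priorities; `min_bits=112` adds 3DES as in the second config. To verify after applying the map, call `probe(vip, 443, name)` for each name in OPENSSL_NAMES: a weak suite should come back `rejected (SSLV3_ALERT_HANDSHAKE_FAILURE)` while the AES suites are `accepted`. If everything, AES included, is rejected, look at the reason for a protocol-version mismatch before concluding the policy works, and treat `not-offered` as a limitation of the local OpenSSL build rather than a pass; an older openssl or a dedicated scanner is needed for those suites.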