Weak ciphers

jwitkow11
Level 1

I want to disallow https requests to content VIPs with weak ciphers. This is for PCI DSS compliance. I'm thinking I can use a parameter map. But I haven't thought it all through. Has anyone done similar that can share a config example? If so, much appreciated.

Accepted Solutions

pablo.nxh
Level 3

Hi Jeff,

As you mentioned, you need to create a parameter-map type SSL and then add it under your ssl-proxy service. Like this:

parameter-map type ssl Strong_Ciphers
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA

ssl-proxy service Secure-Web
  cert mycert.crt
  key newkey.pem
  ssl advanced-options Strong_Ciphers

The ACE will offer you the list of supported ciphers so you can choose all you need and also assign a priority.

HTH

Pablo

4 Replies

Yes. Exactly what I needed to know. The docs I've read didn't really make it that clear. I'll go in and mark it answered.

Thanks,

Jeff Witkowski

Network Engineer

AAA Life Insurance Company

Tel: 734-779-2033

(In reply to pablo.nxh, 01/26/2012 01:19 PM, Subject: Re: Weak ciphers)

Hi,

Can we do this on ACE module?

I want to drop the clients with the cipher length less than 128 bits, can I follow this procedure? Can you please tell me whole procedure to achieve this?

Tharun

I used this advice on my ACE appliances and it worked great. Quite simple. My config looked like so:

I created a parameter map that looks like this:

parameter-map type ssl bireports-ssl-parametermap
  cipher RSA_WITH_3DES_EDE_CBC_SHA priority 3
  cipher RSA_WITH_AES_128_CBC_SHA priority 2
  cipher RSA_WITH_AES_256_CBC_SHA

Then I added it to an existing proxy service with my certificates like so, with the last line indicating the weak cipher parameter map:

ssl-proxy service reports-proxy
  key reports2012-key.pem
  cert reports.com.cer
  chaingroup reports.com-chaingrp
  ssl advanced-options bireports-ssl-parametermap
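
As an added example (not code from the thread or from Cisco), this Python check reads a saved running-config and lists every ssl-proxy service that could still negotiate a key shorter than 128 bits, the requirement raised in the replies above. It assumes sub-commands are indented as in `show running-config` output, and that a service with no parameter map, or a map with no cipher lines, falls back to the ACE's full default cipher list; old-map, old-proxy and bare-proxy are hypothetical names.

```python
import re

# Constructed sample; old-map, old-proxy and bare-proxy are hypothetical names.
SAMPLE_CONFIG = """\
parameter-map type ssl Strong_Ciphers
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
parameter-map type ssl old-map
  cipher RSA_WITH_AES_256_CBC_SHA
  cipher RSA_WITH_DES_CBC_SHA priority 2
ssl-proxy service Secure-Web
  ssl advanced-options Strong_Ciphers
ssl-proxy service old-proxy
  ssl advanced-options old-map
ssl-proxy service bare-proxy
"""

def nominal_bits(suite):
    """Nominal key size read from the suite name, or None if unrecognised."""
    if "3DES" in suite:
        return 168
    m = re.search(r"(?:AES|RC4)_(\d+)|DES(\d+)", suite)
    if m:
        return int(m.group(1) or m.group(2))
    return 56 if "DES_CBC" in suite else None

def audit(config, min_bits=128):
    """Return (service, problem) pairs for services that could negotiate a short key."""
    maps, services, kind, cur = {}, {}, None, None
    for line in filter(str.strip, config.splitlines()):
        w = line.split()
        if not line[0].isspace():  # an unindented line starts a new top-level block
            kind = cur = None
            if w[:3] == ["parameter-map", "type", "ssl"] and len(w) == 4:
                kind, cur = "map", w[3]
                maps[cur] = []
            elif w[:2] == ["ssl-proxy", "service"] and len(w) == 3:
                kind, cur = "svc", w[2]
                services[cur] = None
        elif kind == "map" and w[0] == "cipher" and len(w) >= 2:
            maps[cur].append(w[1])
        elif kind == "svc" and w[:2] == ["ssl", "advanced-options"] and len(w) == 3:
            services[cur] = w[2]
    findings = []
    for svc, ref in services.items():
        suites = maps.get(ref, [])
        if not suites:  # assumption: the ACE then offers its full default list
            findings.append((svc, "no explicit cipher list"))
        findings += [(svc, s) for s in suites if (nominal_bits(s) or 0) < min_bits]
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports old-proxy for its single-DES suite and bare-proxy for having no cipher list, while Secure-Web passes.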
