
Cisco 11503 - CSS Content Services Switch Configuration Guide

Chapter 4 Configuring SSL Termination
Configuring Virtual SSL Servers for an SSL Proxy List
4-12
Cisco Content Services Switch SSL Configuration Guide
OL-5655-01
For each available SSL version, there is a distinct list of supported cipher suites
representing a selection of cryptographic algorithms and parameters. Your choice
depends on your environment, certificates and keys in use, and security
requirements. By default, no supported cipher suites are enabled.
The syntax for this command is:
ssl-server number cipher name ip_address or hostname port {weight number}
The options and variables are:
• ssl-server number - The number used to identify the virtual SSL server in the
SSL proxy list.
• cipher name - The name of a specific cipher suite (as listed in Table 4-1).
• ip_address or hostname - The IP address to assign to the back-end content rule
used with the cipher suite. Specify the IP address in either dotted-decimal IP
notation (for example, 192.168.11.1) or mnemonic host-name format (for
example, myhost.mydomain.com).
• port - The TCP port of the back-end content rule through which the back-end
HTTP connections are sent.
• weight number - Optional parameter. Assigns a priority to the cipher suite,
with 10 being the highest weight. By default, all configured cipher suites have
a weight of 1. When negotiating which cipher suite to use, the SSL module
selects from the client list based on the cipher suite configured with the
highest weight. A higher weight will bias towards the specified cipher suite.
To set the weight for a cipher suite, enter a number from 1 to 10. The default is 1.
For example, to select the dhe-rsa-with-3des-ede-cbc-sha cipher suite with an
assigned weight of 5, enter:
(config-ssl-proxy-list[ssl_list1])# ssl-server 20 cipher dhe-rsa-with-3des-ede-cbc-sha 192.168.11.1 80 weight 5
To remove a specific cipher suite from a specific virtual SSL server, enter:
(config-ssl-proxy-list[ssl_list1])# no ssl-server 20 cipher dhe-rsa-with-3des-ede-cbc-sha
Table 4-1 lists all supported cipher suites and values for the specific SSL server
(and corresponding SSL proxy list). Table 4-1 also lists whether those cipher
suites are exportable from the CSS, along with the authentication certificate and
encryption key required by the cipher suite.
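
The following added example (not part of the Cisco guide) parses ssl-server cipher lines in the syntax above, applies the default weight of 1, checks the 1 to 10 range, and reports weak suites that the configured weights favour during negotiation. The audit function, the WEAK fragment list, and every sample suite name except dhe-rsa-with-3des-ede-cbc-sha are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Syntax from the guide:
#   ssl-server number cipher name ip_address|hostname port {weight number}
# An optional leading CLI prompt such as "(config-ssl-proxy-list[ssl_list1])#" is tolerated.
LINE = re.compile(
    r"^\s*(?:\(\S+\)#\s*)?ssl-server\s+(?P<server>\d+)\s+cipher\s+(?P<name>\S+)\s+"
    r"(?P<host>\S+)\s+(?P<port>\d+)(?:\s+weight\s+(?P<weight>\d+))?\s*$"
)
# Assumption: name fragments treated as weak by this audit (not a list from the guide).
WEAK = ("export", "null", "rc4", "des", "md5")

def audit(config_text):
    """Return {server: [(weight, suite, [findings]), ...]}, highest weight first."""
    servers = defaultdict(list)
    for raw in config_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an ssl-server cipher line
        weight = int(m["weight"]) if m["weight"] else 1  # guide: default weight is 1
        findings = []
        if not 1 <= weight <= 10:
            findings.append("weight outside 1-10")
        hits = [t for t in WEAK if t in m["name"]]
        if hits:
            findings.append("weak: " + ",".join(hits))
        servers[int(m["server"])].append((weight, m["name"], findings))
    for entries in servers.values():
        strong = [w for w, _, f in entries if not any(x.startswith("weak") for x in f)]
        for w, _, f in entries:
            # A weak suite weighted at or above every stronger one is favoured in negotiation.
            if any(x.startswith("weak") for x in f) and strong and w >= max(strong):
                f.append("weighted at or above all stronger suites")
        entries.sort(key=lambda e: -e[0])  # stable: ties keep config order
    return dict(servers)

# Constructed sample config. Only the first suite name appears in the guide; the
# others are made-up names in the same style, so check real names against Table 4-1.
SAMPLE = """\
(config-ssl-proxy-list[ssl_list1])# ssl-server 20 cipher dhe-rsa-with-3des-ede-cbc-sha 192.168.11.1 80 weight 5
ssl-server 20 cipher rsa-with-aes-128-cbc-sha 192.168.11.1 80
ssl-server 20 cipher rsa-export-with-rc4-40-md5 192.168.11.1 80 weight 11
ssl-server 21 cipher rsa-with-aes-128-cbc-sha myhost.mydomain.com 80 weight 10
"""

if __name__ == "__main__":
    for server, entries in audit(SAMPLE).items():
        for weight, suite, findings in entries:
            print(server, weight, suite, "; ".join(findings) or "ok")
```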
