Cisco Catalyst 6500 Series Command Reference Manual page 68

policy ssl
When you enter the close-notify strict command, the SSL Services Module sends a close-notify alert
message to the SSL peer, and the SSL Services Module expects a close-notify alert message from the
SSL peer. If the SSL Services Module does not receive a close-notify alert, SSL resumption is not
allowed for that session.
When you enter the close-notify none command, the SSL Services Module does not send a close-notify
alert message to the SSL peer, and the SSL Services Module does not expect a close-notify alert message
from the SSL peer. The SSL Services Module preserves the session information so that SSL resumption
can be used for future SSL connections.
When close-notify is disabled (default), the SSL Services Module sends a close-notify alert message to
the SSL peer; however, the SSL peer does not expect a close-notify alert before removing the session.
Whether the SSL peer sends the close-notify alert or not, the session information is preserved allowing
session resumption for future SSL connections.
The cipher-suite names follow the same convention as the existing SSL stacks.
The cipher-suites that are acceptable to the proxy-server are as follows:
• all-export—All export ciphers
all-strong—All strong ciphers (default)
•
all—All supported ciphers
•
RSA-WITH-3DES-EDE-CBC-SHA—RSA with 3des-sha
•
RSA-WITH-DES-CBC-SHA—RSA with des-sha
•
RSA-WITH-RC4-128-MD5—RSA with rc4-md5
•
RSA-WITH-RC4-128-SHA—RSA with rc4-sha
•
• RSA-EXP-WITH-DES40-CBC-SHA—RSA export with des40-sha
• RSA-EXP-WITH-RC4-40-MD5—RSA export with rc4-md5
RSA-EXP1024-WITH-DES-CBC-SHA—RSA export1024 with des-sha
•
RSA-EXP1024-WITH-RC4-56-MD5—RSA export1024 with rc4-md5
•
RSA-EXP1024-WITH-RC4-56-SHA—RSA export1024 with rc4-sha
•
RSA-WITH-NULL-MD5—RSA with null-md5
•
If you enter the timeout session timeout absolute command, the session entry is kept in the session
cache for the configured timeout before it is cleaned up. If the session cache is full, the timers are active
for all the entries, the absolute keyword is configured, and all further new sessions are rejected.
If you enter the timeout session timeout command without the absolute keyword, the specified timeout
is treated as the maximum timeout and a best-effort attempt is made to keep the session entry in the
session cache. If the session cache runs out of session entries, the session entry that is currently being
used is removed for incoming new connections.
When you enter the cert-req empty command, the SSL Services Module back-end service always
returns the certificate associated with the trustpoint and does not look for a CA-name match. By default,
the SSL Services Module always looks for a CA-name match before returning the certificate. If the SSL
server does not include a CA-name list in the certificate request during client authentication, the
handshake fails.
By default, the SSL Services Module uses the maximum supported SSL protocol version (SSL2.0,
SSL3.0, or TLS1.0) in the ClientHello message. Enter the tls-rollback [current | any] command if the
SSL client uses the negotiated version instead of the maximum supported version (as specified in the
ClientHello message).
Catalyst 6500 Series Switch SSL Services Module Command Reference
2-42
Chapter 2 Commands for the Catalyst 6500 Series SSL Services Module
OL-9105-01