Chapter 4
Configuring SSL Termination
Configuring Virtual SSL Servers for an SSL Proxy List
Specifying SSL Session Handshake Renegotiation
The SSL session handshake commands send the SSL HelloRequest message to a
client to restart SSL handshake negotiation. SSL rehandshake is useful when a
connection has been established for a lengthy period of time and you want to
ensure security by reestablishing the SSL session.
Use the ssl-server number handshake data kbytes command to specify the
maximum amount of data to be exchanged between the CSS and the client, after
which the CSS transmits the SSL handshake message and reestablishes the SSL
session. By setting the data value, you force the SSL session to renegotiate a new
session key after a session has transferred the specified amount of data. Specify
an SSL handshake data value in Kbytes, from 0 (handshake disabled) to 512000.
The default is 0.
For example, to configure an SSL rehandshake message for the SSL proxy list
after a data exchange of 125000 Kbytes is reached with the client, enter:
(config-ssl-proxy-list[ssl_list1])# ssl-server 20 handshake data 125000
To disable the rehandshake data option, enter:
(config-ssl-proxy-list[ssl_list1])# no ssl-server 20 handshake data
Use the ssl-server number handshake timeout seconds command to specify a
maximum timeout value, after which the CSS transmits the SSL handshake
message and reestablishes the SSL session. Setting a timeout value forces the SSL
session to renegotiate a new session key after a session has lasted the defined
number of seconds. The selection of an SSL rehandshake timeout value is
important when using the advanced-balance ssl load-balancing method for a
Layer 5 content rule to fine-tune the SSL session ID used to stick the client to the
server. Specify an SSL handshake timeout value in seconds, from 0 (handshake
disabled) to 72000 (20 hours). The default is 0.
For example, to configure an SSL rehandshake message after a timeout value of
10 hours has elapsed, enter:
(config-ssl-proxy-list[ssl_list1])# ssl-server 20 handshake timeout 36000
To disable the rehandshake timeout option, enter:
(config-ssl-proxy-list[ssl_list1])# no ssl-server 20 handshake timeout
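Because both triggers default to 0, a virtual SSL server whose proxy list never sets handshake data or handshake timeout keeps one session key for the life of the connection. The following script is an added example, not part of this guide or of the CSS software: it parses the two commands described above (and their no forms) out of a saved proxy-list configuration, enforces the documented ranges (0 to 512000 Kbytes, 0 to 72000 seconds), and reports which trigger would rehandshake first at a given sustained throughput. The sample configuration is constructed for the example; the bare ssl-server number lines in it only register a virtual server so that servers with default settings also appear in the report. Kbytes are treated as 1000-byte units, which is an assumption.

```python
"""Audit SSL rehandshake triggers in a Cisco CSS SSL proxy-list configuration.

Commands recognised (as documented for the CSS):
    ssl-server <number> handshake data <kbytes>      (0 = disabled, max 512000)
    ssl-server <number> handshake timeout <seconds>  (0 = disabled, max 72000)
    no ssl-server <number> handshake data|timeout    (restores the default of 0)
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DATA_MAX_KBYTES = 512000      # documented upper bound for 'handshake data'
TIMEOUT_MAX_SECONDS = 72000   # documented upper bound for 'handshake timeout' (20 hours)

# One command per line, as in a saved running-config.
HANDSHAKE_RE = re.compile(
    r"^\s*(?P<neg>no\s+)?ssl-server\s+(?P<num>\d+)\s+handshake\s+"
    r"(?P<kind>data|timeout)(?:\s+(?P<value>\d+))?\s*$"
)
# A bare 'ssl-server <number>' line creates the virtual server with default settings.
SERVER_RE = re.compile(r"^\s*ssl-server\s+(?P<num>\d+)\s*$")

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
ssl-proxy-list ssl_list1
  ssl-server 20
  ssl-server 20 handshake data 125000
  ssl-server 20 handshake timeout 36000
  ssl-server 21
  ssl-server 21 handshake timeout 7200
  no ssl-server 21 handshake timeout
  ssl-server 22
"""


@dataclass
class HandshakePolicy:
    data_kbytes: int = 0       # CSS default: no data-based rehandshake
    timeout_seconds: int = 0   # CSS default: no time-based rehandshake


def parse_handshake_settings(config_text: str) -> Dict[int, HandshakePolicy]:
    """Map each ssl-server number to its effective rehandshake settings.

    Later lines override earlier ones and the 'no' form resets a trigger to 0,
    so the result reflects the last statement seen for each trigger.
    """
    policies: Dict[int, HandshakePolicy] = {}
    for line in config_text.splitlines():
        m = HANDSHAKE_RE.match(line)
        if not m:
            s = SERVER_RE.match(line)
            if s:
                policies.setdefault(int(s.group("num")), HandshakePolicy())
            continue  # any other proxy-list command is ignored here
        num = int(m.group("num"))
        policy = policies.setdefault(num, HandshakePolicy())
        if m.group("neg"):
            value = 0
        elif m.group("value") is None:
            raise ValueError(f"missing value: {line.strip()!r}")
        else:
            value = int(m.group("value"))
        kind = m.group("kind")
        limit = DATA_MAX_KBYTES if kind == "data" else TIMEOUT_MAX_SECONDS
        if not 0 <= value <= limit:
            raise ValueError(f"{kind} value {value} outside 0..{limit}: {line.strip()!r}")
        if kind == "data":
            policy.data_kbytes = value
        else:
            policy.timeout_seconds = value
    return policies


def first_trigger(policy: HandshakePolicy,
                  kbytes_per_second: float) -> Optional[Tuple[str, float]]:
    """Return (trigger, seconds_until_rehandshake) for the trigger that fires first.

    An idle connection (throughput 0) never reaches the data trigger. Returns None
    when neither trigger is armed, i.e. the CSS never renegotiates the session key.
    """
    candidates = []
    if policy.data_kbytes and kbytes_per_second > 0:
        candidates.append(("data", policy.data_kbytes / kbytes_per_second))
    if policy.timeout_seconds:
        candidates.append(("timeout", float(policy.timeout_seconds)))
    if not candidates:
        return None
    return min(candidates, key=lambda c: c[1])


if __name__ == "__main__":
    rate = 1250.0  # about 10 Mbit/s, assuming 1000-byte Kbytes
    for num, policy in sorted(parse_handshake_settings(SAMPLE_CONFIG).items()):
        hit = first_trigger(policy, rate)
        verdict = "never rehandshakes" if hit is None else f"{hit[0]} trigger after {hit[1]:.0f} s"
        print(f"ssl-server {num}: data={policy.data_kbytes} Kbytes, "
              f"timeout={policy.timeout_seconds} s -> {verdict}")
```

Run against the constructed sample, server 20 rehandshakes on the data trigger after 100 seconds at 1250 Kbytes/s (the 10-hour timeout only wins on a near-idle connection), while servers 21 and 22 are reported as never rehandshaking because both of their triggers sit at the default 0.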
Cisco Content Services Switch SSL Configuration Guide
4-39
OL-5655-01