Step
suite for the SSL client policy.
6.
Specify the SSL version for the
SSL client policy.
Command
prefer-cipher
{ dhe_rsa_aes_128_cbc_s
ha |
dhe_rsa_aes_128_cbc_sh
a256 |
dhe_rsa_aes_256_cbc_sh
a |
dhe_rsa_aes_256_cbc_sh
a256 |
ecdhe_ecdsa_aes_128_c
bc_sha256 |
ecdhe_ecdsa_aes_128_g
cm_sha256 |
ecdhe_ecdsa_aes_256_c
bc_sha384 |
ecdhe_ecdsa_aes_256_g
cm_sha384 |
ecdhe_rsa_aes_128_cbc_
sha256 |
ecdhe_rsa_aes_128_gcm
_sha256 |
ecdhe_rsa_aes_256_cbc_
sha384 |
ecdhe_rsa_aes_256_gcm
_sha384 |
exp_rsa_des_cbc_sha |
exp_rsa_rc2_md5 |
exp_rsa_rc4_md5 |
rsa_3des_ede_cbc_sha |
rsa_aes_128_cbc_sha |
rsa_aes_128_cbc_sha256
| rsa_aes_256_cbc_sha |
rsa_aes_256_cbc_sha256
| rsa_des_cbc_sha |
rsa_rc4_128_md5 |
rsa_rc4_128_sha }
•
In FIPS mode:
prefer-cipher
{ ecdhe_ecdsa_aes_128_
cbc_sha256 |
ecdhe_ecdsa_aes_128_g
cm_sha256 |
ecdhe_ecdsa_aes_256_c
bc_sha384 |
ecdhe_ecdsa_aes_256_g
cm_sha384 |
ecdhe_rsa_aes_128_cbc_
sha256 |
ecdhe_rsa_aes_128_gcm
_sha256 |
ecdhe_rsa_aes_256_cbc_
sha384 |
ecdhe_rsa_aes_256_gcm
_sha384 |
rsa_aes_128_cbc_sha |
rsa_aes_128_cbc_sha256
| rsa_aes_256_cbc_sha |
rsa_aes_256_cbc_sha256
}
•
In non-FIPS mode:
version { ssl3.0 | tls1.0 |
tls1.1 | tls1.2 }
389
Remarks
The default preferred cipher
suite is rsa_rc4_128_md5.
•
In FIPS mode:
The default preferred cipher
suite is
sa_aes_128_cbc_sha.
By default, an SSL client policy
uses TLS 1.0.
As a best practice to ensure