Chapter 5
Configuring Back-End SSL
Configuring Back-End SSL Servers in an SSL Proxy List
The all-cipher-suites option reenables all cipher suites for the back-end server.
Note
This option works only when you do not configure specifically-defined ciphers.
To return to using the all-cipher-suites option, you must remove all
specifically-defined ciphers.
For example, to configure a cipher of rsa-with-rc4-128-md5, enter:
(config-ssl-proxy-list[ssl_list1])# backend-server 1 cipher rsa-with-rc4-128-md5
When negotiating which cipher suite to use, the SSL module sends the ciphers to
the server in weighted order, with the highest-weighted cipher first in the list.
By default, all configured cipher suites have a weight of 1. Optionally, you can
assign a priority weight to the cipher suite, with 10 being the highest.
For example, to assign a weight of 10 to a cipher suite, enter:
(config-ssl-proxy-list[ssl_list1])# backend-server 1 cipher rsa-with-rc4-128-md5 weight 10
To remove one or more of the configured cipher suites for the back-end server,
enter:
(config-ssl-proxy-list[ssl_list1])# no backend-server 1 cipher rsa-with-rc4-128-md5
Configuring SSL Session Cache Timeout
In SSL, every time a client and server go through a full key exchange and establish
a new master secret key, a new session is created. Enabling a session cache
timeout allows the reuse of the master key on subsequent connections by the
client. When you disable the cache timeout, the full SSL handshake must occur
on each new connection to the SSL module (the virtual client). Use the
backend-server number session-cache command to configure the SSL module to
resume a connection with a back-end SSL server using a previously established
secret key.
By default, the cache timeout is enabled with a timeout of 300 seconds
(5 minutes). The timeout value can range from 0 to 72000 (0 seconds to 20 hours).
A timeout value of 0 disables the session cache reuse.
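The weighting and session-cache rules above can be checked against a saved configuration. The following Python sketch is an added example, not part of the Cisco guide: it lists the order in which cipher suites are offered to each back-end server and flags RC4/MD5 suites and session-cache values that are 0 or above 72000. The sample lines are constructed; suite names other than rsa-with-rc4-128-md5, the "session-cache <seconds>" argument form, and the tie-breaking order for equal weights are assumptions.

```python
import re

# Constructed sample config. Suite names other than rsa-with-rc4-128-md5 and the
# "session-cache <seconds>" argument form are assumptions, not taken from the guide.
SAMPLE = """\
backend-server 1 cipher rsa-with-rc4-128-md5 weight 10
backend-server 1 cipher rsa-with-3des-ede-cbc-sha
backend-server 1 cipher rsa-with-rc4-128-sha weight 5
backend-server 1 session-cache 0
backend-server 2 session-cache 90000
"""

CIPHER = re.compile(r"^backend-server (\d+) cipher (\S+)(?: weight (\d+))?$")
CACHE = re.compile(r"^backend-server (\d+) session-cache (\d+)$")
WEAK = ("rc4", "md5")  # name fragments of suites built on RC4 or MD5

def audit(config):
    """Return (offer_order, findings) for the back-end servers in config."""
    suites, findings = {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := CIPHER.match(line):
            # A suite without an explicit weight gets the default weight of 1.
            suites.setdefault(m.group(1), []).append((m.group(2), int(m.group(3) or 1)))
        elif m := CACHE.match(line):
            server, timeout = m.group(1), int(m.group(2))
            if timeout > 72000:
                findings.append(f"server {server}: timeout {timeout} exceeds 72000")
            elif timeout == 0:
                findings.append(f"server {server}: session cache disabled, "
                                "full handshake on every connection")
    order = {}
    for server, entries in suites.items():
        # Highest weight first; equal weights keep configuration order (assumption).
        ranked = sorted(entries, key=lambda e: -e[1])
        order[server] = [name for name, _ in ranked]
        for pos, name in enumerate(order[server], start=1):
            if any(tag in name for tag in WEAK):
                findings.append(f"server {server}: weak suite {name} offered at position {pos}")
    return order, findings

if __name__ == "__main__":
    offer_order, problems = audit(SAMPLE)
    print(offer_order)
    print("\n".join(problems))
```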
Cisco Content Services Switch SSL Configuration Guide
OL-5655-01