Ciphersuites - Cisco IE-3000-8TC Software Configuration Manual
Software configuration guide
Hide thumbs
Also See for IE-3000-8TC:
- Command reference manual (802 pages) ,
- Administration manual (496 pages) ,
- Message manual (98 pages)
Table of Contents
Advertisement
Chapter 11
Configuring Switch-Based Authentication
3082029F 30820208 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
59312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33303830 37353530 37323126 30240609 2A864886 F70D0109
<output truncated>
You can remove this self-signed certificate by disabling the secure HTTP server and entering the no
crypto pki trustpoint TP-self-signed-30890755072 global configuration command. If you later
re-enable a secure HTTP server, a new self-signed certificate is generated.
The values that follow TP self-signed depend on the serial number of the device.
Note
You can use an optional command (ip http secure-client-auth) to allow the HTTPS server to request
an X.509v3 certificate from the client. Authenticating the client provides more security than server
authentication by itself.
For additional information on Certificate Authorities, see the "Configuring Certification Authority
Interoperability" chapter in the Cisco IOS Security Configuration Guide, Release 12.2 from the
Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command
References.
CipherSuites
A CipherSuite specifies the encryption algorithm and the digest algorithm to use on a SSL connection.
When connecting to the HTTPS server, the client Web browser offers a list of supported CipherSuites,
and the client and server negotiate the best encryption algorithm to use from those on the list that are
supported by both. For example, Netscape Communicator 4.76 supports U.S. security with RSA Public
Key Cryptography, MD2, MD5, RC2-CBC, RC4, DES-CBC, and DES-EDE3-CBC.
For the best possible encryption, you should use a client browser that supports 128-bit encryption, such
as Microsoft Internet Explorer Version 5.5 (or later) or Netscape Communicator Version 4.76 (or later).
The SSL_RSA_WITH_DES_CBC_SHA CipherSuite provides less security than the other CipherSuites,
as it does not offer 128-bit encryption.
The more secure and more complex CipherSuites require slightly more processing time. This list defines
the CipherSuites supported by the switch and ranks them from fastest to slowest in terms of router
processing load (speed):
1.
2.
3.
4.
RSA (in conjunction with the specified encryption and digest algorithm combinations) is used for both
key generation and authentication on SSL connections. This usage is independent of whether or not a
CA trustpoint is configured.
OL-13018-03
SSL_RSA_WITH_DES_CBC_SHA—RSA key exchange (RSA Public Key Cryptography) with
DES-CBC for message encryption and SHA for message digest
SSL_RSA_WITH_RC4_128_MD5—RSA key exchange with RC4 128-bit encryption and MD5 for
message digest
SSL_RSA_WITH_RC4_128_SHA—RSA key exchange with RC4 128-bit encryption and SHA for
message digest
SSL_RSA_WITH_3DES_EDE_CBC_SHA—RSA key exchange with 3DES and DES-EDE3-CBC
for message encryption and SHA for message digest
Configuring the Switch for Secure Socket Layer HTTP
Cisco IE 3000 Switch Software Configuration Guide
11-39
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
