Errors when configuring ProxySG management console SSL cipher strength with a CLI overlay in Director
search cancel

Errors when configuring ProxySG management console SSL cipher strength with a CLI overlay in Director


Article ID: 165603


Updated On:




Using Director, you receive errors when attempting to apply an overlay to disable SSL encryption cyphers, but the same set of commands work when directly attached to the SG in the command line interface. 




 A: To duplicate both these symptoms, follow these two steps:

1: Use SSH to log into the SG, and, follow these steps:

  • ssh admin@<ipaddress of SG>
  • <prompt of SG >en
  • <enter password>
  • <prompt of SG >config t

2: execute these configuration cipher commands.

  •  <prompt of SG> <config> management-services

  • <prompt of SG> <config> edit HTTPS-Console

  • 3,13

  • <prompt of SG> <config> attribute cipher-suite


 2: While in the Director Management console, attempt to execute the above commands in  a CLI-based overlay,  Here are the results and their coresponding errors:

| Output for device "ProxySG"
Error:  Internal Error - device communication interrupted
Error:  Internal Error - device communication interrupted
edit HTTPS-Console
Error:  Internal Error - device communication interrupted
attribute cipher-suite
Error:  Internal Error - device communication interrupted
Error:  Internal Error - device communication interrupted
Error:  Internal Error - device communication interrupted
Overlay execution complete for device "ProxySG"

 Analysis: The above errors are a side effect of how Director sends and processes CLI commands to the proxies. When you enter the command “attribute cipher-suite” the proxy then gives a long list of ciphers, and a prompts you for user input to tell it what ciphers to enable.   Director doesn’t know how to handle this prompt so it errors out, as per the above example.   Director expects to blindly run commands that are either accepted, or errored out by the proxy without the need for additional user input.  Using Cipher Names in your command will solve this, because the SG will no longer prompt you.  This is why you have to use the names on the same line as the “attribute cipher-suite” command – this tells the proxy directly to enable the ciphers you tell it to, without expecting additional user input.


B:To successfully process these commands through Director:

You will need to edit them into the overlay using their coresponding cipher names. Here are the altered commands to use in the overlay:

  • management-servicese
  • edit HTTPS-Console
  • attribute cipher-suite DES-CBC3-SHA EXP-RC4-MD5

NOTE: The above command syntax now has the intended effect of disabling all cipher suites except 3 and 13 and allows the overlay to execute without issue.


C: How to process other cipher commands:

 To procure other names of the cipher suites for  use in your own customized overlay, log into a ProxySG and run the commands given below. This will give you a table with cipher numbers and names. Here you chose the  actual names of the ciphers as given in the "Description" field below.

Connect to your SG, via SSH, and follow these commands.

  • Blue Coat SG210 Series>en
  • Enable Password:
  • Blue Coat SG210 Series#conf t
  • Enter configuration commands, one per line.  End with CTRL-Z.
  • Blue Coat SG210 Series#(config)management-services
  • Blue Coat SG210 Series#(config management-services)edit HTTPS-Console
  • Blue Coat SG210 Series#(config HTTPS-Console)attribute cipher-suite
  • Cipher#  Use        Description        Strength
  • -------  ---  -----------------------  --------
  •       1   no                  RC4-MD5    Medium
  •       2   no                  RC4-SHA    Medium
  •       3  yes             DES-CBC3-SHA      High
  •       4   no             DES-CBC3-MD5      High
  •       5   no              RC2-CBC-MD5    Medium
  •       6   no               RC4-64-MD5       Low
  •       7   no              DES-CBC-SHA       Low
  •       8   no              DES-CBC-MD5       Low
  •       9   no          EXP1024-RC4-MD5    Export
  •      10   no          EXP1024-RC4-SHA    Export
  •      11   no      EXP1024-RC2-CBC-MD5    Export
  •      12   no      EXP1024-DES-CBC-SHA    Export
  •      13  yes              EXP-RC4-MD5    Export
  •      14   no          EXP-RC2-CBC-MD5    Export
  •      15   no          EXP-DES-CBC-SHA    Export
  •      16   no               AES128-SHA    Medium
  •      17   no               AES256-SHA      High