How to allow or block SSL ciphers based on cipher strength for EXP ciphers.

Article ID: 166289

Products

ProxySG Software - SGOS

Issue/Introduction

How to allow or block SSL ciphers based on cipher strength for EXP (export-grade) ciphers through CPL.

Resolution

There are two ways to allow or block EXP ciphers:

 Solution 1:

  Create the following CPL rule to allow only the listed EXP ciphers. The unconditional DENY on the last line is a separate rule (the ALLOW rule's condition ends after the closing parenthesis, so there is no line continuation before DENY); it blocks every connection that negotiated any other cipher.

<Proxy>
ALLOW client.connection.negotiated_cipher= \
    (EXP-RC4-MD5 || EXP1024-RC4-MD5 || EXP1024-RC4-SHA || EXP1024-RC2-CBC-MD5 || EXP1024-DES-CBC-SHA)
DENY

  Create the following rule to block the listed EXP ciphers. Connections that negotiated any other cipher are not matched by this rule and fall through to the rest of the policy.

<Proxy>
DENY client.connection.negotiated_cipher= \
    (EXP-RC4-MD5 || EXP1024-RC4-MD5 || EXP1024-RC4-SHA || EXP1024-RC2-CBC-MD5 || EXP1024-DES-CBC-SHA)
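
The two rule sets above differ only in which side of the match carries the verdict, and that difference matters: the first set (ALLOW listed, then DENY) rejects every cipher not in the list, strong AES suites included, while the second set (DENY listed) leaves all other ciphers to the default policy. The following Python script is an added example, not part of the original article, that models CPL first-match evaluation for both rule sets so the behaviour can be checked before the policy is installed. It assumes a default verdict of ALLOW when no rule matches (SGOS's configurable policy default), uses the cipher names from the page, and adds a third, generalised rule set that matches any EXP* name rather than only the five listed (the name EXP-DES-CBC-SHA used below is an OpenSSL export cipher name that is not on the page).

```python
"""Added example: model of CPL first-match evaluation for the rule sets on this page.

Evaluation inside a <Proxy> layer is first-match: the first rule whose condition
holds decides the verdict. The default verdict when no rule matches is assumed to
be ALLOW (an assumption; SGOS lets the administrator set the policy default).
"""

# Cipher names taken from the page's CPL condition
EXP_CIPHERS = frozenset({
    "EXP-RC4-MD5",
    "EXP1024-RC4-MD5",
    "EXP1024-RC4-SHA",
    "EXP1024-RC2-CBC-MD5",
    "EXP1024-DES-CBC-SHA",
})

DEFAULT_VERDICT = "ALLOW"  # assumption: policy default when no rule matches


def is_export_cipher(cipher: str) -> bool:
    """True for any export-grade (EXP*) cipher name, not only the five listed."""
    return cipher.upper().startswith("EXP")


def evaluate(rules, cipher: str) -> str:
    """First-match evaluation.

    rules is a list of (verdict, predicate) pairs; a predicate of None means the
    rule matches unconditionally (the bare DENY line in Solution 1).
    """
    for verdict, predicate in rules:
        if predicate is None or predicate(cipher):
            return verdict
    return DEFAULT_VERDICT


# Solution 1, first rule set: ALLOW the listed EXP ciphers, then an unconditional
# DENY. Anything not listed, including strong AES suites, is denied.
ALLOW_ONLY_LISTED = [
    ("ALLOW", lambda c: c in EXP_CIPHERS),
    ("DENY", None),
]

# Solution 1, second rule set: DENY the listed EXP ciphers; everything else falls
# through to the default verdict.
DENY_LISTED = [
    ("DENY", lambda c: c in EXP_CIPHERS),
]

# Generalisation beyond the page: deny every EXP* cipher by name prefix, so an
# export cipher that is not in the five-name list is still blocked.
DENY_ALL_EXPORT = [
    ("DENY", is_export_cipher),
]


def cpl_condition(ciphers) -> str:
    """Render a set of cipher names as the negotiated_cipher condition used on this page."""
    names = " || ".join(sorted(ciphers))
    return f"client.connection.negotiated_cipher=({names})"


if __name__ == "__main__":
    for cipher in ("EXP-RC4-MD5", "AES256-SHA", "EXP-DES-CBC-SHA"):
        print(f"{cipher:16} allow-only-listed={evaluate(ALLOW_ONLY_LISTED, cipher):5} "
              f"deny-listed={evaluate(DENY_LISTED, cipher):5} "
              f"deny-all-export={evaluate(DENY_ALL_EXPORT, cipher)}")
    print(cpl_condition(EXP_CIPHERS))
```

Running the script shows AES256-SHA denied under the first rule set and allowed under the second, and EXP-DES-CBC-SHA (an export cipher not on the list) allowed by the page's DENY rule but caught by the prefix-based generalisation; the rendered condition string can be pasted into the CPL rule.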

 Solution 2:

   On a reverse proxy the same result can be achieved from the CLI by restricting the service's cipher suite to only the specific ciphers permitted for the SSL handshake. The handshake fails if the client tries to negotiate any cipher suite other than the ones added through the CLI, as shown (service-name is a placeholder for the name of your service):

SGOS#(config) proxy-services
SGOS#(config proxy-services) create https-reverse-proxy service-name
SGOS#(config proxy-services) edit service-name
SGOS#(config service-name) attribute cipher-suite <cipher-suite+>

Example:

SGOS#(config service-name) attribute cipher-suite rc4-md5 rc4-sha des-cbc3-sha aes128-sha aes256-sha