Reporter ignores SSL setting changes made with the ssl edit command

Article ID: 214553

Updated On:

Products

Reporter-VA Reporter-S500

Issue/Introduction

You want to remove the following cipher suites with "ssl edit ssl-context default cipher-suites remove":

  • dhe-rsa-aes128-sha
  • dhe-rsa-aes256-sha

Reporter does not return the "ok" prompt when the SSL setting is modified with the ssl edit command.
Reporter appears to ignore the ssl edit command: the cipher suites are still listed afterwards.

reporter(config)# ssl edit ssl-context default cipher-suites remove dhe-rsa-aes128-sha
reporter(config)# ssl edit ssl-context default cipher-suites remove dhe-rsa-aes256-sha
reporter(config)# 
reporter(config)# exit 
reporter# ssl view ssl-context default
Name:           default
Keyring:        default
CCL:            browser-trusted
Protocols:      tlsv1.1 tlsv1.2
Cipher suites:  ecdhe-rsa-aes256-sha dhe-rsa-aes256-sha aes256-sha256 aes256-sha ecdhe-rsa-aes128-gcm-sha256 
ecdhe-rsa-aes128-sha256 ecdhe-rsa-aes128-sha dhe-rsa-aes128-sha aes128-sha256 aes128-sha

How to remove specific cipher suites?

Environment

Release : 10.5.2.2

Component : SSL

Resolution

The older Reporter command line has an input limitation.
You can remove specific ciphers by first entering the ssl-context cipher-suites edit mode and then running the remove command there.

reporter(config)# ssl edit ssl-context default cipher-suites
reporter(config-ssl-context default cipher-suites)#
reporter(config-ssl-context default cipher-suites)# remove dhe-rsa-aes128-sha
  ok
reporter(config-ssl-context default cipher-suites)# remove dhe-rsa-aes256-sha
  ok
reporter(config-ssl-context default cipher-suites)# exit
reporter(config)# exit 
reporter# ssl view ssl-context default
Name:           default
Keyring:        default
CCL:            browser-trusted
Protocols:      tlsv1.1 tlsv1.2
Cipher suites:  ecdhe-rsa-aes256-sha aes256-sha256 aes256-sha ecdhe-rsa-aes128-gcm-sha256 ecdhe-rsa-aes128-sha256 ecdhe-rsa-aes128-sha aes128-sha256 aes128-sha
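
Because the single-line form fails without printing any error, check the "ssl view" output after every change. The following Python check is an added example, not part of the original article and not vendor code; it parses saved "ssl view ssl-context" output and reports which of the unwanted suites are still enabled. The function names and the idea of saving the CLI output to a string are assumptions.

```python
import re

# Suites the article removes from the default ssl-context.
UNWANTED = {"dhe-rsa-aes128-sha", "dhe-rsa-aes256-sha"}
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")

def parse_ssl_context(text):
    """Parse 'ssl view ssl-context' output into {field: value}.
    A line with no 'Field:' prefix continues the previous field,
    which is how a long cipher-suite list wraps on the console."""
    fields, last = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("reporter"):  # blank or CLI prompt
            continue
        m = FIELD.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2).strip()
        elif last:
            fields[last] = f"{fields[last]} {line}".strip()
    return fields

def remaining_unwanted(text, unwanted=UNWANTED):
    """Return unwanted suites still enabled. Whole names are compared:
    'dhe-rsa-aes128-sha' is a substring of 'ecdhe-rsa-aes128-sha',
    so a plain substring search would report false positives."""
    suites = parse_ssl_context(text).get("Cipher suites", "").split()
    return sorted(set(suites) & set(unwanted))

# Output copied from the article: before and after the fix.
BEFORE = """reporter# ssl view ssl-context default
Name:           default
Keyring:        default
CCL:            browser-trusted
Protocols:      tlsv1.1 tlsv1.2
Cipher suites:  ecdhe-rsa-aes256-sha dhe-rsa-aes256-sha aes256-sha256 aes256-sha ecdhe-rsa-aes128-gcm-sha256 
ecdhe-rsa-aes128-sha256 ecdhe-rsa-aes128-sha dhe-rsa-aes128-sha aes128-sha256 aes128-sha
"""
AFTER = """Name:           default
Keyring:        default
CCL:            browser-trusted
Protocols:      tlsv1.1 tlsv1.2
Cipher suites:  ecdhe-rsa-aes256-sha aes256-sha256 aes256-sha ecdhe-rsa-aes128-gcm-sha256 ecdhe-rsa-aes128-sha256 ecdhe-rsa-aes128-sha aes128-sha256 aes128-sha
"""

if __name__ == "__main__":
    print("before:", remaining_unwanted(BEFORE))
    print("after: ", remaining_unwanted(AFTER))
```

An empty result means both suites are gone; any name returned means the remove command was not applied.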

Additional Information

Reporter 10.6.1.1 does not have this limitation.

reporter(config)# ssl edit ssl-context default cipher-suites remove dhe-rsa-aes256-sha
  ok
reporter(config)#