Configuring SSL Cipher Settings
You configure SSL cipher settings in the Optimization > SSL: Advanced Settings page.
Note: Unless you have specific organizational requirements, typically you don’t need to change SSL cipher settings.
In cryptography, a cipher is an algorithm for performing encryption and decryption. In RiOS, the types of ciphers are:
• Server ciphers - communicate with the server on the segment between the server-side SteelHead and the SSL server.
• Client ciphers - communicate with the client on the segment between the client-side SteelHead and the SSL client. Although this segment doesn’t include the server-side SteelHead, you must configure the client ciphers on the server-side SteelHead, because the server-side SteelHead actually handles the SSL handshake with the SSL client.
• Peer ciphers - communicate between the two SteelHeads.
The default cipher setting is DEFAULT, which represents a variety of high-strength ciphers that allow for compatibility with many browsers and servers.
Use the default cipher configuration to limit the possible ciphers that are negotiated on the three parts of the secure inner channel connection (the client-to-SteelHead, the server-to-SteelHead, and SteelHead-to-SteelHead).
To configure SSL ciphers
1. Choose Optimization > SSL: Advanced Settings to display the Advanced Settings page.
2. Under Peer Ciphers, complete the configuration on both the server-side and client-side SteelHeads, as described in this table.
Control | Description |
Add a New Peer Cipher | Displays the controls for adding a new peer cipher. |
Cipher | Select the cipher type for communicating with peers from the drop-down list. The Hint text box displays information about the cipher. You must specify at least one cipher for peers, clients, and servers for SSL to function properly. The default cipher setting is DEFAULT, which represents a variety of high-strength ciphers that allow for compatibility with many browsers and servers. |
Insert Cipher At | Select Start, End, or the cipher number from the drop-down list. The default cipher, if used, must be rule number 1. |
Add | Adds the cipher to the list. |
Remove Selected | Select the check box next to the name and click Remove Selected. |
3. On the server-side SteelHead, under Client Ciphers, you can add or remove a client or peer cipher by completing the configuration as described in these tables.
Control | Description |
Add a New Client Cipher | Displays the controls for adding a new client cipher. |
Cipher | Select the cipher type for communicating with clients from the drop-down list. The Hint text box displays information about the cipher. You must specify at least one cipher for peers, clients, and servers for SSL to function properly. The default cipher setting is DEFAULT. which represents a variety of high- strength ciphers that allow for compatibility with many browsers and servers. |
Insert Cipher At | Select Start, End, or a cipher number from the drop-down list. The default cipher, if used, must be rule number 1. |
Add | Adds the cipher to the list. |
Cancel | Cancels your settings. |
Removed Selected | Select the check box next to the name and click Remove Selected. |
Control | Description |
Add a New Peer Cipher | Displays the controls for adding a new peer cipher. |
Cipher | Select the cipher type for communicating with peers from the drop-down list. The Hint text box displays information about the cipher. You must specify at least one cipher for peers, clients, and servers for SSL to function properly. The default cipher setting is DEFAULT, which represents a variety of high-strength ciphers that allow for compatibility with many browsers and servers. |
Insert Cipher At | Select Start, End, or the cipher number from the drop-down list. The default cipher, if used, must be rule number 1. |
Add | Adds the cipher to the list. |
Remove Selected | Select the check box next to the name and click Remove Selected. |
4. On the server-side SteelHead, you can add or remove a server cipher by completing the configuration as described in this table.
Control | Description |
Add a New Server Cipher | Displays the controls for adding a new server cipher. |
Cipher | Select the cipher type for communicating with servers from the drop-down list. The Hint text box displays information about the cipher. You must specify at least one cipher for peers, clients, and servers for SSL to function properly. The default cipher setting is DEFAULT, which represents a variety of high- strength ciphers that are compatible with many browsers and servers. |
Insert Cipher At | Select Start, End, or a cipher number from the drop-down list. The default cipher, if used, must be rule number 1. |
Add | Adds the cipher to the list. |
Cancel | Cancels your settings. |
Removed Selected | Select the check box next to the name and click Remove Selected. |
5. Click Show Effective Overall Cipher List to display a list of ciphers.
Related Topics
Performing Bulk Imports and Exports
You can perform bulk import and export operations in the Optimization > SSL: Advanced Settings page.
These import and export features expedite configuring backup and peer trust relationships:
• Backup - You can use the bulk export feature to back up your SSL configurations, including your server configurations and private keys.
Note: To protect your server private keys, you can choose to not include your
Server Configurations and Private Keys when performing bulk exports of trusted peers. In RiOS 7.0.1, you can prevent your SSL configurations from leaving the SteelHead by making SSL certificates and private keys nonexportable. For details, see
Configuring SSL Server Certificates.
• Peer Trust - If you use self-signed peering certificates and have multiple SteelHeads (including multiple server-side appliances), you can use the bulk import feature to avoid configuring each peering trust relationship between the pairs of SteelHeads.
The bulk data that you import contains the serial number of the exporting SteelHead. The SteelHead importing the data compares its own serial number with the serial number contained in the bulk data.
These rules apply to bulk data when importing and exporting the data:
• Peering Certificate and Key Data - If the serial numbers match, the SteelHead importing the bulk data overwrites its existing peering certificates and keys with that bulk data. If the serial numbers don’t match, the SteelHead importing the bulk data doesn’t overwrite its peering certificate and key.
• Certificate Authority, Peering Trust, and SSL Server Configuration Data - For all other configuration data such as certificate authorities, peering trusts, and server configurations (if included), if there’s a conflict, the imported configuration data takes precedence (that is, the imported configuration data overwrites any existing configurations).
Note: Bulk data importing operations don’t delete configurations; they can only add or overwrite them.
Note: Bulk importing doesn’t require a optimization service restart.
To perform bulk export operations
1. Select one SteelHead (A) and trust all the SteelHeads peering certificates. Make sure you include the peering certificate for SteelHead A. For details about configuring trusted peers, see
Configuring Secure Peers.
2. Choose Optimization > SSL: Advanced Settings to display the Advanced Settings page.
3. Under Bulk Export, complete the configuration as described in this table.
Control | Description |
Include Server Certificates and Private Keys | (Doesn’t appear when exporting of server certificates and keys is disabled globally from the SSL Main Settings Page.) Includes the server certificates and keys in the export file. Note: To protect your server private keys, don’t select when performing bulk exports of trusted peers. |
Include SCEP/CRL Configuration | Includes the SCEP and CRL configurations with the export file. |
Password | Specify and confirm the password used for the export file. |
Export | Exports your SSL configuration and optionally your server private keys and certificates. |
4. Click Save to Disk to save your settings permanently.
To perform bulk import operations
1. Choose Optimization > SSL: Advanced Settings to display the Advanced Settings page.
Figure: Advanced Settings Page
2. Under Bulk Import, complete the configuration as described in these table.
Control | Description |
Upload File | Browse to the previously exported bulk file that contains the certificates and keys. |
Password to Decrypt | Specify the password used to decrypt the file. |
Import | Imports your SSL configuration, keys, and certificates, so that all of the SteelHeads trust one another as peers. |
3. Click Save to Disk to save your settings permanently.
Related Topics