Configuring SSL cipher settings
You configure SSL cipher settings under Optimization > SSL: Advanced Settings.
Unless you have specific organizational requirements, typically you do not need to change SSL cipher settings.
In cryptography, a cipher is an algorithm for performing encryption and decryption. In RiOS, the types of ciphers are:
• Server ciphers—Communicate with the server on the segment between the server-side SteelHead and the SSL server.
• Client ciphers—Communicate with the client on the segment between the client-side appliance and the SSL client. Although this segment does not include the server-side SteelHead, you must configure the client ciphers on the server-side SteelHead, because the server-side SteelHead actually handles the SSL handshake with the SSL client.
• Peer ciphers—Communicate between the two SteelHeads.
The default cipher setting is DEFAULT, which represents a variety of high-strength ciphers that allow for compatibility with many browsers and servers.
Use the default cipher configuration to limit the possible ciphers that are negotiated on the three parts of the secure inner channel connection (the client-to-SteelHead, the server-to-SteelHead, and SteelHead-to-SteelHead).
Under Peer Ciphers, complete the configuration on both the client-side appliance and server-side SteelHead. These configuration options are available:
Add a New Peer Cipher
Displays the controls for adding a new peer cipher.
Cipher
Specifies the cipher type for communicating with peers from the drop-down list. The Hint text box displays information about the cipher.
You must specify at least one cipher for peers, clients, and servers for SSL to function properly.
The default cipher setting is DEFAULT, which represents a variety of high-strength ciphers that allow for compatibility with many browsers and servers.
Insert Cipher At
Specifies Start, End, or the cipher number from the drop-down list. The default cipher, if used, must be rule number 1.
On the server-side SteelHead, under Client Ciphers, you can add or remove a client or peer cipher. These configuration options are available:
Add a New Client Cipher
Displays the controls for adding a new client cipher.
Cipher
Specifies the cipher type for communicating with clients from the drop-down list. The Hint text box displays information about the cipher.
You must specify at least one cipher for peers, clients, and servers for SSL to function properly.
The default cipher setting is DEFAULT, which represents a variety of high-strength ciphers that allow for compatibility with many browsers and servers.
Insert Cipher At
Specifies Start, End, or a cipher number from the drop-down list. The default cipher, if used, must be rule number 1.
On the server-side SteelHead, you can add or remove a server cipher. These configuration options are available:
Add a New Server Cipher
Displays the controls for adding a new server cipher.
Cipher
Specifies the cipher type for communicating with servers from the drop-down list. The Hint text box displays information about the cipher.
You must specify at least one cipher for peers, clients, and servers for SSL to function properly.
The default cipher setting is DEFAULT, which represents a variety of high-strength ciphers that are compatible with many browsers and servers.
Insert Cipher At
Specifies Start, End, or a cipher number from the drop-down list. The default cipher, if used, must be rule number 1.
Click Show Effective Overall Cipher List to display a list of ciphers.
Performing bulk imports and exports
You can perform bulk import and export operations under Optimization > SSL: Advanced Settings.
These import and export features expedite configuring backup and peer trust relationships:
• Backup—You can use the bulk export feature to back up your SSL configurations, including your server configurations and private keys.
To protect your server private keys, you can choose to not include your Server Configurations and Private Keys when performing bulk exports of trusted peers. You can prevent your SSL configurations from leaving the SteelHead by making SSL certificates and private keys nonexportable.
• Peer Trust—If you use self-signed peering certificates and have multiple SteelHeads (including multiple server-side appliances), you can use the bulk import feature to avoid configuring each peering trust relationship between the pairs of appliances.
The bulk data that you import contains the serial number of the exporting appliance. The appliance importing the data compares its own serial number with the serial number contained in the bulk data.
These rules apply to bulk data when importing and exporting the data:
• Peering Certificate and Key Data—If the serial numbers match, the SteelHead importing the bulk data overwrites its existing peering certificates and keys with that bulk data. If the serial numbers do not match, the SteelHead importing the bulk data does not overwrite its peering certificate and key.
• Certificate Authority, Peering Trust, and SSL Server Configuration Data—For all other configuration data such as certificate authorities, peering trusts, and server configurations (if included), if there is a conflict, the imported configuration data takes precedence (that is, the imported configuration data overwrites any existing configurations).
Bulk data importing operations do not delete configurations; they can only add or overwrite them.
Bulk importing does not require an optimization service restart.
Select one SteelHead (A) and, on it, trust all of the SteelHeads' peering certificates. Make sure you include the peering certificate for SteelHead A itself.
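The import rules above and the SteelHead A rollout, modelled as an added Python example that is not RiOS code: appliance names, serial numbers and certificate strings are constructed placeholders, and the fields carried in the bulk file are an assumption made for the illustration.

```python
# Added example (not RiOS code): a model of the documented bulk import merge
# rules. Appliance names, serial numbers and certificate strings are constructed.
from dataclasses import dataclass, field, replace
from typing import Dict

@dataclass
class SslConfig:
    serial: str                          # appliance serial number
    peering_cert: str                    # this appliance's own peering certificate
    peering_key: str                     # ... and its private key
    peering_trusts: Dict[str, str] = field(default_factory=dict)  # trusted peer cert by name
    cas: Dict[str, str] = field(default_factory=dict)             # certificate authorities
    server_configs: Dict[str, str] = field(default_factory=dict)  # SSL server configs (+ keys)

def bulk_export(cfg: SslConfig, include_server_configs: bool = True) -> dict:
    """Bulk data carries the exporter's serial; server configs/keys only on request."""
    data = {
        "serial": cfg.serial,
        "peering_cert": cfg.peering_cert,
        "peering_key": cfg.peering_key,
        "peering_trusts": dict(cfg.peering_trusts),
        "cas": dict(cfg.cas),
    }
    if include_server_configs:
        data["server_configs"] = dict(cfg.server_configs)
    return data

def bulk_import(cfg: SslConfig, data: dict) -> SslConfig:
    """Peering cert/key replaced only when serials match; all other data is
    added with the imported copy winning on conflict; nothing is deleted."""
    merged = replace(cfg, peering_trusts=dict(cfg.peering_trusts),
                     cas=dict(cfg.cas), server_configs=dict(cfg.server_configs))
    if data["serial"] == cfg.serial:
        merged.peering_cert = data["peering_cert"]
        merged.peering_key = data["peering_key"]
    merged.peering_trusts.update(data["peering_trusts"])
    merged.cas.update(data["cas"])
    merged.server_configs.update(data.get("server_configs", {}))
    return merged

def peer_trust_rollout():
    """SteelHead A trusts every peering cert (its own included); B imports A's export."""
    a = SslConfig("SN-A", "cert-A", "key-A",
                  peering_trusts={"A": "cert-A", "B": "cert-B", "C": "cert-C"},
                  cas={"corp-root": "ca-v2"})
    b = SslConfig("SN-B", "cert-B", "key-B",
                  cas={"corp-root": "ca-v1"}, server_configs={"intranet": "srv-B"})
    return a, bulk_import(b, bulk_export(a, include_server_configs=False))
```

Exporting without server configurations, as done here, is the documented way to keep server private keys out of a peer-trust export.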
Under Bulk Export, these configuration options are available:
Include Server Certificates and Private Keys
Includes the server certificates and keys in the export file. (This option doesn’t appear when exporting of server certificates and keys is disabled globally from the SSL Main Settings Page.)
To protect your server private keys, don’t select when performing bulk exports of trusted peers.
Include SCEP/CRL Configuration
Includes the SCEP and CRL configurations with the export file.
Password
Specifies and confirms the password used for the export file.
Export
Exports your SSL configuration and optionally your server private keys and certificates.
Under Bulk Import, these configuration options are available:
Upload File
Browses to the previously exported bulk file that contains the certificates and keys.
Password to Decrypt
Specifies the password used to decrypt the file.
Import
Imports your SSL configuration, keys, and certificates, so that all of the SteelHeads trust one another as peers.