SSLCIPH (JANUS DEFINE parameter): Difference between revisions
Revision as of 16:51, 4 January 2014
SSLCIPH xxx — Limit SSL ciphers offered by this port
SSLCIPH is a parameter on JANUS DEFINE, which defines and sets characteristics of a Janus port.
This parameter lets you limit the stream ciphers (encryption algorithms) that this port offers for SSL connections. A Janus port whose definition includes an SSL parameter supports Janus Network Security SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encrypted connections.
Typically, SSLCIPH is allowed to default to 0: all the Janus-supported ciphers are available, and the cipher that is ultimately used depends on the outcome of the handshake negotiation with the client that seeks the service at this port. The negotiation selects the strongest available cipher that the client can support.
However, to make only a subset of the server ciphers available, you can specify SSLCIPH followed by the (bitmask) value that selects the subset. For example, SSLCIPH 2 indicates that only strong RC4 encryption is available. It is probably a good idea to disable export ciphers as they are weakened by design, and given that the current preferred cipher is AES, it might make sense to set SSLCIPH to X'03C0' to force AES bulk encryption.
Currently, these ciphers are supported:
| Bit | TLS specification symbol | Description |
|---|---|---|
| 1 | TLS_RSA_EXPORT_WITH_RC4_40_MD5 | RC4 bulk cipher with MD5 digest algorithm with 40 bits of the 128 bit RC4 key transmitted encrypted, the rest transmitted "in the clear" (unencrypted). This is considered a moderately strong encryption algorithm and is available on virtually every client implementation of SSL. |
| 2 | TLS_RSA_WITH_RC4_128_MD5 | RC4 bulk cipher with the MD5 digest algorithm with all 128 bits of the RC4 key transmitted encrypted. This is considered a very strong encryption algorithm although MD5 is generally deprecated as a digest algorithm. |
| 4 | TLS_RSA_WITH_RC4_128_SHA | RC4 bulk cipher with the SHA digest algorithm with all 128 bits of the RC4 key transmitted encrypted. This is considered a very strong encryption algorithm and is preferable to TLS_RSA_WITH_RC4_128_MD5 because SHA is considered a superior digest algorithm. |
SSLCIPH is valid for SRVSOCK, WEBSERV, OPENSERV, and SDS port types.
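As an added illustration (not part of this wiki page or of the Janus product), the following Python decodes an SSLCIPH value as it would be written on a JANUS DEFINE (decimal or X'hhhh' hex), maps the bits to the suites in the table above, and flags the weak selections the text warns about. The individual AES bits behind X'03C0' are not enumerated on this page, so they are reported as one group; bits outside the documented set are reported as undocumented rather than guessed.

```python
import re

# Cipher bits as documented in the SSLCIPH table on this page.
SSLCIPH_BITS = {
    0x1: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x2: "TLS_RSA_WITH_RC4_128_MD5",
    0x4: "TLS_RSA_WITH_RC4_128_SHA",
}
# The page says X'03C0' forces AES bulk encryption but does not list the
# individual AES suites, so those four bits are reported as one group.
AES_MASK = 0x03C0
AES_LABEL = "AES suites (X'03C0')"


def parse_sslciph(value):
    """Parse an SSLCIPH value as written on JANUS DEFINE: decimal or X'hhhh' hex."""
    text = str(value).strip()
    hexval = re.fullmatch(r"X'([0-9A-Fa-f]+)'", text)
    if hexval:
        return int(hexval.group(1), 16)
    if text.isdigit():
        return int(text)
    raise ValueError(f"not a valid SSLCIPH value: {value!r}")


def decode_sslciph(mask):
    """Return (selected cipher names, undocumented bits); mask 0 means all ciphers."""
    if mask == 0:
        return list(SSLCIPH_BITS.values()) + [AES_LABEL], 0
    names = [name for bit, name in SSLCIPH_BITS.items() if mask & bit]
    if mask & AES_MASK:
        names.append(AES_LABEL)
    known = AES_MASK | sum(SSLCIPH_BITS)  # bits this page documents (0x3C7)
    return names, mask & ~known


def audit_sslciph(value):
    """Flag export-grade and MD5 suites (as the page warns) and RC4 (RFC 7465)."""
    mask = parse_sslciph(value)
    names, unknown = decode_sslciph(mask)
    findings = []
    for name in names:
        if "EXPORT" in name:
            findings.append(f"{name}: export-grade, weakened by design")
        elif "RC4" in name:
            findings.append(f"{name}: RC4 stream cipher, prohibited for TLS by RFC 7465")
        if name.endswith("MD5"):
            findings.append(f"{name}: MD5 digest is deprecated")
    if unknown:
        findings.append(f"bits X'{unknown:04X}' are not documented on this page")
    return mask, findings
```

Running audit_sslciph("0") shows why the default is risky on this port type: it enables the export suite alongside the AES group, whereas audit_sslciph("X'03C0'") returns no findings.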