SSLCIPH (JANUS DEFINE parameter): Difference between revisions

From m204wiki
Jump to navigation Jump to search
mNo edit summary
m (remove displaytitle)
 
(29 intermediate revisions by 5 users not shown)
Line 1: Line 1:
{{DISPLAYTITLE:SSLCIPH}}
<span class="pageSubtitle">SSLCIPH xxx &mdash; Limit SSL ciphers offered by this port</span>
<span class="pageSubtitle"><section begin="desc" />SSLCIPH xxx -- limit SSL ciphers offered by this port<section end="desc" /></span>


<var>SSLCIPH</var> is a parameter on [[JANUS DEFINE]], which defines and sets characteristics of a Janus port. See the [[JANUS DEFINE#parmlist|List of JANUS DEFINE parameters]].
==Description==
<var>SSLCIPH</var> is a parameter on the <var>[[JANUS DEFINE]]</var> command, which defines and sets characteristics of a Janus port.  


This parameter lets you limit the stream ciphers (encryption algorithms) that this port offers for SSL connections. A Janus port whose definition includes an <var>[[SSL (JANUS DEFINE parameter)|SSL]]</var> parameter supports <var class="product">[http://sirius-software.com/maint/download/jansslr.pdf Janus Network Security]</var> SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encrypted connections.  
This parameter lets you limit the stream ciphers (encryption algorithms) that this port offers for SSL connections. A Janus port whose definition includes an <var>[[SSL (JANUS DEFINE parameter)|SSL]]</var> parameter supports <var class="product">[[Janus Network Security]]</var> SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encrypted connections.  


Typically, <var>SSLCIPH</var> is allowed to default to 0: all the Janus-supported ciphers are available, and the cipher that is ultimately used depends on the outcome of the handshake negotiation with the client that seeks the service at this port. The negotiation selects the strongest available cipher that the client can support.  
Typically, <var>SSLCIPH</var> is allowed to default to 0: all the Janus-supported ciphers are available, and the cipher that is ultimately used depends on the outcome of the handshake negotiation with the client that seeks the service at this port. The negotiation selects the strongest available cipher that the client can support.  


However, to make only a subset of the server ciphers available, you can specify <var>SSLCIPH</var> followed by the (bitmask) value that selects the subset. For example, <code>SSLCIPH 2</code> indicates that only strong RC4 encryption is available.  
However, to make only a subset of the server ciphers available, you can specify <var>SSLCIPH</var> followed by the (bitmask) value that selects the subset. For example, <code>SSLCIPH 2</code> indicates that only strong RC4 encryption is available. It is probably a good idea to disable export ciphers (<code>SSLCIPH X'03F6'</code>), since they are weakened by design. Also, given that the current preferred cipher is AES, it might make sense to set <var>SSLCIPH</var> to X'03C0' to force [http://en.wikipedia.org/wiki/Advanced_Encryption_Standard AES] bulk encryption.  


Currently, these ciphers are supported:
Currently, these ciphers are supported:


<table class="syntaxTable">
<table class="thJustBold">
<tr><th>1</th>
<tr class="head"><th>Bit</th><th>TLS specification symbol</th><th>Description</th></tr>
<td>RC4 bulk cipher with MD5 digest algorithm with 40 bits of the 128 bit RC4 key transmitted encrypted, the rest transmitted "in the clear" (unencrypted). This is considered a moderately strong encryption algorithm and is available on virtually every client implementation of SSL.</td></tr>
<tr><th>2</th>
<td>RC4 bulk cipher with MD5 digest algorithm with all 128 bits of the RC4 key transmitted encrypted. This is considered a very strong encryption algorithm but is only available on clients that have been specially configured to support this cipher. This encryption level is not available for export from the United States.
</td></tr></table>


<var>SSLCIPH</var> is valid for SRVSOCK, <var>[[JANUS DEFINE#type|WEBSERV]]</var>, OPENSERV and SDS port types.
<tr><th>X'0001'</th><td>TLS_RSA_EXPORT_WITH_RC4_40_MD5</td>
<td>RC4 bulk cipher with MD5 digest algorithm with 40 bits of the 128 bit RC4 key transmitted encrypted, the rest transmitted "in the clear" (unencrypted). This is considered a weak level of encryption because of the small number of bits in the unencrypted part of the key.</td></tr>
 
<tr><th>X'0002'</th><td>TLS_RSA_WITH_RC4_128_MD5</td>
<td>RC4 bulk cipher with the MD5 digest algorithm with all 128 bits of the RC4 key transmitted encrypted. This is considered a fairly strong encryption algorithm although MD5 is generally deprecated as a digest algorithm.</td></tr>
 
<tr><th>X'0004'</th><td>TLS_RSA_WITH_RC4_128_SHA</td>
<td>RC4 bulk cipher with the SHA digest algorithm with all 128 bits of the RC4 key transmitted encrypted. This is considered a fairly strong encryption algorithm and is preferable to TLS_RSA_WITH_RC4_128_MD5 because SHA is considered a superior digest algorithm.</td></tr>
 
<tr><th>X'0008'</th><td>TLS_RSA_EXPORT_WITH_DES40_CBC_SHA</td><td>DES bulk cipher with SHA digest algorithm with 40 bits of the 56 bit DES key transmitted encrypted, the rest transmitted "in the clear" (unencrypted). This is considered a weak level of encryption because of the small number of bits in the unencrypted part of the key. Only available in <var class="product">Model 204</var> 7.5 and later.</td></tr>
 
<tr><th>X'0010'</th><td>TLS_RSA_WITH_DES_CBC_SHA</td><td>DES bulk cipher with SHA digest algorithm with all 56 bits of the DES key transmitted encrypted. This is considered a weak level of encryption because of the small number of bits in the key. Only available in <var class="product">Model 204</var> 7.5 and later.</td></tr>
 
<tr><th>X'0020'</th><td>TLS_RSA_WITH_3DES_EDE_CBC_SHA</td><td>Triple-DES bulk cipher with SHA digest algorithm with an encrypted 168 bit key. This is considered a fairly strong level of encryption. Only available in <var class="product">Model 204</var> 7.5 and later.</td></tr>
 
<tr><th>X'0040'</th><td>TLS_RSA_WITH_AES_128_CBC_SHA</td><td>AES bulk cipher with SHA digest algorithm with an encrypted 128 bit key and encrypting 128 bit blocks. This is considered a strong level of encryption. Only available in <var class="product">Model 204</var> 7.5 and later.</td></tr>
 
<tr><th>X'0080'</th><td>TLS_RSA_WITH_AES_256_CBC_SHA</td><td>AES bulk cipher with SHA digest algorithm with an encrypted 256 bit key and encrypting 256 bit blocks. This is considered a strong level of encryption. Only available in <var class="product">Model 204</var> 7.5 and later.</td></tr>
 
<tr><th>X'0100'</th><td>TLS_RSA_WITH_AES_128_CBC_SHA256</td><td>AES bulk cipher with SHA-256 digest algorithm with an encrypted 128 bit key and encrypting 128 bit blocks. This is considered a strong level of encryption. Only available in <var class="product">Model 204</var> 7.5 and later.</td></tr>
 
<tr><th>X'0200'</th><td>TLS_RSA_WITH_AES_256_CBC_SHA256</td><td>AES bulk cipher with SHA-256 digest algorithm with an encrypted 256 bit key and encrypting 256 bit blocks. This is considered a strong level of encryption. Only available in <var class="product">Model 204</var> 7.5 and later.</td></tr>
</table>
 
<var>SSLCIPH</var> is valid for <var>[[JANUS DEFINE#type|SRVSOCK]]</var>, <var>[[JANUS DEFINE#type|CLSOCK]]</var>, <var>[[JANUS DEFINE#type|WEBSERV]]</var>, <var>[[JANUS DEFINE#type|OPENSERV]]</var>, and <var>[[JANUS DEFINE#type|SDS]]</var> port types.


==See also==
==See also==
<ul>
<ul>
<li>[[SSLPROT (JANUS DEFINE parameter)]]
<li>[[List of Janus commands]]
<li>[[List of Janus commands]]
<li>[[JANUS DEFINE#parmlist|List of JANUS DEFINE parameters]]
<li>[[JANUS DEFINE#parmlist|List of JANUS DEFINE parameters]]

Latest revision as of 23:30, 7 June 2016

SSLCIPH xxx — Limit SSL ciphers offered by this port

Description

SSLCIPH is a parameter on the JANUS DEFINE command, which defines and sets characteristics of a Janus port.

This parameter lets you limit the stream ciphers (encryption algorithms) that this port offers for SSL connections. A Janus port whose definition includes an SSL parameter supports Janus Network Security SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encrypted connections.

Typically, SSLCIPH is allowed to default to 0: all the Janus-supported ciphers are available, and the cipher that is ultimately used depends on the outcome of the handshake negotiation with the client that seeks the service at this port. The negotiation selects the strongest available cipher that the client can support.

However, to make only a subset of the server ciphers available, you can specify SSLCIPH followed by the (bitmask) value that selects the subset. For example, SSLCIPH 2 indicates that only strong RC4 encryption is available. It is probably a good idea to disable export ciphers (SSLCIPH X'03F6'), since they are weakened by design. Also, given that the current preferred cipher is AES, it might make sense to set SSLCIPH to X'03C0' to force AES bulk encryption.

Currently, these ciphers are supported:

BitTLS specification symbolDescription
X'0001'TLS_RSA_EXPORT_WITH_RC4_40_MD5 RC4 bulk cipher with MD5 digest algorithm with 40 bits of the 128 bit RC4 key transmitted encrypted, the rest transmitted "in the clear" (unencrypted). This is considered a weak level of encryption because of the small number of bits in the unencrypted part of the key.
X'0002'TLS_RSA_WITH_RC4_128_MD5 RC4 bulk cipher with the MD5 digest algorithm with all 128 bits of the RC4 key transmitted encrypted. This is considered a fairly strong encryption algorithm although MD5 is generally deprecated as a digest algorithm.
X'0004'TLS_RSA_WITH_RC4_128_SHA RC4 bulk cipher with the SHA digest algorithm with all 128 bits of the RC4 key transmitted encrypted. This is considered a fairly strong encryption algorithm and is preferable to TLS_RSA_WITH_RC4_128_MD5 because SHA is considered a superior digest algorithm.
X'0008'TLS_RSA_EXPORT_WITH_DES40_CBC_SHADES bulk cipher with SHA digest algorithm with 40 bits of the 56 bit DES key transmitted encrypted, the rest transmitted "in the clear" (unencrypted). This is considered a weak level of encryption because of the small number of bits in the unencrypted part of the key. Only available in Model 204 7.5 and later.
X'0010'TLS_RSA_WITH_DES_CBC_SHADES bulk cipher with SHA digest algorithm with all 56 bits of the DES key transmitted encrypted. This is considered a weak level of encryption because of the small number of bits in the key. Only available in Model 204 7.5 and later.
X'0020'TLS_RSA_WITH_3DES_EDE_CBC_SHATriple-DES bulk cipher with SHA digest algorithm with an encrypted 168 bit key. This is considered a fairly strong level of encryption. Only available in Model 204 7.5 and later.
X'0040'TLS_RSA_WITH_AES_128_CBC_SHAAES bulk cipher with SHA digest algorithm with an encrypted 128 bit key and encrypting 128 bit blocks. This is considered a strong level of encryption. Only available in Model 204 7.5 and later.
X'0080'TLS_RSA_WITH_AES_256_CBC_SHAAES bulk cipher with SHA digest algorithm with an encrypted 256 bit key and encrypting 256 bit blocks. This is considered a strong level of encryption. Only available in Model 204 7.5 and later.
X'0100'TLS_RSA_WITH_AES_128_CBC_SHA256AES bulk cipher with SHA-256 digest algorithm with an encrypted 128 bit key and encrypting 128 bit blocks. This is considered a strong level of encryption. Only available in Model 204 7.5 and later.
X'0200'TLS_RSA_WITH_AES_256_CBC_SHA256AES bulk cipher with SHA-256 digest algorithm with an encrypted 256 bit key and encrypting 256 bit blocks. This is considered a strong level of encryption. Only available in Model 204 7.5 and later.

SSLCIPH is valid for SRVSOCK, CLSOCK, WEBSERV, OPENSERV, and SDS port types.

See also