How do we enable/disable encryption algorithms if SSL is terminating on the router (no ELB before the routers)?

For example,

Disable: MD5, 3DES, SHA-1
Enable: AES128, AES256, SHA-2

OPDK version 15.07

1 ACCEPTED SOLUTION

Dear @Akash Prabhashankar,

If SSL terminates at the router, then you need to set the supported ciphers in the Cipher element within the SSLInfo section of the virtual host. For example:

If the ciphers/algorithms TLS_RSA_WITH_AES_256_CBC_SHA256 and TLS_RSA_WITH_AES_128_CBC_SHA256 are supported, then include them as shown below:

<VirtualHost name="https_vhost">
    <HostAliases>
        <HostAlias>www.somehost.com</HostAlias>
    </HostAliases>
    <Interfaces/>
    <Port>someport</Port>
    <SSLInfo>
        <Ciphers>
            <!-- Allow-list: only suites listed here can be negotiated -->
            <Cipher>TLS_RSA_WITH_AES_256_CBC_SHA256</Cipher>
            <Cipher>TLS_RSA_WITH_AES_128_CBC_SHA256</Cipher>
        </Ciphers>
        <ClientAuthEnabled>false</ClientAuthEnabled>
        <Enabled>true</Enabled>
        <IgnoreValidationErrors>false</IgnoreValidationErrors>
        <KeyAlias>myKeyAlias</KeyAlias>
        <KeyStore>myKeyStore</KeyStore>
        <Protocols>
            <Protocol>TLSv1</Protocol>
            <Protocol>TLSv1.1</Protocol>
            <Protocol>TLSv1.2</Protocol>
        </Protocols>
    </SSLInfo>
</VirtualHost>

Note: You can include any other Ciphers that you would like to enable/support under Cipher element. Just ensure the ciphers that you want to disable (unsupported) are not listed under Cipher element.

Thanks,

Amar
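Two points a practitioner would check before shipping the configuration above. First, because the Cipher list is an allow-list, anything not named is already disabled, so the audit is simply "does any listed IANA suite name carry _MD5, _3DES_ or a trailing _SHA (HMAC-SHA1)?". Second, the asker's goal of dropping SHA-1 is not met while TLSv1 and TLSv1.1 stay in the Protocols list, since those handshakes still rely on MD5/SHA-1 in the PRF and signatures; only TLSv1.2 should remain. The script below is an added example, not code from the original answer or from Apigee: it parses a VirtualHost XML fragment of the shape shown above (the sample is constructed, with two weak suites added so there is something to flag), reports weak suites and legacy protocols, and emits a hardened copy. Flagging TLS_RSA_* suites for lacking forward secrecy is an optional, stricter check.

```python
"""Audit and harden the SSLInfo block of an Apigee VirtualHost (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample, not from a real deployment: the VirtualHost from the
# accepted answer with one HMAC-SHA1 suite and one 3DES suite added.
SAMPLE_VHOST = """<VirtualHost name="https_vhost">
    <HostAliases>
        <HostAlias>www.somehost.com</HostAlias>
    </HostAliases>
    <Interfaces/>
    <Port>someport</Port>
    <SSLInfo>
        <Ciphers>
            <Cipher>TLS_RSA_WITH_AES_256_CBC_SHA256</Cipher>
            <Cipher>TLS_RSA_WITH_AES_128_CBC_SHA256</Cipher>
            <Cipher>TLS_RSA_WITH_AES_128_CBC_SHA</Cipher>
            <Cipher>TLS_RSA_WITH_3DES_EDE_CBC_SHA</Cipher>
        </Ciphers>
        <ClientAuthEnabled>false</ClientAuthEnabled>
        <Enabled>true</Enabled>
        <IgnoreValidationErrors>false</IgnoreValidationErrors>
        <KeyAlias>myKeyAlias</KeyAlias>
        <KeyStore>myKeyStore</KeyStore>
        <Protocols>
            <Protocol>TLSv1</Protocol>
            <Protocol>TLSv1.1</Protocol>
            <Protocol>TLSv1.2</Protocol>
        </Protocols>
    </SSLInfo>
</VirtualHost>
"""

# Fragments of IANA suite names that identify the algorithms to disable.
# A suite whose name ends in plain _SHA uses HMAC-SHA1; _SHA256/_SHA384 do not.
WEAK_SUITE_RULES = [
    ("MD5 MAC", re.compile(r"_MD5$")),
    ("3DES cipher", re.compile(r"_3DES_")),
    ("SHA-1 MAC", re.compile(r"_SHA$")),
    ("RC4 cipher", re.compile(r"_RC4_")),
    ("NULL encryption", re.compile(r"_NULL_")),
    ("export-grade", re.compile(r"_EXPORT")),
    ("anonymous key exchange", re.compile(r"_anon_")),
]

# TLS 1.0/1.1 handshakes are bound to MD5/SHA-1, so "no SHA-1" means TLS 1.2 only.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_sslinfo(vhost_xml):
    """Extract the negotiable suites and protocols from a VirtualHost fragment."""
    root = ET.fromstring(vhost_xml)
    ssl = root.find("SSLInfo")
    if ssl is None:
        raise ValueError("VirtualHost has no SSLInfo element")
    return {
        "enabled": (ssl.findtext("Enabled") or "").strip().lower() == "true",
        "ciphers": [c.text.strip() for c in ssl.iter("Cipher") if c.text],
        "protocols": [p.text.strip() for p in ssl.iter("Protocol") if p.text],
    }


def audit_sslinfo(vhost_xml, require_forward_secrecy=False):
    """Return one finding string per weak suite/protocol; empty list means clean."""
    info = parse_sslinfo(vhost_xml)
    findings = []
    if not info["enabled"]:
        findings.append("SSLInfo/Enabled is not true; TLS is not terminated here")
    for suite in info["ciphers"]:
        for label, pattern in WEAK_SUITE_RULES:
            if pattern.search(suite):
                findings.append(f"cipher {suite}: {label}")
        # Static RSA key exchange has no forward secrecy; ECDHE/DHE suites do.
        if require_forward_secrecy and not suite.startswith(("TLS_ECDHE_", "TLS_DHE_")):
            findings.append(f"cipher {suite}: static key exchange, no forward secrecy")
    for proto in info["protocols"]:
        if proto in WEAK_PROTOCOLS:
            findings.append(f"protocol {proto}: legacy handshake relies on MD5/SHA-1")
    return findings


def harden_sslinfo(vhost_xml):
    """Return a copy of the fragment with weak suites and legacy protocols removed."""
    root = ET.fromstring(vhost_xml)
    ssl = root.find("SSLInfo")
    ciphers = ssl.find("Ciphers") if ssl is not None else None
    if ciphers is not None:
        for c in list(ciphers):
            if any(p.search(c.text or "") for _, p in WEAK_SUITE_RULES):
                ciphers.remove(c)
    protocols = ssl.find("Protocols") if ssl is not None else None
    if protocols is not None:
        for p in list(protocols):
            if (p.text or "").strip() in WEAK_PROTOCOLS:
                protocols.remove(p)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_sslinfo(SAMPLE_VHOST):
        print("WEAK:", finding)
    print(harden_sslinfo(SAMPLE_VHOST))
```

Run the audit against the VirtualHost definition actually deployed on the router, not just the snippet in the ticket, and keep in mind that an ECDHE_ECDSA suite is only negotiable when the KeyAlias points at an EC certificate; with an RSA key it is silently unusable.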


3 REPLIES


Thank you so much @AMAR DEVEGOWDA

@AMAR DEVEGOWDA Does this require an RMP restart?