Forum Discussion
- Chris_Miller (Altostratus): Lowest I see through the "New SSL Certificate" section of the Config Utility is 512. You're talking about terminating SSL connections, right?
- jco_105989 (Nimbostratus): Right,
- JRahm (Admin): Certificate key length supports 512-4096. Default ciphers in 10.2 no longer include MD5 hash:
- jco_105989 (Nimbostratus): Thanks for the reply
- L4L7_53191 (Nimbostratus): Jco: that's the public key length, which is a different thing. The ciphers come into play after the negotiation takes place. The 256 encryption you're using is used for the encryption of the data - the handshake is used to negotiate the encryption cipher and length, which is where your 256 bits comes into play.
- JRahm (Admin): Did you generate your key on the LTM? If so, you just need to import the certificate you purchased under Local Traffic->SSL Certificate List -> Import. If not, then you'll need to import both key & certificate (same location). Once that is in place, you'll need to create a clientssl profile that references your certificate. You can specify the cipher to be only AES256-SHA in the ssl profile ciphers section, but it's atypical to limit clients to just one; you might prevent some clients from connecting. Of course, if it's a security requirement for that particular application, then the clients will be knowledgeable on this I suppose, or at least the administrators of those clients will be.
- jco_105989 (Nimbostratus): What does it mean when I set the cipher value to DEFAULT?
- hooleylist (Cirrostratus): You can use tmm --clientciphers 'CIPHER_STRING' to see what ciphers will be included for a given cipher string. Here are a few related posts:
- JRahm (Admin): Part 4 of the SSL Profiles series I'm writing summarizes a lot of this excellent information I've gleaned from the forums:
- nitass (Employee): I usually set ciphers according to sol7815, which blocks anonymous ciphers and connections using 128-bit ciphers or less.
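
Added example (not part of any post above, and not F5 code): an OpenSSL analogue of the cipher-string check discussed in the thread, using Python's ssl module to expand a cipher string and flag anonymous suites or suites of 128 bits or less. BIG-IP's DEFAULT and keyword set are its own, so on the LTM itself the expansion comes from tmm --clientciphers; the function names here are illustrative.

```python
import ssl

def expand(cipher_string):
    """Suites (TLS 1.2 and below) the local OpenSSL selects for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # nothing in this OpenSSL build matches the string
    # TLS 1.3 suites are configured separately and are always listed; skip them.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def violations(cipher_string):
    """Selected suites that are anonymous or use 128 bits or less."""
    bad = []
    for c in expand(cipher_string):
        if c.get("auth") == "auth-null":
            bad.append((c["name"], "anonymous"))
        elif c["strength_bits"] <= 128:
            bad.append((c["name"], "%d-bit" % c["strength_bits"]))
    return bad

if __name__ == "__main__":
    # Cipher strings taken from the thread, plus one mixed string for contrast.
    for s in ("AES256-SHA", "AES128-SHA:AES256-SHA", "DEFAULT"):
        suites = expand(s)
        print("%s -> %d suite(s)" % (s, len(suites)))
        for c in suites:
            print("    %-32s %3d bits" % (c["name"], c["strength_bits"]))
        for name, why in violations(s):
            print("    FLAG %s (%s)" % (name, why))
```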