Chapter 2 Commands for the Catalyst 6500 Series SSL Services Module
policy ssl
When you enter the close-notify strict command, the SSL Services Module sends a close-notify alert message to the SSL peer, and the SSL Services Module expects a close-notify alert message from the SSL peer. If the SSL Services Module does not receive a close-notify alert, SSL resumption is not allowed for that session.
When you enter the close-notify none command, the SSL Services Module does not send a close-notify alert message to the SSL peer, and the SSL Services Module does not expect a close-notify alert message from the SSL peer. The SSL Services Module preserves the session information so that SSL resumption can be used for future SSL connections.
When close-notify is disabled (the default), the SSL Services Module sends a close-notify alert message to the SSL peer; however, the SSL Services Module does not expect a close-notify alert from the SSL peer before removing the session. Whether or not the SSL peer sends the close-notify alert, the session information is preserved, allowing session resumption for future SSL connections.
The cipher-suite names follow the same convention as the existing SSL stacks.
The cipher suites that are acceptable to the proxy server are as follows:
•all-export—All export ciphers
•all-strong—All strong ciphers (default)
•all—All supported ciphers
•RSA-WITH-3DES-EDE-CBC-SHA—RSA with 3des-sha
•RSA-WITH-DES-CBC-SHA—RSA with des-sha
•RSA-WITH-RC4-128-MD5—RSA with rc4-md5
•RSA-WITH-RC4-128-SHA—RSA with rc4-sha
•RSA-EXP-WITH-DES40-CBC-SHA—RSA export with des40-sha
•RSA-EXP-WITH-RC4-40-MD5—RSA export with rc4-md5
•RSA-EXP1024-WITH-DES-CBC-SHA—RSA export1024 with des-sha
•RSA-EXP1024-WITH-RC4-56-MD5—RSA export1024 with rc4-md5
•RSA-EXP1024-WITH-RC4-56-SHA—RSA export1024 with rc4-sha
•RSA-WITH-NULL-MD5—RSA with null-md5
Note that the NULL suite provides integrity only and no confidentiality, the export suites (EXP and EXP1024) use deliberately shortened 40-bit and 56-bit symmetric keys, and single DES and RC4 are no longer considered adequate. The all and all-export keywords admit these suites, so prefer the all-strong default or an explicit list of acceptable suites.
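The suite names above encode the key exchange, an optional export marker, the bulk cipher and the MAC, so a policy audit can derive each suite's properties from the name alone. The following is an added example, not code from the Cisco command reference: it parses every suite listed above with that naming convention and flags the ones a practitioner would not enable. The weakness criteria (NULL, export-grade or 56-bit keys, RC4) are this example's own choices, not the module's definition of all-strong.

```python
import re
from dataclasses import dataclass

# Suite names exactly as the command reference lists them.
SSLSM_SUITES = [
    "RSA-WITH-3DES-EDE-CBC-SHA",
    "RSA-WITH-DES-CBC-SHA",
    "RSA-WITH-RC4-128-MD5",
    "RSA-WITH-RC4-128-SHA",
    "RSA-EXP-WITH-DES40-CBC-SHA",
    "RSA-EXP-WITH-RC4-40-MD5",
    "RSA-EXP1024-WITH-DES-CBC-SHA",
    "RSA-EXP1024-WITH-RC4-56-MD5",
    "RSA-EXP1024-WITH-RC4-56-SHA",
    "RSA-WITH-NULL-MD5",
]

# <key exchange>[-EXP|-EXP1024]-WITH-<bulk cipher>-<mac>
_NAME = re.compile(
    r"^(?P<kx>RSA)(?:-(?P<exp>EXP1024|EXP))?-WITH-(?P<cipher>.+)-(?P<mac>MD5|SHA)$"
)


@dataclass(frozen=True)
class Suite:
    name: str
    export: bool        # EXP / EXP1024 suites carry deliberately shortened keys
    cipher: str         # bulk cipher token, e.g. "RC4-128", "DES-CBC", "NULL"
    key_bits: int       # nominal symmetric key length
    mac: str
    weaknesses: tuple   # empty means this audit raises no concern


def parse_suite(name: str) -> Suite:
    """Derive cipher properties from an SSLSM-style suite name."""
    m = _NAME.match(name)
    if not m:
        raise ValueError(f"not an SSLSM cipher-suite name: {name!r}")
    cipher, export, mac = m["cipher"], m["exp"] is not None, m["mac"]
    if cipher == "NULL":
        bits = 0
    elif cipher.startswith("3DES"):
        bits = 168
    elif cipher.startswith("DES40"):
        bits = 40
    elif cipher.startswith("DES"):
        bits = 56
    elif cipher.startswith("RC4-"):
        bits = int(cipher.split("-")[1])
    else:
        raise ValueError(f"unknown bulk cipher in {name!r}")

    weak = []
    if bits == 0:
        weak.append("NULL cipher: integrity only, no confidentiality")
    elif export or bits <= 56:
        weak.append(f"{bits}-bit key is brute-forceable")
    if cipher.startswith("RC4"):
        weak.append("RC4 keystream biases (prohibited by RFC 7465)")
    return Suite(name, export, cipher, bits, mac, tuple(weak))


def audit(names=SSLSM_SUITES) -> dict:
    """Map each suite name to the list of weaknesses found (empty = acceptable)."""
    return {n: list(parse_suite(n).weaknesses) for n in names}


def acceptable(names=SSLSM_SUITES) -> list:
    """Suites this audit would leave enabled."""
    return [n for n, w in audit(names).items() if not w]


if __name__ == "__main__":
    for name, w in audit().items():
        print(f"{name:32s} {'OK' if not w else '; '.join(w)}")
```

Only RSA-WITH-3DES-EDE-CBC-SHA survives this audit, and it survives only because it is the one suite on the list without a flagged weakness; its 64-bit block size is itself a concern for long-lived connections, so the right fix on this platform is to keep the all-strong default and to front it with a modern terminator where possible.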
If you enter the timeout session timeout absolute command, the session entry is kept in the session cache for the configured timeout before it is cleaned up. If the session cache is full, the timers are active for all of the entries, and the absolute keyword is configured, all further new sessions are rejected.
If you enter the timeout session timeout command without the absolute keyword, the specified timeout is treated as a maximum, and a best-effort attempt is made to keep the session entry in the session cache for that long. If the session cache runs out of entries, an entry that is currently in use is removed to make room for incoming new connections.
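The two timeout modes differ in what happens when the cache fills: with absolute, a full cache whose timers are all still running rejects new sessions outright, while best effort evicts an existing entry. The following is an added model of that behaviour, not code from the module or the command reference. The cache size, clock values and session ids are constructed, and because the reference does not say which entry is evicted in best-effort mode, this model evicts the least recently used one (an assumption).

```python
from collections import OrderedDict


class SessionCache:
    """Bounded SSL session cache with the two timeout modes described above.

    absolute=True  : entries stay until their timer expires; when the cache is
                     full and every timer is still active, a new session is rejected.
    absolute=False : the timeout is a maximum and caching is best effort; when
                     the cache is full, an existing entry is evicted to admit the
                     new one (least recently used here, an assumption).
    """

    def __init__(self, max_entries: int, timeout: int, absolute: bool):
        self.max_entries = max_entries
        self.timeout = timeout
        self.absolute = absolute
        self._entries = OrderedDict()   # session_id -> expiry time

    def _expire(self, now: int) -> None:
        """Drop entries whose timer has run out."""
        for sid in [s for s, exp in self._entries.items() if exp <= now]:
            del self._entries[sid]

    def add(self, session_id: str, now: int):
        """Admit a session established by a full handshake.

        Returns (accepted, evicted_id). accepted=False models the absolute-mode
        rejection of a new session when the cache is full.
        """
        self._expire(now)
        evicted = None
        if session_id not in self._entries and len(self._entries) >= self.max_entries:
            if self.absolute:
                return False, None          # cache full, all timers active: reject
            evicted, _ = self._entries.popitem(last=False)   # best effort: evict LRU
        self._entries.pop(session_id, None)
        self._entries[session_id] = now + self.timeout
        return True, evicted

    def can_resume(self, session_id: str, now: int) -> bool:
        """True if an abbreviated handshake may resume this session id."""
        self._expire(now)
        if session_id not in self._entries:
            return False
        self._entries.move_to_end(session_id)   # resumption counts as recent use
        return True

    def __len__(self) -> int:
        return len(self._entries)
```

The absolute mode is the one to size carefully: a burst of full handshakes that fills the cache turns every further new connection away until a timer expires, which is an availability risk the best-effort mode trades for a lower resumption rate.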
By default, the SSL Services Module looks for a CA-name match before returning the certificate, so if the SSL server does not include a CA-name list in the certificate request during client authentication, the handshake fails. When you enter the cert-req empty command, the SSL Services Module back-end service always returns the certificate associated with the trustpoint and does not look for a CA-name match.
By default, the SSL Services Module uses the maximum supported SSL protocol version (SSL 2.0, SSL 3.0, or TLS 1.0) in the ClientHello message. Enter the tls-rollback {current | any} command if the SSL client uses the negotiated version instead of the maximum supported version that it advertised in the ClientHello message; with the default behavior, that version mismatch is treated as a rollback attempt and the handshake fails.
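The check that tls-rollback relaxes is the one TLS performs on the RSA premaster secret: the client echoes the version it offered in the ClientHello, so a server that sees a lower ClientHello version than the premaster carries knows the ClientHello was rewritten in transit (RFC 2246 section 7.4.7.1). The following is an added example, not code from the module or the command reference. The mode names "current" and "any" follow the command keywords but their exact semantics here are an assumption made for illustration, "strict" is this example's label for the default, and the three handshakes are constructed.

```python
import os

SSL3_0 = (3, 0)
TLS1_0 = (3, 1)

# "strict" models the default; "current" and "any" are assumed semantics for the
# tls-rollback keywords, constructed for this example.
MODES = ("strict", "current", "any")


def make_premaster(version: tuple, random46: bytes = None) -> bytes:
    """Build the 48-byte RSA premaster secret: 2-byte version + 46 random bytes."""
    random46 = os.urandom(46) if random46 is None else random46
    if len(random46) != 46:
        raise ValueError("premaster needs 46 random bytes")
    return bytes(version) + random46


def premaster_version_ok(premaster: bytes, client_hello_version: tuple,
                         negotiated_version: tuple, mode: str = "strict") -> bool:
    """Server-side rollback check on the decrypted RSA premaster secret.

    strict  : premaster version must equal the ClientHello version (RFC 2246).
    current : additionally accept the negotiated version (for clients that
              echo the wrong field), an assumed reading of the keyword.
    any     : skip the check entirely, an assumed reading of the keyword.
    A real server must not alert on failure but continue with a random
    premaster (RFC 5246 7.4.7.1, Bleichenbacher countermeasure); this helper
    only reports the decision.
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    if len(premaster) != 48:
        return False
    pm_version = (premaster[0], premaster[1])
    if mode == "any":
        return True
    if pm_version == client_hello_version:
        return True
    return mode == "current" and pm_version == negotiated_version


def scenarios() -> dict:
    """Three constructed handshakes; each maps to {mode: accepted}."""
    cases = {
        # Well-behaved client: offered TLS 1.0, got TLS 1.0, echoed TLS 1.0.
        "honest": (make_premaster(TLS1_0), TLS1_0, TLS1_0),
        # Buggy client that echoes the negotiated SSL 3.0 version although it
        # offered TLS 1.0; this is the client the command exists for.
        "buggy_client": (make_premaster(SSL3_0), TLS1_0, SSL3_0),
        # Rollback attack: the client offered and echoes TLS 1.0, but the
        # ClientHello the server received was rewritten to SSL 3.0 in transit.
        "rollback_attack": (make_premaster(TLS1_0), SSL3_0, SSL3_0),
    }
    return {
        name: {m: premaster_version_ok(pm, hello, neg, m) for m in MODES}
        for name, (pm, hello, neg) in cases.items()
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:16s} {result}")
```

The rollback_attack row is the reason to prefer current over any: current still rejects the forged handshake while admitting the buggy client, whereas any discards the only evidence the server has that a downgrade took place.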
Catalyst 6500 Series Switch SSL Services Module Command Reference
Text Part Number OL-9105-01