Cisco Systems 3130 CipherSuites

7-44

Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide

OL-13270-01

Chapter7 Configuring Switch-Based Authentication

Configuring the Switch for Secure Socket Layer HTTP

You can remove this self-signed certificate by disabling the secure HTTP server and entering the no

crypto pki trustpoint TP-self-signed-30890755072 global configuration command. If you late r

re-enable a secure HTTP server, a new self-signed certificate is generated.

Note The values that follow TP self-signed depend on the serial number of the device.

You can use an optional command (ip http secure-client-auth) to allow the HTTPS server to request an

X.509v3 certificate from the client. Authenticating the client provides more security than server

authentication by itself.

For additional information on Certificate Authorities, see the “Configuring Certification Authority

Interoperability” chapter in the Cisco IOS Security Co nfiguration Gu ide, Rel ease 12. 2.

CipherSuites

A CipherSuite specifies the encryption algorithm and the digest algorithm to use on a SSL connection.

When connecting to the HTTPS server, the client Web browser offers a list of supported CipherSuites,

and the client and server negotiate the best encryption algorithm to use from those on the list that are

supported by both. For example, Netscape Communicator 4.76 supports U.S. secur ity with RSA Public

Key Cryptography, MD2, MD5, RC2-CBC, RC4, DES-CBC, and DES-EDE3-CBC.

For the best possible encryption, you should use a client browser that suppo rts 128-bit encryption, such

as Microsoft Internet Explorer Version 5.5 (or later) or Netscape Communicator Version 4.76 (or later).

The SSL_RSA_WITH_DES_CBC_SHA CipherSuite provides less security than the other CipherSuites,

as it does not offer 128-bit encryption.

The more secure and more complex CipherSuites require slightly more processing time. This list defines

the CipherSuites supported by the switch and ranks them from fastest to slowest in terms of router

processing load (speed):

1. SSL_RSA_WITH_DES_CBC_SHA—RSA key exchange (RSA Public Key Cryptography) with

DES-CBC for message encryption and SHA for message digest

2. SSL_RSA_WITH_RC4_128_MD5—RSA key exchange with RC4 128-bit encryption and MD5 for

message digest

3. SSL_RSA_WITH_RC4_128_SHA—RSA key exchange with RC4 128-bit encryption and SHA for

message digest

4. SSL_RSA_WITH_3DES_EDE_CBC_SHA—RSA key exchange with 3DES and DES-EDE3-CBC

for message encryption and SHA for message digest

RSA (in conjunction with the specified encryption and digest algorithm combinati on s) is use d f or b oth

key generation and authentication on SSL connections. This usage is independent of whether or not a

CA trustpoint is configured.