Cisco Systems 6500 2-42, all-export-All export ciphers all-strong-All strong ciphers default


Chapter 2 Commands for the Catalyst 6500 Series SSL Services Module

policy ssl

When you enter the close-notify strict command, the SSL Services Module sends a close-notify alert message to the SSL peer, and the SSL Services Module expects a close-notify alert message from the SSL peer. If the SSL Services Module does not receive a close-notify alert, SSL resumption is not allowed for that session.

When you enter the close-notify none command, the SSL Services Module does not send a close-notify alert message to the SSL peer, and the SSL Services Module does not expect a close-notify alert message from the SSL peer. The SSL Services Module preserves the session information so that SSL resumption can be used for future SSL connections.

When close-notify is disabled (default), the SSL Services Module sends a close-notify alert message to the SSL peer; however, the SSL peer does not expect a close-notify alert before removing the session. Whether or not the SSL peer sends the close-notify alert, the session information is preserved, allowing session resumption for future SSL connections.

The cipher-suite names follow the same convention as the existing SSL stacks.

The cipher-suites that are acceptable to the proxy-server are as follows:

• all-export—All export ciphers
• all-strong—All strong ciphers (default)
• all—All supported ciphers
• RSA-WITH-3DES-EDE-CBC-SHA—RSA with 3des-sha
• RSA-WITH-DES-CBC-SHA—RSA with des-sha
• RSA-WITH-RC4-128-MD5—RSA with rc4-md5
• RSA-WITH-RC4-128-SHA—RSA with rc4-sha
• RSA-EXP-WITH-DES40-CBC-SHA—RSA export with des40-sha
• RSA-EXP-WITH-RC4-40-MD5—RSA export with rc4-md5
• RSA-EXP1024-WITH-DES-CBC-SHA—RSA export1024 with des-sha
• RSA-EXP1024-WITH-RC4-56-MD5—RSA export1024 with rc4-md5
• RSA-EXP1024-WITH-RC4-56-SHA—RSA export1024 with rc4-sha
• RSA-WITH-NULL-MD5—RSA with null-md5
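The list above is what a reviewer has to reason about when auditing a policy ssl configuration: which suites a keyword such as all-export or all-strong actually turns on, and how each one measures up today. The following Python is an added example written for this page, not Cisco code: it parses the suite names in the module's naming convention, expands the three keywords (the membership of all-strong, taken here as every non-export suite with a real cipher, is an assumption, since the manual does not spell it out), and lists the findings a current review would raise. The key-length table is a constructed lookup.

```python
import re
from typing import Dict, List, NamedTuple

# Cipher-suite names exactly as listed for the SSL Services Module policy.
SSM_CIPHER_SUITES = [
    "RSA-WITH-3DES-EDE-CBC-SHA",
    "RSA-WITH-DES-CBC-SHA",
    "RSA-WITH-RC4-128-MD5",
    "RSA-WITH-RC4-128-SHA",
    "RSA-EXP-WITH-DES40-CBC-SHA",
    "RSA-EXP-WITH-RC4-40-MD5",
    "RSA-EXP1024-WITH-DES-CBC-SHA",
    "RSA-EXP1024-WITH-RC4-56-MD5",
    "RSA-EXP1024-WITH-RC4-56-SHA",
    "RSA-WITH-NULL-MD5",
]

# Nominal symmetric key length of each bulk-cipher token (constructed lookup table).
CIPHER_BITS = {
    "3DES-EDE-CBC": 168,
    "DES-CBC": 56,
    "DES40-CBC": 40,
    "RC4-128": 128,
    "RC4-56": 56,
    "RC4-40": 40,
    "NULL": 0,
}


class CipherSuite(NamedTuple):
    name: str
    key_exchange: str
    export: bool      # True for RSA-EXP-* and RSA-EXP1024-* suites
    cipher: str       # bulk-cipher token, e.g. "RC4-128"
    mac: str          # "MD5" or "SHA"


# Naming convention on this page: <kx>[-EXP|-EXP1024]-WITH-<cipher>-<mac>
_SUITE_RE = re.compile(
    r"^(?P<kx>RSA)(?:-(?P<exp>EXP(?:1024)?))?-WITH-(?P<cipher>.+)-(?P<mac>MD5|SHA)$"
)


def parse_suite(name: str) -> CipherSuite:
    """Split a suite name into key exchange, export flag, bulk cipher and MAC."""
    m = _SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised cipher-suite name: {name}")
    return CipherSuite(name, m["kx"], m["exp"] is not None, m["cipher"], m["mac"])


def expand_policy(keyword: str) -> List[str]:
    """Return the suites a policy keyword selects.

    "all" and "all-export" follow the manual directly. "all-strong" is taken
    to mean every non-export suite with a real cipher; that is an assumption,
    the manual does not list its members."""
    if keyword == "all":
        return list(SSM_CIPHER_SUITES)
    if keyword == "all-export":
        return [s for s in SSM_CIPHER_SUITES if parse_suite(s).export]
    if keyword == "all-strong":
        return [s for s in SSM_CIPHER_SUITES
                if not parse_suite(s).export and parse_suite(s).cipher != "NULL"]
    if keyword in SSM_CIPHER_SUITES:
        return [keyword]
    raise ValueError(f"unknown cipher keyword: {keyword}")


def audit_suite(name: str) -> List[str]:
    """Findings a reviewer would raise against one suite by current standards."""
    suite = parse_suite(name)
    bits = CIPHER_BITS[suite.cipher]
    findings = []
    if suite.export:
        findings.append("export-grade suite (deliberately weakened key material)")
    if bits == 0:
        findings.append("NULL cipher: no confidentiality at all")
    elif bits < 128:
        findings.append(f"{bits}-bit key is below the 128-bit minimum")
    if suite.cipher.startswith("RC4"):
        findings.append("RC4 is prohibited for TLS (RFC 7465)")
    if "DES" in suite.cipher:
        findings.append("64-bit block cipher (DES/3DES) is below current minimum block size")
    if suite.mac == "MD5":
        findings.append("MD5-based MAC is deprecated")
    return findings


def audit_policy(keyword: str) -> Dict[str, List[str]]:
    """Map every suite selected by a policy keyword to its findings."""
    return {s: audit_suite(s) for s in expand_policy(keyword)}


if __name__ == "__main__":
    # Even the default "all-strong" selection gets findings under current guidance.
    for suite, findings in audit_policy("all-strong").items():
        print(suite)
        for finding in findings:
            print("   -", finding)
```

Running the script over the default all-strong keyword shows that every suite this module can offer, not only the export ones, carries at least one finding by current guidance; the practical mitigation is to terminate TLS on a platform with a modern cipher set rather than to tune this list.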

If you enter the timeout session timeout absolute command, the session entry is kept in the session cache for the configured timeout before it is cleaned up. When the absolute keyword is configured and the session cache is full with the timers still active for all entries, all further new sessions are rejected.

If you enter the timeout session timeout command without the absolute keyword, the specified timeout is treated as the maximum timeout and a best-effort attempt is made to keep the session entry in the session cache. If the session cache runs out of session entries, the session entry that is currently being used is removed for incoming new connections.
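The difference between the two forms matters operationally: with absolute, a full cache turns into a denial of new sessions until timers expire, whereas the best-effort form trades resumability of old sessions for availability. The Python below is an added model of that behaviour, written for this page and not the module's own code. It assumes a fixed-capacity cache keyed by session ID and, for the best-effort form, that the oldest entry is the one dropped (the manual does not say which entry is removed). The scenario in demo() is constructed.

```python
from collections import OrderedDict
from typing import Dict


class SessionCache:
    """Toy model of the SSL Services Module session cache.

    absolute=True models `timeout session <secs> absolute`: an entry lives for
    the full timeout and, while the cache is full of live entries, every new
    session is rejected.  absolute=False models the best-effort form: the
    timeout is a maximum, and a full cache makes room for a new session by
    dropping an existing entry (assumption: the oldest one)."""

    def __init__(self, capacity: int, timeout: float, absolute: bool) -> None:
        self.capacity = capacity
        self.timeout = timeout
        self.absolute = absolute
        # session_id -> expiry time, insertion ordered (oldest first)
        self._entries: "OrderedDict[bytes, float]" = OrderedDict()

    def _expire(self, now: float) -> None:
        """Drop entries whose timer has run out."""
        for sid in [s for s, expiry in self._entries.items() if expiry <= now]:
            del self._entries[sid]

    def insert(self, session_id: bytes, now: float) -> bool:
        """Cache a newly negotiated session; False means the new session was rejected."""
        self._expire(now)
        if session_id in self._entries:
            del self._entries[session_id]        # re-insert at the tail
        elif len(self._entries) >= self.capacity:
            if self.absolute:
                return False                     # all timers still active: reject
            self._entries.popitem(last=False)    # best effort: evict the oldest entry
        self._entries[session_id] = now + self.timeout
        return True

    def resumable(self, session_id: bytes, now: float) -> bool:
        """True if a client presenting this session ID could resume it."""
        self._expire(now)
        return session_id in self._entries

    def __len__(self) -> int:
        return len(self._entries)


def demo() -> Dict[bool, Dict[str, bool]]:
    """Constructed scenario: 2-entry cache, 10 s timeout, three sessions 1 s apart."""
    result = {}
    for absolute in (True, False):
        cache = SessionCache(capacity=2, timeout=10.0, absolute=absolute)
        cache.insert(b"sess-a", now=0.0)
        cache.insert(b"sess-b", now=1.0)
        accepted_c = cache.insert(b"sess-c", now=2.0)   # cache is full here
        result[absolute] = {
            "third_session_accepted": accepted_c,
            "a_resumable": cache.resumable(b"sess-a", now=3.0),
            # by t=11 the timers of sess-a and sess-b have run out
            "after_expiry_accepted": cache.insert(b"sess-d", now=11.0),
        }
    return result


if __name__ == "__main__":
    for absolute, outcome in demo().items():
        print("absolute" if absolute else "best-effort", outcome)
```

In the absolute run the third session is refused while the first two timers are live, and the first session stays resumable; in the best-effort run the third session is accepted at the cost of the oldest entry. A monitoring check on a full cache under absolute is therefore a check for rejected handshakes, not for evictions.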

When you enter the cert-req empty command, the SSL Services Module back-end service always returns the certificate associated with the trustpoint and does not look for a CA-name match. By default, the SSL Services Module always looks for a CA-name match before returning the certificate. If the SSL server does not include a CA-name list in the certificate request during client authentication, the handshake fails.

By default, the SSL Services Module uses the maximum supported SSL protocol version (SSL2.0, SSL3.0, or TLS1.0) in the ClientHello message. Enter the tls-rollback [current | any] command if the SSL client uses the negotiated version instead of the maximum supported version (as specified in the ClientHello message).

Catalyst 6500 Series Switch SSL Services Module Command Reference

2-42

OL-9105-01
