9-53
Catalyst 3750 Switch Software Configuration Guide
OL-8550-09
Chapter 9 Configuring Switch-Based Authentication
Configuring the Switch for Secure Socket Layer HTTP
The more secure and more complex CipherSuites require slightly more processing time. This list defines the CipherSuites supported by the switch and ranks them from fastest to slowest in terms of router processing load (speed):
1. SSL_RSA_WITH_DES_CBC_SHA—RSA key exchange (RSA Public Key Cryptography) with DES-CBC for message encryption and SHA for message digest
2. SSL_RSA_WITH_RC4_128_MD5—RSA key exchange with RC4 128-bit encryption and MD5 for message digest
3. SSL_RSA_WITH_RC4_128_SHA—RSA key exchange with RC4 128-bit encryption and SHA for message digest
4. SSL_RSA_WITH_3DES_EDE_CBC_SHA—RSA key exchange with 3DES and DES-EDE3-CBC for message encryption and SHA for message digest
RSA (in conjunction with the specified encryption and digest algorithm combinations) is used for both key generation and authentication on SSL connections. This usage is independent of whether or not a CA trustpoint is configured.
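As an added example (not code from the Cisco guide), the following Python script splits the four suite names listed above into their key-exchange, bulk-cipher and MAC components and applies a minimum-strength policy to them. Run on the guide's list, it shows the trade-off the ranking implies: the fastest suite (single DES) is the weakest, and the only one that clears a 112-bit bar is the slowest. The effective key sizes, the policy thresholds and the forward-secrecy classification are this script's assumptions, not values from the guide.

```python
"""Audit the HTTPS cipher suites a Catalyst switch can offer.

Added example, not code from the Cisco guide. The four suite names are the ones
the guide lists; the key-size table and the acceptance policy are assumptions
made here for illustration.
"""
import re
from dataclasses import dataclass

# The guide's list, in the guide's own fastest-to-slowest order.
SWITCH_SUITES = [
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Effective key strength of each bulk-cipher token in bits (assumed reference
# values: single DES is 56-bit, RC4 here uses a 128-bit key, three-key 3DES
# gives about 112 bits of effective strength).
CIPHER_BITS = {"DES_CBC": 56, "RC4_128": 128, "3DES_EDE_CBC": 112}

# <protocol>_<key exchange>_WITH_<bulk cipher>_<mac>: the naming scheme of the
# SSL/TLS suite registry that the guide's names follow.
_SUITE_RE = re.compile(
    r"^(?:SSL|TLS)_(?P<kx>[A-Z0-9]+(?:_[A-Z0-9]+)*?)_WITH_"
    r"(?P<cipher>.+)_(?P<mac>MD5|SHA|SHA256|SHA384)$"
)


@dataclass(frozen=True)
class Suite:
    name: str
    key_exchange: str
    cipher: str
    mac: str
    cipher_bits: int
    forward_secrecy: bool
    findings: tuple  # reasons the suite fails the assumed policy


def parse_suite(name, min_bits=112):
    """Split a suite name into components and record policy findings."""
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name!r}")
    kx, cipher, mac = m.group("kx"), m.group("cipher"), m.group("mac")
    bits = CIPHER_BITS.get(cipher, 0)  # unknown cipher: treat as 0 bits
    findings = []
    if bits < min_bits:
        findings.append(f"{cipher}: {bits}-bit effective key below {min_bits}")
    if cipher.startswith("RC4"):
        findings.append("RC4 stream cipher")
    if mac == "MD5":
        findings.append("MD5-based MAC")
    # Only ephemeral (EC)DH key exchange gives forward secrecy; the static RSA
    # key exchange used by all four suites on the switch does not.
    fs = kx.startswith("DHE") or kx.startswith("ECDHE")
    return Suite(name, kx, cipher, mac, bits, fs, tuple(findings))


def acceptable_suites(names, min_bits=112):
    """Return the suites that pass the policy, keeping the caller's order.

    Fed the guide's list, the result is also ordered fastest-first, so the
    first entry is the fastest suite that still meets the policy.
    """
    return [s for s in (parse_suite(n, min_bits) for n in names) if not s.findings]


if __name__ == "__main__":
    for n in SWITCH_SUITES:
        s = parse_suite(n)
        status = "ok" if not s.findings else "; ".join(s.findings)
        print(f"{s.name:32} {s.key_exchange}/{s.cipher}/{s.mac}  {status}")
    print("fastest acceptable:", [s.name for s in acceptable_suites(SWITCH_SUITES)])
```

Because acceptable_suites() preserves the input order, handing it the guide's fastest-to-slowest list directly answers the question the ranking raises: which suite is the cheapest one the policy still allows. Lowering min_bits to 56 admits the DES suite again, which makes the cost of choosing by speed alone explicit.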
Configuring Secure HTTP Servers and Clients
These sections contain this configuration information:
Default SSL Configuration, page 9-53
SSL Configuration Guidelines, page 9-53
Configuring a CA Trustpoint, page 9-54
Configuring the Secure HTTP Server, page 9-55
Configuring the Secure HTTP Client, page 9-56

Default SSL Configuration

The standard HTTP server is enabled.
SSL is enabled.
No CA trustpoints are configured.
No self-signed certificates are generated.

SSL Configuration Guidelines

When SSL is used in a switch cluster, the SSL session terminates at the cluster commander. Cluster member switches must run standard HTTP.
Before you configure a CA trustpoint, you should ensure that the system clock is set. If the clock is not set, the certificate is rejected due to an incorrect date.
In a switch stack, the SSL session terminates at the stack master.
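An added example (not code from the Cisco guide) that turns the clock guideline above into a check a practitioner can run before configuring a trustpoint: it parses a constructed "show clock" line, compares the switch time with a certificate's notBefore/notAfter window in the form ssl.getpeercert() reports them, and reports the rejection that an unset clock produces. The certificate dates, the "show clock" lines and the 1993 boot-time date are constructed illustrations; reading a leading "*" in "show clock" as "time not authoritative" is an assumption about the usual IOS output format.

```python
"""Check a switch clock against a certificate's validity window.

Added example, not code from the Cisco guide. It models the guideline that an
unset clock makes the switch reject the trustpoint certificate. The certificate
dates, the 'show clock' lines and the 1993 boot-time clock are constructed
illustrations, not values taken from the guide.
"""
import re
import ssl
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed certificate validity window, written the way ssl.getpeercert()
# reports notBefore/notAfter so ssl.cert_time_to_seconds() can parse it.
EXAMPLE_CERT = {
    "notBefore": "Mar  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2026 GMT",
}

# Constructed 'show clock' lines. A leading '*' is taken to mean the time is
# not authoritative (assumed interpretation of the usual IOS output format).
SHOW_CLOCK_UNSET = "*00:02:13.279 UTC Mon Mar 1 1993"
SHOW_CLOCK_SYNCED = "10:30:12.345 UTC Wed Jan 1 2025"

_CLOCK_RE = re.compile(
    r"^(?P<flag>[*.]?)(?P<hms>\d\d:\d\d:\d\d)\.\d+ (?P<tz>\S+) "
    r"\w{3} (?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<year>\d{4})$"
)


@dataclass(frozen=True)
class SwitchClock:
    when: datetime        # timezone-aware
    authoritative: bool   # False when 'show clock' shows a leading '*'


def parse_show_clock(line):
    """Parse a 'show clock' line; only UTC output is accepted here."""
    m = _CLOCK_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised show clock output: {line!r}")
    if m.group("tz") != "UTC":
        raise ValueError("only UTC clocks are handled by this check")
    stamp = f"{m.group('year')} {m.group('mon')} {m.group('day')} {m.group('hms')}"
    when = datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return SwitchClock(when, authoritative=(m.group("flag") != "*"))


def validity_window(cert):
    """Return (not_before, not_after) as Unix timestamps."""
    return (ssl.cert_time_to_seconds(cert["notBefore"]),
            ssl.cert_time_to_seconds(cert["notAfter"]))


def clock_check(cert, clock):
    """Return (ok, reason): will the switch's date pass the certificate check?"""
    if clock.when.tzinfo is None:
        raise ValueError("clock must be timezone-aware")
    not_before, not_after = validity_window(cert)
    t = clock.when.timestamp()
    day = clock.when.strftime("%Y-%m-%d")
    if t < not_before:
        return False, f"clock {day} is before notBefore {cert['notBefore']}"
    if t > not_after:
        return False, f"clock {day} is after notAfter {cert['notAfter']}"
    if not clock.authoritative:
        return True, f"clock {day} is inside the window but not authoritative; set the clock or NTP first"
    return True, f"clock {day} is inside the validity window"


if __name__ == "__main__":
    for line in (SHOW_CLOCK_UNSET, SHOW_CLOCK_SYNCED):
        ok, why = clock_check(EXAMPLE_CERT, parse_show_clock(line))
        print(f"{line!r:40} -> {'accept' if ok else 'reject'}: {why}")
```

The date comparison is the part the guideline is about; the authoritative flag is carried alongside because a clock that happens to fall inside the window by chance is not one to trust for certificate validation either.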