Configuring Secure Socket Layer (SSL)

General Operating Rules and Notes

Note

Before enabling SSL on the switch you must generate the switch’s host certificate and key. If you have not already done so, refer to “2. Generate the Switch’s Server Host Certificate” on page 7-8.

When configured for SSL, the switch uses its host certificate to authenticate itself to SSL clients. However, unless you disable the standard web browser interface with the no web-management command, that interface will still be available for unsecured transactions.

SSL Client Contact Behavior. At the first contact between the switch and an SSL client, if you have not copied the switch’s host certificate into the browser’s certificate folder, your browser’s first connection to the switch will question the connection and, for security reasons, give you the option of accepting or refusing. If a CA-signed certificate is used on the switch, for which a root certificate exists on the client browser side, then the browser will NOT prompt the user to ensure the validity of the certificate. The browser will be able to verify the certificate chain of the switch server certificate up to the root certificate installed in the browser, thus authenticating the switch unequivocally. As long as you are confident that an unauthorized device is not using the switch’s IP address in an attempt to gain access to your data or network, you can accept the connection.

When an SSL client connects to the switch for the first time, a “man-in-the-middle” attack is possible; that is, an unauthorized device could pose undetected as the switch and learn the usernames and passwords controlling access to the switch. This applies in particular when the switch uses self-signed certificates. Use caution when connecting for the first time to a switch using self-signed certificates. Before accepting the certificate, closely verify its contents (see your browser documentation for information on viewing the contents of a certificate).

The security concern described above does not exist when using CA-signed certificates that have been generated by certificate authorities that the web browser already trusts.
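The first-contact check described above, as an added example that is not part of the switch manual: a small Python script that fetches the certificate the switch presents and either pins it to a SHA-256 fingerprint obtained out of band (the self-signed case) or builds a context that validates the chain up to a trusted root (the CA-signed case). The switch address, port 443 and the expected fingerprint are assumptions.

```python
"""Out-of-band check of a switch's SSL host certificate before trusting it.
Added example, not from the switch manual; the switch address, port 443 and the
expected fingerprint (obtained out of band, e.g. from the console) are assumptions.
"""
import hashlib
import socket
import ssl

def fingerprint_sha256(der_cert: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint, as browsers display it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize_fingerprint(text: str) -> str:
    """Accept 'ab:cd...', 'AB CD...' or bare hex and return the canonical form."""
    hexdigits = "".join(ch for ch in text if ch.isalnum()).upper()
    if len(hexdigits) != 64 or not set(hexdigits) <= set("0123456789ABCDEF"):
        raise ValueError("expected a 64-hex-digit SHA-256 fingerprint")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 64, 2))

def pinned_match(der_cert: bytes, expected_fingerprint: str) -> bool:
    """Self-signed case: trust only the exact certificate verified out of band,
    which closes the first-contact man-in-the-middle window."""
    return fingerprint_sha256(der_cert) == normalize_fingerprint(expected_fingerprint)

def fetch_peer_cert(host: str, port: int = 443) -> bytes:
    """Retrieve the DER certificate the switch presents without trusting it yet;
    verification is deliberately off here because pinned_match() decides."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def ca_context(root_ca_pem_path: str) -> ssl.SSLContext:
    """CA-signed case: the chain must verify up to this trusted root and the
    hostname must match, so no fingerprint comparison is needed."""
    ctx = ssl.create_default_context(cafile=root_ca_pem_path)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx

if __name__ == "__main__":
    # Constructed placeholders: replace with the real switch address and the
    # fingerprint read from the switch console or the certificate's details.
    SWITCH, EXPECTED = "192.0.2.10", "00:" * 31 + "00"
    cert = fetch_peer_cert(SWITCH)
    print("trusted" if pinned_match(cert, EXPECTED) else "MISMATCH: do not log in")
```

Only a fingerprint match obtained through a channel other than the first HTTPS connection itself (console, serial port, a trusted inventory) turns a self-signed certificate into something a client can rely on.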

7-18