| Home Prev |  cOS Core 14.00.17 Administration Guide
|
Next |
|---|
These global settings affect the operation of both SSL VPN and the TLS ALG (see Section 10.6, SSL VPN and Section 6.1.11, TLS ALG). In addition, the cOS Core management Web Interface is affected.
This selects the version of SSL that cOS Core will support. The options are the following:
TLSv1.0 - Either TLS version 1.0 or 1.2 is acceptable.
TLSv1.2 - Only TLS version 1.2 is acceptable.
cOS Core provides support for TLS version 1.2 as defined by RFC-5246. TLS version 1.1 is not supported.
Default: TLSv1.0
The maximum amount of CPU resources that SSL processing is allowed to use for opening new SSL connections. This setting affects all cOS Core subsystems that make use of SSL processing.If the proportion of CPU time allocated is not sufficient then some SSL connection setups may fail under a heavy SSL load and the following log message will be seen:
SSL Handshake: Disallow ClientKeyExchange. Closing down SSL connection
The solution to the problem is to increase the maximum CPU resources available from the default setting of Normal (about 17%) up to either High (about 25%) or Very High (about 50%). However, a higher CPU allocation may adversely affect the responsiveness of other cOS Core subsystems.
Lowering the priority is not normally needed unless there is a reason to reduce the CPU time allocated to SSL connection setup.
Default: Normal (about 17%)
Recommended SSL/TLS Cipher Suites
The following cipher-suites are the recommended suites to use because of their security.TLS ECDHE RSA WITH AES 128 CBC SHA256
Enable cipher TLS ECDHE RSA WITH AES 128 CBC SHA256.Default: Enabled
TLS ECDHE RSA WITH AES 256 CBC SHA1
Enable cipher TLS ECDHE RSA WITH AES 256 CBC SHA1.Default: Enabled
TLS ECDHE RSA WITH AES 128 CBC SHA1
Enable cipher TLS ECDHE RSA WITH AES 128 CBC SHA1.Default: Enabled
TLS RSA WITH AES 256 CBC SHA256
Enable cipher TLS_RSA_WITH_AES_256_CBC_SHA256.Default: Enabled
Enable cipher TLS_RSA_WITH_AES_256_CBC_SHA1.Default: Enabled
TLS RSA WITH AES 128 CBC SHA256
Enable cipher TLS_RSA_WITH_AES_128_CBC_SHA256.Default: Enabled
Enable cipher TLS_RSA_WITH_AES_128_CBC_SHA1.Default: Enabled
Deprecated SSL/TLS Cipher Suites
The following cipher-suites are deprecated because of poor security and disabled by default but can be enabled if required although this is not recommended.TLS RSA 3DES 168 SHA1
Enable cipher RSA_WITH_3DES_168_SHA1.Default: Disabled
TLS RSA RC4 128 SHA1
Enable cipher RSA_WITH_RC4_128_SHA1.Default: Disabled
TLS RSA RC4 128 MD5
Enable cipher TLS_RSA_WITH_RC4_128_MD5.Default: Disabled
TLS RSA EXPORT 1024 RC4 56 SHA1
Enable cipher TLS_RSA_EXPORT1024_WITH_RC4_56_SHA1.Default: Disabled
TLS RSA EXPORT 1024 RC4 40 MD5
Enable cipher TLS_RSA_EXPORT1024_WITH_RC4_40_MD5.Default: Disabled
TLS RSA EXPORT 1024 RC2 40 MD5
Enable cipher TLS_RSA_EXPORT1024_WITH_RC2_40_MD5.Default: Disabled
TLS RSA EXPORT NULL SHA1
Enable cipher TLS_RSA_EXPORT_WITH_NULL_SHA1 (no encryption, just message validation).Default: Disabled
TLS RSA EXPORT NULL MD5
Enable cipher TLS_RSA_EXPORT_WITH_NULL_MD5 (no encryption, just message validation).Default: Disabled
![[Important]](images/important.png) |
Important: AES and 3DES algorithms are recommended |
|---|---|
|
By default, all symmetric encryption algorithms except AES and 3DES are disabled. It is not recommended that this is changed. The algorithms disabled by default are considered to be insecure at the time this document was written. If the administrator does enable any of the weaker algorithms, cOS Core will issue a warning when the configuration is committed and will continue to display a warning in the system summary page of the Web Interface. |
