Product Documentation

ssl cipher

Sep 12, 2016

The following operations can be performed on "ssl cipher":

add | bind | set | unset | show | rm | unbind

add ssl cipher

Creates a user-defined cipher group, which you can bind to an SSL virtual server instead of binding ciphers individually. Although you cannot modify a built-in cipher group, you can add built-in cipher groups as well as individual ciphers to a user-defined cipher group.

Synopsis

add ssl cipher <cipherGroupName>

Arguments

cipherGroupName

Name for the user-defined cipher group. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the cipher group is created.

The following requirement applies only to the NetScaler CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my ciphergroup" or 'my ciphergroup').

Example

1) add ssl cipher mygroup SSL2-RC4-MD5 SSL2-EXP-RC4-MD5

   The above command creates a new cipher group named mygroup that contains the two ciphers SSL2-RC4-MD5 and SSL2-EXP-RC4-MD5. If a cipher group named mygroup already exists in the system, the two ciphers are added to the list of ciphers contained in the group.

2) add ssl cipher mygroup HIGH MEDIUM

   The above command creates a new cipher group named mygroup that contains the ciphers from the cipher aliases "HIGH" and "MEDIUM". If a cipher group named mygroup already exists in the system, the ciphers from the two aliases are added to the list of ciphers contained in the group.

3) add ssl cipher cipher_sha

   The above command creates a new cipher group named cipher_sha. No ciphers are added to the created cipher group.

bind ssl cipher

Adds ciphers to a user-defined cipher group. You can add an existing cipher group to a user-defined cipher group but you cannot modify a built-in cipher group.

Synopsis

bind ssl cipher [<cipherGroupName>@ [-cipherPriority <positive_integer>]] [-cipherName <string>]

Arguments

cipherGroupName

Name of the user-defined cipher group.

cipherName

Name of the individual cipher, user-defined cipher group, or predefined (built-in) cipher alias to add to the cipher group.

cipherPriority

Priority of the cipher to be added.

Minimum value: 1

Maximum value: 1000

Example

1) bind ssl cipher sslvip ADD SSL3-RC4-SHA

   The above example appends the cipher SSL3-RC4-SHA to the cipher suite already configured for the SSL virtual server sslvip.

2) bind ssl cipher sslvip REM NULL

   The above example removes the ciphers identified by the system's predefined cipher alias NULL from the cipher suite already configured for the SSL virtual server sslvip.

3) bind ssl cipher sslvip ORD HIGH

   The above example overrides the existing cipher suite configured for the SSL virtual server with ciphers that have HIGH encryption strength (ciphers supporting 168-bit encryption).

4) bind ssl cipher cipher_sha -cipherName TLS1.2-AES-128-SHA256

   The above example adds the cipher TLS1.2-AES-128-SHA256 to the cipher group cipher_sha. The priority of the added cipher suite will be the next available maximum value in the cipher group cipher_sha.

5) bind ssl cipher cipher_sha -cipherName TLS1.2-AES-128-SHA256 -cipherPriority 5

   The above example adds the cipher TLS1.2-AES-128-SHA256 to the cipher group cipher_sha at priority 5. If the cipher is already bound at a higher priority in the cipher group, the cipher priority remains the same.

Note: The individual ciphers contained in a system predefined cipher alias can be viewed by using the following command:

   show ssl cipher <cipherAliasName>

set ssl cipher

Modifies the priority of the cipher within a cipher group.

Synopsis

set ssl cipher <cipherGroupName> (-cipherName <string> -cipherPriority <positive_integer>)

Arguments

cipherGroupName

Name of the cipher group.

cipherName

Cipher name.

cipherPriority

Priority assigned to the cipher.

Minimum value: 1

Example

1) set ssl cipher cipher_sha -cipher TLS1-AES-128-CBC-SHA -cipherpriority 1

   The above example sets the priority of TLS1-AES-128-CBC-SHA to 1 within the cipher group cipher_sha.

unset ssl cipher

Use this command to remove SSL cipher settings. Refer to the set ssl cipher command for the meanings of the arguments.

Synopsis

unset ssl cipher <cipherGroupName> -cipherName -cipherPriority

show ssl cipher

Displays information about all the cipher groups defined on the appliance, or displays detailed information about the specified cipher group.

Synopsis

show ssl cipher [<cipherGroupName>] [-sslProfile <string>]

Arguments

cipherGroupName

Name of the cipher group for which to show detailed information.

sslProfile

Name of the profile to which the cipher is attached.

Outputs

description

Cipher suite description.

cipherName

Cipher name.

flag

stateflag

cipherPriority

Priority assigned to the cipher.

peFlags

devno

count

Example

1) An example of the output of the show ssl cipher SSL3-RC4-MD5 command is as follows:

        Cipher Name: SSL3-RC4-MD5
        Description: SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5

2) This example displays the details of individual ciphers in the system predefined cipher alias SSLv3 (the command show ssl cipher SSLv3 has been entered):

1)      Cipher Name: SSL3-RC4-MD5    Priority:1
        Description: SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
2)      Cipher Name: SSL3-RC4-SHA    Priority:2
        Description: SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
3)      Cipher Name: SSL3-DES-CBC3-SHA    Priority:3
        Description: SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
4)      Cipher Name: SSL3-DES-CBC-SHA    Priority:4
        Description: SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
5)      Cipher Name: TLS1-AES-256-CBC-SHA    Priority:5
        Description: SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
6)      Cipher Name: TLS1-AES-128-CBC-SHA    Priority:6
        Description: SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
7)      Cipher Name: SSL3-EXP-RC4-MD5    Priority:7
        Description: SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  Export
8)      Cipher Name: SSL3-EXP-DES-CBC-SHA    Priority:8
        Description: SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 Export
9)      Cipher Name: SSL3-EXP-RC2-CBC-MD5    Priority:9
        Description: SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  Export
10)     Cipher Name: SSL3-EDH-DSS-DES-CBC3-SHA    Priority:10
        Description: SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
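
Added example (not part of the product documentation): a Python parser for the show ssl cipher listing format shown above that flags entries failing a simple audit policy and builds the matching unbind ssl cipher commands. The policy in WEAK_ALGS, the sample priorities, and the use of mygroup as a user-defined cipher group are assumptions of this example.

```python
import re

# Constructed sample, laid out like the "show ssl cipher" listing on this page.
SAMPLE = """\
1)      Cipher Name: SSL3-RC4-MD5    Priority:1
        Description: SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
2)      Cipher Name: TLS1-AES-256-CBC-SHA    Priority:2
        Description: SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
3)      Cipher Name: SSL3-EXP-DES-CBC-SHA    Priority:3
        Description: SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 Export
4)      Cipher Name: SSL3-DES-CBC3-SHA    Priority:4
        Description: SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
"""
NAME_RE = re.compile(r"Cipher Name:\s*(\S+)(?:\s+Priority\s*:\s*(\d+))?")
FIELD_RE = re.compile(r"\b(Kx|Au|Enc|Mac)=(\S+)")
ENC_RE = re.compile(r"([^()]+)(?:\((\d+)\))?")
WEAK_ALGS = {"RC4", "RC2", "DES", "3DES", "NULL", "None"}  # assumed audit policy

def parse_listing(text):
    """Return one dict per cipher: name, priority, Kx/Au/Enc/Mac fields, export flag."""
    entries = []
    for line in text.splitlines():
        m = NAME_RE.search(line)
        if m:
            entries.append({"name": m.group(1), "fields": {}, "export": False,
                            "priority": int(m.group(2)) if m.group(2) else None})
        elif "Description:" in line and entries:
            entries[-1]["fields"] = dict(FIELD_RE.findall(line))
            entries[-1]["export"] = line.split()[-1] == "Export"
    return entries

def weaknesses(entry):
    """List the reasons an entry fails the assumed policy (empty list if none)."""
    f = entry["fields"]
    enc = ENC_RE.fullmatch(f.get("Enc", ""))
    alg, bits = (enc.group(1), int(enc.group(2) or 0)) if enc else ("", 0)
    checks = [(alg in WEAK_ALGS, "weak cipher " + alg),
              (0 < bits < 128, "%d-bit key" % bits),
              (f.get("Mac") == "MD5", "MD5 MAC"),
              (entry["export"], "export grade")]
    return [reason for failed, reason in checks if failed]

def unbind_commands(group, text):
    """One unbind command per flagged cipher, in the syntax this page documents."""
    return ["unbind ssl cipher %s -cipherName %s" % (group, e["name"])
            for e in parse_listing(text) if weaknesses(e)]

if __name__ == "__main__":
    print("\n".join(unbind_commands("mygroup", SAMPLE)))  # group name is assumed
```

The generated commands apply only to user-defined cipher groups, because built-in groups and aliases cannot be modified.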

rm ssl cipher

Removes a user-defined cipher group from the appliance.

Synopsis

rm ssl cipher <cipherGroupName>

Arguments

cipherGroupName

Name of the user-defined cipher group to remove.

Example

1) rm ssl cipher mygroup SSL2-RC4-MD5

   The above example removes the cipher SSL2-RC4-MD5 from the cipher group mygroup.

2) rm ssl cipher mygroup

   The above example will remove the cipher group 'mygroup' from the system.

unbind ssl cipher

Removes all the ciphers from a user-defined cipher group. You can only remove individual ciphers from a user-defined cipher group. Removing groups is not supported.

Synopsis

unbind ssl cipher <cipherGroupName> [-cipherName <string> ...]

Arguments

cipherGroupName

Name of the user-defined cipher group.

cipherName

Name(s) of the cipher(s) to be removed from the user-defined cipher group.

Example

1) rm ssl cipher mygroup SSL2-RC4-MD5

   The above example removes the cipher SSL2-RC4-MD5 from the cipher group mygroup.

2) rm ssl cipher mygroup

   The above example will remove the cipher group 'mygroup' from the system.

3) unbind ssl cipher cipher_sha -cipherName TLS1.2-AES-256-SHA256

   The above example will remove the cipher TLS1.2-AES-256-SHA256 from the cipher_sha cipher group.