Product Documentation

ECDSA Cipher Suites support on MPX appliances with N3 chips

Sep 01, 2016

The NetScaler MPX appliances now support the Elliptic Curve Digital Signature Algorithm (ECDSA) cipher group. In ECDHE_ECDSA, the server's certificate must contain an ECDSA-capable public key. For client authentication, an ECDSA CA certificate must be bound to the virtual server.

ECDSA cipher suites use elliptic curve cryptography (ECC). Because of its smaller key size, ECC is particularly helpful in environments where processing power, storage space, bandwidth, and power consumption are constrained.

Note

If you add an ECDSA certificate-key pair, only the following curves are supported:

  • prime256v1
  • secp384r1
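A pre-upload check for the curve restriction above, as an added example that is not from the original documentation: it reads a DER or PEM certificate or public key, finds the named-curve OID next to id-ecPublicKey, and reports whether it is one of the two supported curves. The function names and the sample byte strings are constructed for illustration.

```python
import base64

EC_PUBLIC_KEY = "1.2.840.10045.2.1"  # id-ecPublicKey
SUPPORTED = {"1.2.840.10045.3.1.7": "prime256v1", "1.3.132.0.34": "secp384r1"}
# Constructed SubjectPublicKeyInfo samples; the all-zero points are placeholders, not keys.
SAMPLE_P256 = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d03010703420004") + bytes(64)
SAMPLE_P521 = bytes.fromhex("30819b301006072a8648ce3d020106052b810400230381860004") + bytes(132)

def tlvs(buf):
    """Yield (tag, value) for each DER element; single-byte tags only."""
    i = 0
    while i + 2 <= len(buf):
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:  # long form: low 7 bits count the length bytes that follow
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        if i + length > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[i:i + length]
        i += length

def oid(value):
    """Decode an OBJECT IDENTIFIER value into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def named_curve(der):
    """Return the curve OID that follows id-ecPublicKey, or None if there is none."""
    for tag, value in tlvs(der):
        if not tag & 0x20:  # primitive element, nothing nested inside
            continue
        kids = list(tlvs(value))
        if len(kids) >= 2 and kids[0][0] == kids[1][0] == 0x06 and oid(kids[0][1]) == EC_PUBLIC_KEY:
            return oid(kids[1][1])
        found = named_curve(value)
        if found:
            return found

def check_curve(data):
    """Return (supported, curve name), or (False, OID or None) for anything else."""
    if data.lstrip().startswith(b"-----BEGIN"):  # PEM: drop armor lines, decode the body
        data = base64.b64decode(b"".join(l for l in data.splitlines() if not l.startswith(b"-----")))
    curve = named_curve(data)
    return curve in SUPPORTED, SUPPORTED.get(curve, curve)
```

A result of `(False, None)` means no EC key was found at all, for example when the file holds an RSA certificate.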

The following table lists the ECDSA ciphers that are supported on the NetScaler MPX appliances with N3 chips:

| Cipher Name | Priority | Description | Key Exchange Algorithm | Authentication Algorithm | Encryption Algorithm (Key Size) | Message Authentication Code (MAC) Algorithm | HexCode |
|---|---|---|---|---|---|---|---|
| TLS1-ECDHE-ECDSA-AES128-SHA | 1 | SSLv3 | ECC-DHE | ECDSA | AES(128) | SHA1 | 0xc009 |
| TLS1-ECDHE-ECDSA-AES256-SHA | 2 | SSLv3 | ECC-DHE | ECDSA | AES(256) | SHA1 | 0xc00a |
| TLS1.2-ECDHE-ECDSA-AES128-SHA256 | 3 | TLSv1.2 | ECC-DHE | ECDSA | AES(128) | SHA-256 | 0xc023 |
| TLS1.2-ECDHE-ECDSA-AES256-SHA384 | 4 | TLSv1.2 | ECC-DHE | ECDSA | AES(256) | SHA-384 | 0xc024 |
| TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 | 5 | TLSv1.2 | ECC-DHE | ECDSA | AES-GCM(128) | SHA-256 | 0xc02b |
| TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 | 6 | TLSv1.2 | ECC-DHE | ECDSA | AES-GCM(256) | SHA-384 | 0xc02c |
| TLS1-ECDHE-ECDSA-RC4-SHA | 7 | SSLv3 | ECC-DHE | ECDSA | RC4(128) | SHA1 | 0xc007 |
| TLS1-ECDHE-ECDSA-DES-CBC3-SHA | 8 | SSLv3 | ECC-DHE | ECDSA | 3DES(168) | SHA1 | 0xc008 |

Important

ECDSA cipher group support is available only at the front end, on MPX appliances with N3 chips. Use the show ns hardware command to find out whether your appliance has N3 chips.

Example

> sh ns hardware
          Platform: NSMPX-22000 16*CPU+24*IX+12*E1K+2*E1K+4*CVM N3 2200100
          Manufactured on: 8/19/2013
          CPU: 2900MHZ
          Host Id: 1006665862
          Serial no: ENUK6298FT
          Encoded serial no: ENUK6298FT
 Done