Technical FAQs

Ask a Question

How to select SSL/TLS cipher suites on Network Management Cards

Issue
Users may need to adjust the list of SSL/TLS ciphers in use for NMC web access on the NMC, to comply with local security policies, changes in browser compatibility, or to reflect ever-changing best practices.

Product Line
Network Management Card 2 – AP9630/CH, AP9631/CH, AP9635/CH
Devices with an embedded Network Management Card 2 include (but are not limited to): 2G Metered/Switched Rack PDUs (AP84XX, AP86XX, AP88XX, AP89XX), Rack Automatic Transfer Switches (AP44XX), Certain Audio/Video Network Management Enabled products, Smart-UPS Online (SRT).

Environment
AOS versions 6.6.4 onwards.

Resolution

Via the NMC command line:

Issue the “cipher” command to show the current enabled set, or “cipher ?” for usage notes.
eg;
 
>cipher ?
Usage: cipher --  Configuration Options
                 (toggle enabled/disabled for all options)
    Note: The minimal protocol setting is not considered when showing
           the available ciphers.
 
    cipher [-3des] (triple-DES)
           [-rc4] (RC4)
           [-aes] (AES)
           [-dh] (DH)
           [-rsake] (RSA Key Exchange)
           [-rsaau] (RSA Authentication)
           [-md5] (MD5)
           [-sha1] (SHA)
           [-sha2] (SHA256)

Each option will toggle its current state; issue “cipher” again to verify, and “reboot” to commit changes.
 
Example:
List current settings, showing that all available are enabled (as default):
 
>cipher
E000: Success
Key Exchange Algorithms
-----------------------

        DH                   enabled
        RSA Key Exchange     enabled

Authentication Algorithms
-------------------------
(Warning: disabling the only algorithm in category
          will block all SSL/TLS sessions)

        RSA Authentication   enabled

Block Cipher Algorithms
-----------------------

        triple-DES           enabled
        RC4                  enabled
        AES                  enabled

MAC Algorithms
--------------

        MD5                  enabled
        SHA                  enabled
        SHA256               enabled
[...]
Disable RC4 cipher and RSA key-exchange:
 
>cipher -rc4
E002: Success

>cipher -rsake
E002: Success

List new settings, confirming expected changes:
 
>cipher
E000: Success
Key Exchange Algorithms
-----------------------

        DH                   enabled
        RSA Key Exchange     disabled

Authentication Algorithms
-------------------------
(Warning: disabling the only algorithm in category
          will block all SSL/TLS sessions)

        RSA Authentication   enabled

Block Cipher Algorithms
-----------------------

        triple-DES           enabled
        RC4                  disabled
        AES                  enabled

MAC Algorithms
--------------

        MD5                  enabled
        SHA                  enabled
        SHA256               enabled
[...]

Using INI files (eg, for mass configuration):
 
[CryptographicAlgorithms]
;Warning: Changing these values can affect system access.
TripleDES=enabled
RC4=disabled
AES=enabled
DH=enabled
RSA_KE=disabled
RSA_Auth=enabled
MD5=enabled
SHA=enabled
SHA256=enabled

Using the web interface:

These settings are not yet exposed via the web UI.

Troubleshooting:

Be aware that disabling ciphers may affect browser compatibility; SSL/TLS will be unusable to the user unless their browser and the NMC have at least one cipher suite in common. Browser errors such as "ssl_error_no_cypher_overlap" or "err_ssl_version_or_cipher_mismatch" would indicate such an incompatibility.
Was this helpful?
What can we do to improve the information ?