How to select SSL/TLS cipher suites on Network Management Cards
Published date: 30 March 2021
Issue
Users may need to adjust the list of SSL/TLS cipher algorithms the NMC offers for HTTPS web access, to comply with local security policy, to accommodate changes in browser compatibility, or to keep up with evolving best practice.
Product Line
Network Management Card 2 – AP9630/CH, AP9631/CH, AP9635/CH
Devices with an embedded Network Management Card 2 include (but are not limited to): 2G Metered/Switched Rack PDUs (AP84XX, AP86XX, AP88XX, AP89XX), Rack Automatic Transfer Switches (AP44XX), certain Audio/Video Network Management Enabled products, Smart-UPS Online (SRT).
Environment
AOS versions 6.6.4 onwards.
Resolution
Via the NMC command line:
Issue the “cipher” command to show the currently enabled set, or “cipher ?” for usage notes, e.g.:
>cipher ?
Usage: cipher -- Configuration Options
(toggle enabled/disabled for all options)
Note: The minimal protocol setting is not considered when showing
the available ciphers.
cipher [-3des] (triple-DES)
[-rc4] (RC4)
[-aes] (AES)
[-dh] (DH)
[-rsake] (RSA Key Exchange)
[-rsaau] (RSA Authentication)
[-md5] (MD5)
[-sha1] (SHA)
[-sha2] (SHA256)
Each option toggles the current state of that algorithm (enabled becomes disabled and vice versa); issue “cipher” again to verify the result, then “reboot” to apply the change. Disabling every algorithm in one category (for example the only authentication algorithm, RSA Authentication) blocks all SSL/TLS sessions, as the warning in the listing states.
Example: List current settings, showing that all available are enabled (as default):
>cipher
E000: Success
Key Exchange Algorithms
-----------------------
DH enabled
RSA Key Exchange enabled
Authentication Algorithms
-------------------------
(Warning: disabling the only algorithm in category
will block all SSL/TLS sessions)
RSA Authentication enabled
Block Cipher Algorithms
-----------------------
triple-DES enabled
RC4 enabled
AES enabled
MAC Algorithms
--------------
MD5 enabled
SHA enabled
SHA256 enabled
Example: after toggling RSA Key Exchange and RC4 off (the -rsake and -rc4 options), the listing shows both as disabled:
>cipher
E000: Success
Key Exchange Algorithms
-----------------------
DH enabled
RSA Key Exchange disabled
Authentication Algorithms
-------------------------
(Warning: disabling the only algorithm in category
will block all SSL/TLS sessions)
RSA Authentication enabled
Block Cipher Algorithms
-----------------------
triple-DES enabled
RC4 disabled
AES enabled
MAC Algorithms
--------------
MD5 enabled
SHA enabled
SHA256 enabled
[...]
Using INI files (e.g. for mass configuration), the same settings appear under the [CryptographicAlgorithms] section; the fragment below corresponds to the listing above, with RSA Key Exchange and RC4 disabled:
[CryptographicAlgorithms]
;Warning: Changing these values can affect system access.
TripleDES=enabled
RC4=disabled
AES=enabled
DH=enabled
RSA_KE=disabled
RSA_Auth=enabled
MD5=enabled
SHA=enabled
SHA256=enabled
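As an added example (not Schneider Electric/APC code, and not a feature of the NMC itself), the script below ties the two configuration paths together for mass configuration: it parses the “cipher” listing format shown above, reports which algorithms a typical hardening policy would switch off, and renders the matching [CryptographicAlgorithms] INI section. The policy (disable RC4, triple-DES and MD5) and the sample listing are assumptions for illustration; the category check refuses to produce a configuration that would empty a category, which the NMC warns would block all SSL/TLS sessions.

```python
"""Audit an NMC `cipher` listing and emit the INI section for mass config.

Added example, not vendor code. Parses the CLI listing format reproduced in
the article, flags legacy algorithms, and writes the [CryptographicAlgorithms]
section, refusing to disable every algorithm in a category.
"""
import re

# CLI listing names -> INI keys, in the order the article's INI fragment uses.
CLI_TO_INI = {
    "triple-DES": "TripleDES",
    "RC4": "RC4",
    "AES": "AES",
    "DH": "DH",
    "RSA Key Exchange": "RSA_KE",
    "RSA Authentication": "RSA_Auth",
    "MD5": "MD5",
    "SHA": "SHA",
    "SHA256": "SHA256",
}

# Category membership, following the section headings of the listing.
CATEGORIES = {
    "Key Exchange Algorithms": ["DH", "RSA Key Exchange"],
    "Authentication Algorithms": ["RSA Authentication"],
    "Block Cipher Algorithms": ["triple-DES", "RC4", "AES"],
    "MAC Algorithms": ["MD5", "SHA", "SHA256"],
}

# Assumed hardening policy (not from the article): legacy algorithms to disable.
WEAK = {"RC4", "triple-DES", "MD5"}

# Constructed sample input: the default listing as shown in the article.
SAMPLE_LISTING = """\
E000: Success
Key Exchange Algorithms
-----------------------
DH enabled
RSA Key Exchange enabled
Authentication Algorithms
-------------------------
(Warning: disabling the only algorithm in category
will block all SSL/TLS sessions)
RSA Authentication enabled
Block Cipher Algorithms
-----------------------
triple-DES enabled
RC4 enabled
AES enabled
MAC Algorithms
--------------
MD5 enabled
SHA enabled
SHA256 enabled
"""

# "<name> enabled|disabled"; the lazy name group absorbs multi-word names.
LINE_RE = re.compile(r"^(?P<name>.+?)\s+(?P<state>enabled|disabled)$")


def parse_listing(text):
    """Return {algorithm name: True if enabled} from the CLI output."""
    state = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("name") in CLI_TO_INI:
            state[m.group("name")] = m.group("state") == "enabled"
    return state


def weak_enabled(state, weak=WEAK):
    """Audit helper: policy-forbidden algorithms that are still enabled."""
    return sorted(name for name in weak if state.get(name))


def apply_policy(state, disable=WEAK):
    """Desired state after disabling `disable`; raises if any category would
    be left with nothing enabled (the NMC would then refuse all TLS sessions)."""
    desired = {name: (on and name not in disable) for name, on in state.items()}
    for category, members in CATEGORIES.items():
        if not any(desired.get(m, False) for m in members):
            raise ValueError(f"policy would disable every algorithm in {category}")
    return desired


def to_ini(desired):
    """Render the [CryptographicAlgorithms] section in the article's layout."""
    lines = ["[CryptographicAlgorithms]",
             ";Warning: Changing these values can affect system access."]
    for cli_name, ini_key in CLI_TO_INI.items():
        value = "enabled" if desired.get(cli_name, False) else "disabled"
        lines.append(f"{ini_key}={value}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    current = parse_listing(SAMPLE_LISTING)
    print("weak algorithms still enabled:", weak_enabled(current))
    print(to_ini(apply_policy(current)))
```

In practice the listing would be captured from each card's CLI and the generated section merged into the INI file pushed to the fleet; the category check is what keeps a copy-paste policy from locking HTTPS out entirely.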
Using the web interface:
These settings are not yet exposed via the web UI.
Troubleshooting:
Be aware that disabling ciphers may affect browser compatibility: SSL/TLS will be unusable unless the browser and the NMC have at least one cipher suite in common. Browser errors such as "ssl_error_no_cypher_overlap" or "err_ssl_version_or_cipher_mismatch" indicate such an incompatibility. Before rebooting, keep a non-HTTPS management path (serial console or the CLI) available so the setting can be reverted if the web UI becomes unreachable. A common hardening target is to disable RC4, triple-DES and MD5 while leaving AES, SHA and SHA256 enabled; current browsers no longer offer RC4 (RFC 7465 prohibits it in TLS), so keeping it enabled gains nothing. The suite actually negotiated can be checked from a workstation with `openssl s_client -connect <NMC address>:443`.