How to select SSL/TLS cipher suites on Network Management Cards
Issue
Users may need to adjust the list of SSL/TLS ciphers in use for NMC web access on the NMC, to comply with local security policies, changes in browser compatibility, or to reflect ever-changing best practices.
Product Line
Network Management Card 2 – AP9630/CH, AP9631/CH, AP9635/CH
Devices with an embedded Network Management Card 2 include (but are not limited to): 2G Metered/Switched Rack PDUs (AP84XX, AP86XX, AP88XX, AP89XX), Rack Automatic Transfer Switches (AP44XX), Certain Audio/Video Network Management Enabled products, Smart-UPS Online (SRT).
Environment
AOS versions 6.6.4 onwards.
Resolution
Via the NMC command line:
Issue the “cipher” command to show the current enabled set, or “cipher help” for usage notes.
e.g.:
apc>cipher help
Usage: cipher -- Configuration Options
Note: The minimal protocol setting is not considered when showing
the available ciphers.
cipher [-aes (enable | disable)] (AES)
[-dh (enable | disable)] (DH)
[-rsake (enable | disable)] (RSA Key Exchange)
[-rsaau (enable | disable)] (RSA Authentication)
[-sha1 (enable | disable)] (SHA)
[-sha2 (enable | disable)] (SHA256)
[-ecdhe (enable | disable)] (ECDHE)
Note: Prior to 6.8.0, each option (e.g. -rc4) toggled the current state; the options are now explicitly deterministic, each taking an enable or disable argument.
Reboot to commit changes.
Example:
List current settings, showing that all available are enabled (as default):
>cipher
E000: Success
Key Exchange Algorithms
-----------------------
DH enabled
RSA Key Exchange enabled
Authentication Algorithms
-------------------------
(Warning: disabling the only algorithm in category
will block all SSL/TLS sessions)
RSA Authentication enabled
Block Cipher Algorithms
-----------------------
triple-DES enabled
RC4 enabled
AES enabled
MAC Algorithms
--------------
MD5 enabled
SHA enabled
SHA256 enabled
[...]
Disable RC4 cipher and RSA key-exchange:
>cipher -rc4 disable
E002: Success
>cipher -rsake disable
E002: Success
List new settings, confirming expected changes:
>cipher
E000: Success
Key Exchange Algorithms
-----------------------
DH enabled
RSA Key Exchange disabled
Authentication Algorithms
-------------------------
(Warning: disabling the only algorithm in category
will block all SSL/TLS sessions)
RSA Authentication enabled
Block Cipher Algorithms
-----------------------
triple-DES enabled
RC4 disabled
AES enabled
MAC Algorithms
--------------
MD5 enabled
SHA enabled
SHA256 enabled
[...]
Using INI files (e.g. for mass configuration):
[CryptographicAlgorithms]
;Warning: Changing these values can affect system access.
TripleDES=enabled
RC4=disabled
AES=enabled
DH=enabled
RSA_KE=disabled
RSA_Auth=enabled
MD5=enabled
SHA=enabled
SHA256=enabled
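For mass configuration, the INI section can be generated from a card's `cipher` listing while enforcing the CLI's warning about disabling the only algorithm in a category. This is an added example, not APC's code; the function names and the embedded sample listing are assumptions constructed from the output shown above.

```python
import re
# Constructed sample: the default `cipher` listing as shown on this page.
SAMPLE = """\
Key Exchange Algorithms
-----------------------
DH enabled
RSA Key Exchange enabled
Authentication Algorithms
-------------------------
(Warning: disabling the only algorithm in category
will block all SSL/TLS sessions)
RSA Authentication enabled
Block Cipher Algorithms
-----------------------
triple-DES enabled
RC4 enabled
AES enabled
MAC Algorithms
--------------
MD5 enabled
SHA enabled
SHA256 enabled
"""

# CLI display name -> INI key, both taken from the listings on this page.
INI_KEY = {"triple-DES": "TripleDES", "RC4": "RC4", "AES": "AES", "DH": "DH",
           "RSA Key Exchange": "RSA_KE", "RSA Authentication": "RSA_Auth",
           "MD5": "MD5", "SHA": "SHA", "SHA256": "SHA256"}

def parse_cipher(text):
    """Return {category: {algorithm: 'enabled'|'disabled'}} from `cipher` output."""
    cats, current = {}, {}  # rows seen before any category header are discarded
    for line in map(str.strip, text.splitlines()):
        if line.endswith("Algorithms"):
            current = cats.setdefault(line, {})
        elif m := re.fullmatch(r"(.+?)\s+(enabled|disabled)", line):
            current[m.group(1)] = m.group(2)
    return cats

def plan_ini(text, disable):
    """Apply `disable` (display names) and render the INI section; refuse to empty a category."""
    cats = parse_cipher(text)
    for cat, algs in cats.items():
        algs.update({n: "disabled" for n in algs if n in disable})
        if "enabled" not in algs.values():
            raise ValueError(f"{cat}: no algorithm left enabled, SSL/TLS would be blocked")
    state = {n: s for algs in cats.values() for n, s in algs.items()}
    body = [f"{key}={state[name]}" for name, key in INI_KEY.items() if name in state]
    return "\n".join(["[CryptographicAlgorithms]"] + body)
```

Calling `plan_ini(SAMPLE, {"RC4", "RSA Key Exchange"})` reproduces the INI values listed above; algorithms that have no INI key on this page (such as ECDHE) are left out of the rendered section.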
Using the web interface:
These settings are not yet exposed via the web UI.
Troubleshooting:
Be aware that disabling ciphers may affect browser compatibility; SSL/TLS will be unusable to the user unless their browser and the NMC have at least one cipher suite in common. Browser errors such as "ssl_error_no_cypher_overlap" or "err_ssl_version_or_cipher_mismatch" would indicate such an incompatibility.