default

Use the default entry in the [ssl-qop-mgmt-default] stanza to define the accepted encryption levels for access to WebSEAL over SSL.

default = {ALL|NONE|cipher_level|cipher_name}

Description

List of string values to specify the allowed encryption levels for HTTPS access.

Values specified in this stanza entry apply to all client IP addresses that do not match an entry in the [ssl-qop-mgmt-networks] stanza. To support HTTP/2 client connections, the accepted cipher suites must include TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or a stronger suite.

Options

ALL and NONE are keywords. cipher_level is a cipher alias, such as AES-128 or AES-256. cipher_name is an explicit cipher suite name, such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Specify one value per default entry; repeat the entry to accept more than one cipher suite or alias.

Usage:

This stanza entry is required.

Default value

# AES-128
default = TLS_AES_128_GCM_SHA256
default = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
default = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
default = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
default = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

# AES-256
default = TLS_AES_256_GCM_SHA384
default = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
default = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
default = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
default = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Prior to version 10.0.0.0, the default values were the following aliases:

default = AES-128
default = AES-256

The legacy cipher aliases AES-128 and AES-256 are equivalent to the following default values:

# AES-128
default = TLS_AES_128_CCM_8_SHA256
default = TLS_AES_128_CCM_SHA256
default = TLS_AES_128_GCM_SHA256
default = TLS_RSA_WITH_AES_128_CBC_SHA
default = TLS_RSA_WITH_AES_128_CBC_SHA256
default = TLS_RSA_WITH_AES_128_GCM_SHA256

# AES-256
default = TLS_AES_256_GCM_SHA384
default = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
default = TLS_RSA_WITH_AES_256_CBC_SHA256
default = TLS_RSA_WITH_AES_256_GCM_SHA384

Example:

To specify a selected group of ciphers, create a separate entry for each cipher. For example:

default = RC4-128
default = RC2-128
default = DES-168

RC4, RC2 and DES are obsolete algorithms; this example illustrates only the one-entry-per-cipher syntax and is not a recommended configuration.

The following cipher is the minimum requirement for HTTP/2 over TLS and is not in the set of ciphers specified by the cipher alias "AES-128". When you rely on the aliases, add it as a separate entry:

default = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
default = AES-128
default = AES-256
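The following script is an added example for this page; it is not IBM code and not a WebSEAL utility. It parses the default entries of the [ssl-qop-mgmt-default] stanza from a configuration file, expands the legacy AES-128 and AES-256 aliases using the tables above, and reports whether the resulting cipher set includes the HTTP/2 minimum cipher, whether it contains obsolete algorithms, and which suites use static RSA key exchange (no forward secrecy). The "key = value" stanza parsing, the weak-name pattern and the sample configurations are assumptions constructed for the example.

```python
"""Lint the [ssl-qop-mgmt-default] stanza of a WebSEAL configuration file.

Added example for this reference page; not IBM code. The alias tables are
copied from the page; the stanza syntax handling is an assumption.
"""
import re

# Legacy alias expansions, as documented on this page.
ALIASES = {
    "AES-128": [
        "TLS_AES_128_CCM_8_SHA256",
        "TLS_AES_128_CCM_SHA256",
        "TLS_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
    ],
    "AES-256": [
        "TLS_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_RSA_WITH_AES_256_GCM_SHA384",
    ],
}

# Minimum cipher suite for HTTP/2 over TLS (RFC 7540 section 9.2.2), as stated on this page.
HTTP2_MIN_CIPHER = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

# Heuristic (assumption, not from the page): name fragments that indicate obsolete algorithms.
WEAK_PATTERN = re.compile(r"RC4|RC2|DES|NULL|EXPORT|MD5")


def parse_defaults(config_text, stanza="ssl-qop-mgmt-default"):
    """Return the 'default' values of the given stanza, in file order."""
    values, in_stanza = [], False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            in_stanza = header.group(1) == stanza
            continue
        if in_stanza:
            key, _, value = line.partition("=")
            if key.strip() == "default":
                values.append(value.strip())
    return values


def expand(values):
    """Expand legacy aliases into explicit suites; ALL, NONE and unknown names pass through."""
    ciphers = []
    for value in values:
        for cipher in ALIASES.get(value, [value]):
            if cipher not in ciphers:
                ciphers.append(cipher)
    return ciphers


def lint(config_text):
    """Summarise what the stanza permits and what a reviewer should look at."""
    values = parse_defaults(config_text)
    ciphers = expand(values)
    report = {
        "values": values,
        "ciphers": ciphers,
        # HTTP/2 needs the minimum cipher listed explicitly; the AES-128 alias lacks it.
        "http2_ok": HTTP2_MIN_CIPHER in ciphers,
        "weak": [c for c in ciphers if WEAK_PATTERN.search(c)],
        # Static RSA key exchange (TLS_RSA_WITH_*) provides no forward secrecy.
        "no_pfs": [c for c in ciphers if c.startswith("TLS_RSA_WITH_")],
        "notes": [],
    }
    if not values:
        report["notes"].append("entry is required but no 'default' value was found")
    for keyword in ("ALL", "NONE"):
        if keyword in values:
            report["notes"].append(f"'{keyword}' is set; review the effective cipher list on the server")
    return report


# Constructed sample configurations (not taken from a real deployment).
LEGACY_CONFIG = """\
[ssl]
# other entries omitted

[ssl-qop-mgmt-default]
# pre-10.0.0.0 defaults: aliases only
default = AES-128
default = AES-256
"""

HTTP2_CONFIG = LEGACY_CONFIG.replace(
    "default = AES-128",
    "default = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\ndefault = AES-128",
)

OBSOLETE_CONFIG = """\
[ssl-qop-mgmt-default]
default = RC4-128
default = RC2-128
default = DES-168
"""

if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_CONFIG), ("http2", HTTP2_CONFIG), ("obsolete", OBSOLETE_CONFIG)):
        r = lint(cfg)
        print(f"{name}: http2_ok={r['http2_ok']} weak={r['weak']} no_pfs={len(r['no_pfs'])} notes={r['notes']}")
```

Run it against a copy of the WebSEAL configuration file by passing the file contents to lint(). The legacy-alias configuration expands to ten suites, five of them static RSA, and fails the HTTP/2 check; adding the explicit TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 entry makes it pass.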

Parent topic: [ssl-qop-mgmt-default] stanza