default
Use the default entry in the [ssl-qop-mgmt-default] stanza to define the accepted encryption levels for access to WebSEAL over SSL.
default = {ALL|NONE|cipher_level|cipher_name}

Description
List of string values to specify the allowed encryption levels for HTTPS access.
Values specified in this stanza entry are used for all IP addresses that are not matched in the [ssl-qop-mgmt-networks] stanza entries. The cipher suite must be set to TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or higher to support HTTP/2 client connections.
Options
ALL
    The value ALL allows all ciphers.
NONE
    The value NONE disables all ciphers and uses an MD5 MAC check sum.
cipher_level
    Legal cipher values are: NULL, DES-56, FIPS-DES-56, DES-168, FIPS-DES-168, RC2-40, RC2-128, RC4-40, RC4-56, RC4-128, AES-128, AES-256

    Value          Cipher name in GSKit
    NULL           TLS_RSA_WITH_NULL_MD5
    DES-56         TLS_RSA_WITH_DES_CBC_SHA
    FIPS-DES-56    SSL_RSA_FIPS_WITH_DES_CBC_SHA
    DES-168        SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
    FIPS-DES-168   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    RC2-40         TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    RC2-128        TLS_RC2_CBC_128_CBC_WITH_MD5
    RC4-40         TLS_RSA_EXPORT_WITH_RC4_40_MD5
    RC4-56         TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
    RC4-128        TLS_RSA_WITH_RC4_128_MD5
    AES-128        TLS_RSA_WITH_AES_128_CBC_SHA
    AES-256        TLS_RSA_WITH_AES_256_CBC_SHA
cipher_name
    Specific cipher names can also be used. This is useful when the cipher_level values above do not include a required cipher. When a cipher is enabled, it is used with all enabled versions of SSL and TLS that support that cipher. The following is a list of available cipher names:
- SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
- SSL_RSA_FIPS_WITH_DES_CBC_SHA
- TLS_DHE_PSK_WITH_AES_128_CCM_8
- TLS_DHE_PSK_WITH_AES_128_CCM
- TLS_DHE_PSK_WITH_AES_256_CCM_8
- TLS_DHE_PSK_WITH_AES_256_CCM
- TLS_DHE_RSA_WITH_AES_128_CCM_8
- TLS_DHE_RSA_WITH_AES_128_CCM
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_CCM_8
- TLS_DHE_RSA_WITH_AES_256_CCM
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_PSK_WITH_AES_128_CCM_8
- TLS_PSK_WITH_AES_128_CCM
- TLS_PSK_WITH_AES_256_CCM_8
- TLS_PSK_WITH_AES_256_CCM
- TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
- TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
- TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
- TLS_RSA_EXPORT_WITH_RC4_40_MD5
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_CCM_8
- TLS_RSA_WITH_AES_128_CCM
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_CCM_8
- TLS_RSA_WITH_AES_256_CCM
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_DES_CBC_SHA
- TLS_RSA_WITH_NULL_MD5
- TLS_RSA_WITH_NULL_NULL
- TLS_RSA_WITH_NULL_SHA
- TLS_RSA_WITH_RC4_128_MD5
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_NULL_SHA256
- SSL_CK_RC4_128_WITH_MD5
- SSL_CK_RC4_128_EXPORT40_WITH_MD5
- SSL_CK_RC2_128_CBC_WITH_MD5
- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
- SSL_CK_DES_64_CBC_WITH_MD5
- SSL_CK_DES_192_EDE3_CBC_WITH_MD5
- TLS_ECDHE_ECDSA_WITH_NULL_SHA
- TLS_ECDHE_RSA_WITH_NULL_SHA
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_AES_128_CCM_SHA256
- TLS_AES_128_CCM_8_SHA256
Usage:
This stanza entry is required.
Default value
# AES-128
default = TLS_AES_128_GCM_SHA256
default = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
default = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
default = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
default = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# AES-256
default = TLS_AES_256_GCM_SHA384
default = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
default = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
default = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
default = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

The following aliases are the default values prior to version 10.0.0.0:

default = AES-128
default = AES-256

The legacy cipher aliases AES-128 and AES-256 are equivalent to the following default values:

# AES-128
default = TLS_AES_128_CCM_8_SHA256
default = TLS_AES_128_CCM_SHA256
default = TLS_AES_128_GCM_SHA256
default = TLS_RSA_WITH_AES_128_CBC_SHA
default = TLS_RSA_WITH_AES_128_CBC_SHA256
default = TLS_RSA_WITH_AES_128_GCM_SHA256
# AES-256
default = TLS_AES_256_GCM_SHA384
default = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
default = TLS_RSA_WITH_AES_256_CBC_SHA256
default = TLS_RSA_WITH_AES_256_GCM_SHA384
Example:
To specify a selected group of ciphers, create a separate entry for each cipher. For example:
default = RC4-128
default = RC2-128
default = DES-168

The following cipher is the minimum requirement for HTTP/2 over TLS and is not in the set of ciphers specified by the cipher alias "AES-128".

default = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
default = AES-128
default = AES-256
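As an added example (not IBM WebSEAL code), the following Python lint reads a configuration fragment, expands the cipher_level aliases into GSKit cipher names using the table above and the legacy AES-128 / AES-256 expansion given under "Default value", flags suites that a reviewer would treat as weak, and checks whether the HTTP/2 minimum cipher named in this reference is enabled. It assumes the stanza format shown on this page (a `[ssl-qop-mgmt-default]` header followed by one `default = value` line per cipher, with `#` comment lines). The weak-suite markers are this example's own policy, not something the reference defines; the HTTP/2 check tests only for the exact cipher the reference names, because the page does not spell out which suites count as "higher". The stanza `[some-other-stanza]` in the sample input is made up to show that entries outside the target stanza are ignored.

```python
"""Lint a WebSEAL [ssl-qop-mgmt-default] stanza: expand cipher aliases, flag weak
suites and check for the HTTP/2 minimum cipher. Added example, not IBM code; the
alias tables are transcribed from the reference text, the weak-suite policy is
this example's own."""
import re

STANZA = "[ssl-qop-mgmt-default]"
# cipher_level alias -> GSKit cipher name(s), from the reference table; AES-128 and
# AES-256 use the legacy alias expansion the reference gives under "Default value".
ALIASES = {
    "NULL": ["TLS_RSA_WITH_NULL_MD5"],
    "DES-56": ["TLS_RSA_WITH_DES_CBC_SHA"],
    "FIPS-DES-56": ["SSL_RSA_FIPS_WITH_DES_CBC_SHA"],
    "DES-168": ["SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"],
    "FIPS-DES-168": ["TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"],
    "RC2-40": ["TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5"],
    "RC2-128": ["TLS_RC2_CBC_128_CBC_WITH_MD5"],
    "RC4-40": ["TLS_RSA_EXPORT_WITH_RC4_40_MD5"],
    "RC4-56": ["TLS_RSA_EXPORT1024_WITH_RC4_56_SHA"],
    "RC4-128": ["TLS_RSA_WITH_RC4_128_MD5"],
    "AES-128": ["TLS_AES_128_CCM_8_SHA256", "TLS_AES_128_CCM_SHA256",
                "TLS_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
                "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256"],
    "AES-256": ["TLS_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384"],
}
# Cipher the reference names as the minimum for HTTP/2 over TLS.
HTTP2_MIN_CIPHER = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
# Name fragments that mark a suite as weak under this example's policy:
# no encryption, export-grade keys, RC4/RC2, (3)DES, MD5 MAC, SSLv2-era suites.
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "RC2", "DES", "MD5", "SSL_CK_")


def parse_stanza(config_text, stanza=STANZA):
    """Return the 'default' values in `stanza`, in file order, ignoring comments."""
    values, in_stanza = [], False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop '# ...' comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_stanza = line == stanza                  # entries belong to the last header
            continue
        match = re.fullmatch(r"default\s*=\s*(\S+)", line)
        if in_stanza and match:
            values.append(match.group(1))
    return values


def expand(values):
    """Expand cipher_level aliases to GSKit names, pass cipher names through, dedupe."""
    ciphers = []
    for value in values:
        for cipher in ALIASES.get(value, [value]):
            if cipher not in ciphers:
                ciphers.append(cipher)
    return ciphers


def lint(config_text):
    """Evaluate the stanza; return the effective cipher list and a list of findings."""
    values = parse_stanza(config_text)
    findings = []
    if not values:
        findings.append("'default' entry is required but missing")
    if "ALL" in values:
        findings.append("ALL enables every cipher, including the NULL, export, RC4 and DES suites")
    if "NONE" in values:
        findings.append("NONE disables all ciphers")
    ciphers = expand([v for v in values if v not in ("ALL", "NONE")])
    weak = [c for c in ciphers if any(mark in c for mark in WEAK_MARKERS)]
    findings.extend(f"weak cipher enabled: {c}" for c in weak)
    http2_ready = HTTP2_MIN_CIPHER in ciphers
    if not http2_ready:
        findings.append(f"HTTP/2 minimum cipher {HTTP2_MIN_CIPHER} is not enabled")
    return {"values": values, "ciphers": ciphers, "weak": weak,
            "http2_ready": http2_ready, "findings": findings}


# Constructed config fragments built from the two examples in the reference;
# [some-other-stanza] is made up, to show that entries outside the stanza are ignored.
LEGACY_EXAMPLE = """[ssl-qop-mgmt-default]
default = RC4-128
default = RC2-128
default = DES-168

[some-other-stanza]
default = NULL
"""
HTTP2_EXAMPLE = """[ssl-qop-mgmt-default]
default = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
default = AES-128
default = AES-256
"""

if __name__ == "__main__":
    for name, text in (("legacy", LEGACY_EXAMPLE), ("http2", HTTP2_EXAMPLE)):
        report = lint(text)
        print(f"{name}: {len(report['ciphers'])} ciphers, http2_ready={report['http2_ready']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run against the page's first example (RC4-128, RC2-128, DES-168) the lint reports three weak suites and no HTTP/2 support; run against the second example it reports eleven effective ciphers, no weak suites and HTTP/2 readiness, which is the point the reference makes about TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 not being covered by the "AES-128" alias. Because the parser expands aliases the same way for entries in `[ssl-qop-mgmt-networks]`-style overrides, the same functions can be reused for per-network stanzas by passing a different `stanza` name.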