Setting cipher specifications

This topic describes setting cipher specifications for secure transactions.

For each virtual host, set the cipher specifications to use during secure transactions. The specified cipher specifications are validated against the level of the Global Security Kit (GSK) toolkit that is installed on your system. An invalid cipher specification causes an error to be written to the error log. If the client issuing the request does not support any of the specified ciphers, the request fails and the connection to the client is closed.

IHS has a built-in list of cipher specifications to use for communicating with clients over Secure Sockets Layer (SSL). The actual cipher specification used for a particular client connection is selected from those that are supported by both IHS and the client.

Some cipher specifications provide a weaker level of security than others, and might need to be avoided for security reasons. Some of the stronger cipher specifications are more computationally intensive than weaker cipher specifications and might be avoided if required for performance reasons. You can use the SSLCipherSpec directive to provide a customized list of cipher specifications that are supported by the Web server in order to avoid the selection of cipher specifications that are considered too weak or too computationally intensive.

  1. For each virtual host stanza in the configuration file, specify a value on the SSLCipherSpec directive, as in the following examples: SSLCipherSpec short_name or SSLCipherSpec long_name, where short_name and long_name represent the name of an SSL Version 2 cipher specification or an SSL Version 3 and TLS Version 1 cipher specification.

  2. Save the configuration file and restart the server.
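
The following audit script is an added example, not part of the IBM documentation: it scans a configuration file for SSL-enabled virtual host stanzas and reports any that have no SSLCipherSpec directive (so the built-in list applies) or that list a weak cipher specification. The sample configuration is constructed, and the choice of which names count as weak is an assumption to confirm against the cipher tables for your IHS release.

```python
import re

# Constructed sample configuration; addresses and paths are placeholders.
SAMPLE_CONF = """\
<VirtualHost *:443>
  SSLEnable
  SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA
  SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA
</VirtualHost>
<VirtualHost *:8443>
  SSLEnable
  # legacy clients
  SSLCipherSpec SSL_RSA_EXPORT_WITH_RC4_40_MD5
  SSLCipherSpec 39
</VirtualHost>
<VirtualHost *:9443>
  SSLEnable
</VirtualHost>
<VirtualHost *:80>
  DocumentRoot /srv/www
</VirtualHost>
"""

# Assumption (not from the page): long-name fragments this audit treats as weak.
WEAK_PARTS = ("NULL", "EXPORT", "_DES_CBC_", "RC2", "RC4_40", "RC4_56")
# Assumption: short names of NULL, export and 56-bit DES specifications;
# confirm them against the cipher tables for your IHS release.
WEAK_SHORT = {"30", "31", "32", "33", "36", "39", "62", "64"}

STANZA = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
SPEC = re.compile(r"^\s*SSLCipherSpec\s+(\S+)", re.I | re.M)
ENABLED = re.compile(r"^\s*SSLEnable\b", re.I | re.M)

def is_weak(spec):
    """True if a short or long cipher name is on the weak lists above."""
    return spec in WEAK_SHORT or any(p in spec.upper() for p in WEAK_PARTS)

def audit(conf_text):
    """Map each SSL-enabled virtual host address to a list of findings."""
    report = {}
    for addr, body in STANZA.findall(conf_text):
        if not ENABLED.search(body):
            continue  # plain HTTP stanza: no cipher selection happens
        specs = SPEC.findall(body)  # commented-out directives do not match
        if not specs:
            report[addr] = ["no SSLCipherSpec: built-in list applies"]
        else:
            report[addr] = ["weak: " + s for s in specs if is_weak(s)]
    return report

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_CONF).items():
        print(host, findings or "ok")
```
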

 

What to do next

If IBM HTTP Server uses a Verisign Global Server ID for SSL transactions, a 40-bit encryption browser can get a connection to a server at 128-bit encryption. This connection does not work for someone using Internet Explorer 5.01x. You can fix this situation by adding the following directives to the IHS configuration file (add the directives in the order shown):


 

Subtopics

Viewing cipher specifications

SSL Version 2 cipher specifications

SSL Version 3 and TLS Version 1 cipher specifications

 

Related reference

SSL directives