Cisco Web Security Appliance S390 Operating Instructions
22-24
AsyncOS 10.0 for Cisco Web Security Appliances User Guide
Chapter 22 Perform System Administration Tasks
SSL Configuration
Step 1
Choose System Administration > SSL Configuration.
Step 2
Click Edit Settings.
Step 3
Check the corresponding boxes to enable SSL v3 and TLS v1.x for these services:
•
Appliance Management Web User Interface – Changing this setting will disconnect all active user connections.
•
Proxy Services – Includes HTTPS Proxy and Credential Encryption for Secure Client. This section also includes:
–
Cipher(s) to Use – You can enter additional cipher suites to be used with Proxy Services communications. Use colons (:) to separate the suites. To prevent use of a particular cipher, add an exclamation point (!) to the front of that string. For example, !EXP-DHE-RSA-DES-CBC-SHA.
Be sure to enter only suites appropriate to the TLS/SSL versions you have checked. Refer to
for additional information, and
cipher lists.
The default cipher for AsyncOS versions 9.0 and earlier is DEFAULT:+kEDH. For AsyncOS versions 9.1 and later, the default cipher is EECDH:DSS:RSA:!NULL:!eNULL:!EXPORT:!3DES:!RC4:!RC2:!DES:!SEED:!CAMELLIA:!SRP:!IDEA:!ECDHE-ECDSA-AES256-SHA:!ECDHE-RSA-AES256-SHA:!DHE-DSS-AES256-SHA:!AES256-SHA:DHE-RSA-AES128-SHA. In both cases, the effective list may change based on your ECDHE cipher selections.
Note
Regardless of version, the default cipher does not change when you upgrade to a newer AsyncOS version. For example, when you upgrade from an earlier version to AsyncOS 9.1, the default cipher remains DEFAULT:+kEDH. In other words, following an upgrade, you must update the current cipher suite yourself; Cisco recommends updating to EECDH:DSS:RSA:!NULL:!eNULL:!EXPORT:!3DES:!RC4:!RC2:!DES:!SEED:!CAMELLIA:!SRP:!IDEA:!ECDHE-ECDSA-AES256-SHA:!ECDHE-RSA-AES256-SHA:!DHE-DSS-AES256-SHA:!AES256-SHA:DHE-RSA-AES128-SHA.
–
Disable TLS Compression (Recommended) – You can check this box to disable TLS compression; this is recommended for best security.
•
Secure LDAP Services – Includes Authentication, External Authentication and Secure Mobility.
•
Secure ICAP Services (External DLP) – Select the protocol(s) used to secure ICAP communications between the appliance and external DLP (data loss prevention) servers. See
for more information.
•
Update Service – Select the protocol(s) used for communications between the appliance and
available update servers. See
information about update services.
Note
Cisco's update servers do not support SSL v3; therefore TLS 1.0 or above must be enabled for the Cisco Update service. However, SSL v3 can still be used with a local update server if it is so configured; you must determine which versions of SSL/TLS are supported on that server.
Step 4
Click Submit.
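The cipher strings above use OpenSSL cipher-list syntax, so the quickest way to see what a string actually enables before pasting it into the Cipher(s) to Use field is to expand it with an OpenSSL-backed library and audit the result. The following script is an added example, not code from the Cisco guide or from AsyncOS: it expands the pre-9.1 default (DEFAULT:+kEDH) and the 9.1+ string Cisco recommends after an upgrade, lists the suites each one selects, flags suites that contain a weak algorithm, and flags suites whose key exchange gives no forward secrecy. The WEAK_MARKERS list and the PFS rule (only ECDHE- and DHE- prefixes count as forward secret) are the author's assumptions, not Cisco's definitions, and the exact suite list depends on the OpenSSL version Python is linked against.

```python
import ssl

# Cipher strings quoted from the guide: the default for AsyncOS 9.0 and earlier,
# and the default for 9.1 and later that Cisco recommends applying after an upgrade.
LEGACY_DEFAULT = "DEFAULT:+kEDH"
RECOMMENDED = (
    "EECDH:DSS:RSA:!NULL:!eNULL:!EXPORT:!3DES:!RC4:!RC2:!DES:!SEED:!CAMELLIA:"
    "!SRP:!IDEA:!ECDHE-ECDSA-AES256-SHA:!ECDHE-RSA-AES256-SHA:!DHE-DSS-AES256-SHA:"
    "!AES256-SHA:DHE-RSA-AES128-SHA"
)

# Assumption: any suite whose OpenSSL name contains one of these substrings should
# be rejected by a reviewer (null/export/legacy ciphers, MD5 MAC, SRP).
WEAK_MARKERS = ("NULL", "EXP", "RC4", "RC2", "DES", "SEED", "CAMELLIA", "IDEA", "SRP", "MD5")


def expand_cipher_list(spec):
    """Resolve an OpenSSL cipher string to the ordered list of TLS 1.0-1.2 suite names.

    TLS 1.3 suites are negotiated from a separate list that the cipher string does
    not control, so they are dropped to show only what the string itself selects.
    Raises ssl.SSLError if the string selects nothing (a typo or a '!' that
    excludes everything), which is the check you want before submitting it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(names):
    """Return (weak, no_pfs) for an expanded suite list.

    weak:   suites with a weak algorithm in their name (see WEAK_MARKERS).
    no_pfs: suites whose key exchange is neither ECDHE nor DHE, e.g. static RSA
            suites such as AES128-GCM-SHA256, which offer no forward secrecy.
    """
    weak = [n for n in names if any(m in n for m in WEAK_MARKERS)]
    no_pfs = [n for n in names if not n.startswith(("ECDHE-", "DHE-"))]
    return weak, no_pfs


def compare(old_spec, new_spec):
    """Return (removed, added): suites the new string drops and suites it introduces,
    so the change from the upgrade-era default to the recommended string is explicit."""
    old, new = expand_cipher_list(old_spec), expand_cipher_list(new_spec)
    removed = [n for n in old if n not in new]
    added = [n for n in new if n not in old]
    return removed, added


if __name__ == "__main__":
    for label, spec in (("legacy default", LEGACY_DEFAULT), ("recommended", RECOMMENDED)):
        names = expand_cipher_list(spec)
        weak, no_pfs = audit(names)
        print(f"{label}: {len(names)} suites, first is {names[0]}")
        print(f"  weak:   {weak}")
        print(f"  no PFS: {no_pfs}")
    removed, added = compare(LEGACY_DEFAULT, RECOMMENDED)
    print(f"upgrade removes {len(removed)} suites and adds {len(added)}")
```

Running it shows the property worth knowing before you accept the recommended string as-is: it removes the export, RC4, 3DES and similar suites and puts ECDHE suites first, but the RSA keyword still admits static-RSA key exchange (for example AES128-SHA and AES128-GCM-SHA256), so sessions on those suites have no forward secrecy. If that matters for your deployment, append !kRSA to the string and re-run the audit; the expansion step will also catch a string that selects no suites at all, which is how a stray exclamation point shows up.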