Cisco Web Security Appliance S380 User Guide
AsyncOS 9.2 for Cisco Web Security Appliances User Guide
Appendix B Command Line Interface
Web Security Appliance CLI Commands
sslconfig
Commands for configuring use of the TLS v1.x and SSL v3 communication protocols by the Appliance Management Web User Interface, Proxy Services (includes HTTPS Proxy and Credential Encryption for Secure Client), Secure LDAP Services (includes Authentication, External Authentication and Secure Mobility), and the Update Service.
VERSIONS – View and change the protocols enabled for specific services.
COMPRESS – Enable/disable TLS compression. Disabling is recommended for best security.
CIPHERS – Add/update cipher suites available to selected protocols.
The default cipher for AsyncOS versions 9.0 and earlier is DEFAULT:+kEDH. For AsyncOS versions 9.1 and later, the default cipher is EECDH:DSS:RSA:!NULL:!eNULL:!EXPORT:!3DES:!RC4:!RC2:!DES:!SEED:!CAMELLIA:!SRP:!IDEA:!ECDHE-ECDSA-AES256-SHA:!ECDHE-RSA-AES256-SHA:!DHE-DSS-AES256-SHA:!AES256-SHA:DHE-RSA-AES128-SHA. In both cases, this may change based on your ECDHE cipher selections.
Note
However, regardless of version, the default cipher does not change when you upgrade to a newer AsyncOS version. For example, when you upgrade from an earlier version to AsyncOS 9.1, the default cipher is DEFAULT:+kEDH. In other words, following an upgrade, you must update the current cipher suite yourself; Cisco recommends updating to EECDH:DSS:RSA:!NULL:!eNULL:!EXPORT:!3DES:!RC4:!RC2:!DES:!SEED:!CAMELLIA:!SRP:!IDEA:!ECDHE-ECDSA-AES256-SHA:!ECDHE-RSA-AES256-SHA:!DHE-DSS-AES256-SHA:!AES256-SHA:DHE-RSA-AES128-SHA.
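The cipher strings above use OpenSSL cipher-list syntax, so the quickest way to see what a string really permits is to hand it to an OpenSSL-backed TLS library and list the suites that come out. The following is an added example, not code from the Cisco guide or from the appliance itself: it feeds the recommended 9.1+ string to Python's ssl module, checks that the families and suites excluded with ! are in fact absent, and lists the static-RSA suites that the RSA keyword still admits. It assumes the local OpenSSL build linked into Python; the appliance's own OpenSSL version may resolve the same string to a different suite set.

```python
import ssl

# Cipher string the guide recommends for AsyncOS 9.1 and later (copied from the page).
RECOMMENDED = (
    "EECDH:DSS:RSA:!NULL:!eNULL:!EXPORT:!3DES:!RC4:!RC2:!DES:!SEED"
    ":!CAMELLIA:!SRP:!IDEA:!ECDHE-ECDSA-AES256-SHA:!ECDHE-RSA-AES256-SHA"
    ":!DHE-DSS-AES256-SHA:!AES256-SHA:DHE-RSA-AES128-SHA"
)

# Constructed checklist of name fragments that identify the families the string
# excludes with "!". "DES" also covers OpenSSL's 3DES names such as DES-CBC3-SHA;
# "EXP-" is the prefix OpenSSL uses for export-grade suites.
WEAK_MARKERS = ("NULL", "EXP-", "RC4", "RC2", "DES", "SEED", "CAMELLIA", "SRP", "IDEA")

# Individual suites the string disables by exact name.
EXCLUDED_BY_NAME = frozenset({
    "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-RSA-AES256-SHA",
    "DHE-DSS-AES256-SHA",
    "AES256-SHA",
})


def enabled_suites(cipher_string):
    """Suite names the local OpenSSL build enables for an OpenSSL-style cipher string.

    Assumption: the result reflects the OpenSSL linked into this Python; the
    appliance's OpenSSL may resolve the same string differently. TLS 1.3 suites
    (TLS_*) are always listed because set_ciphers() does not govern them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites_enabled(cipher_string):
    """Enabled suites that violate the exclusions the string is meant to enforce."""
    return [
        name
        for name in enabled_suites(cipher_string)
        if name in EXCLUDED_BY_NAME or any(marker in name for marker in WEAK_MARKERS)
    ]


def non_forward_secret_suites(cipher_string):
    """Enabled suites whose key exchange is not ephemeral (EC)DH.

    Name-based check: ECDHE-*/DHE-* suites and TLS 1.3 (TLS_*) suites provide
    forward secrecy; anything else (for example static-RSA AES128-GCM-SHA256)
    does not. The "RSA" keyword in the recommended string keeps such suites on.
    """
    return [
        name
        for name in enabled_suites(cipher_string)
        if not name.startswith(("ECDHE-", "DHE-", "TLS_"))
    ]


if __name__ == "__main__":
    suites = enabled_suites(RECOMMENDED)
    print(f"{len(suites)} suites enabled by the recommended string")
    print("excluded families leaking through:", weak_suites_enabled(RECOMMENDED) or "none")
    print("suites without forward secrecy:", non_forward_secret_suites(RECOMMENDED) or "none")
```

Run it after editing a cipher string and before applying it on the appliance: an empty list from weak_suites_enabled confirms the ! exclusions hold on the local build, while a non-empty list from non_forward_secret_suites shows that the string still admits static-RSA key exchange, which is the cost of keeping the RSA keyword for clients that cannot negotiate ECDHE.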
FALLBACK – Enable/disable the SSL/TLS fall-back option. If enabled, communications with remote servers will fall back to the lowest configured protocol following a handshake failure.
After a protocol version is negotiated between client and server, handshake failure is possible because of implementation issues. If this option is enabled, the proxy attempts to connect using the lowest version of the currently configured TLS/SSL protocols.
Note
On new AsyncOS 9.x installations, fall-back is disabled by default. For upgrades from earlier versions on which the fall-back option exists, the current setting is retained; otherwise, when upgrading from a version on which the option did not exist, fall-back is enabled by default.
ECDHE – Enable/disable use of ECDHE ciphers for LDAP.
Additional ECDH ciphers are supported in successive releases; however, certain named curves provided with some of the additional ciphers cause the appliance to close a connection during secure LDAP authentication and HTTPS traffic decryption. See for more information about specifying additional ciphers.
If you experience these issues, use this option to disable or enable ECDHE cipher use for either or both features.
status
Displays system status.