prefer-server-ciphers

This command controls whether to use the server's cipher suite order instead of the client's during cipher suite negotiation.

Syntax

prefer-server-ciphers { on | off }

Parameters

on

Uses the server's cipher suite order. This setting is the default value.

off

Uses the client's cipher suite order.

Guidelines

The prefer-server-ciphers command controls whether to use the server's cipher suite order instead of the client's cipher suite order during cipher suite negotiation.

When the server and the client negotiate which cipher suite to use, the server compares the client's cipher suite list with the server's cipher suite list and selects a shared one for the connection. For example:
  • The client's cipher suite list in order of the client's preference: ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, DHE_RSA_WITH_AES_256_CBC_SHA256, RSA_WITH_AES_256_CBC_SHA256
  • The server's cipher suite list in order of the server's preference: DHE_RSA_WITH_AES_256_CBC_SHA256, RSA_WITH_DES_CBC_SHA, ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
The following rules apply.
  • When enabled, the server selects the first shared cipher suite based on the server's preference. In this case, DHE_RSA_WITH_AES_256_CBC_SHA256 is used.
  • When disabled, the server selects the first shared cipher suite based on the client's preference. In this case, ECDHE_RSA_WITH_3DES_EDE_CBC_SHA is used.
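
The selection rule above, modeled as an added example (not vendor code) that runs the two lists from this page through both settings and flags a result where a weak suite is chosen although a stronger shared suite was available. It also shows that server ordering does not remove a weak suite from the server's list: a client that offers only that suite still negotiates it. The function names and the WEAK_MARKERS classification are assumptions made for the illustration.

```python
# Added illustration; models only the selection rule described on this page.
# Assumption: suites whose names contain these markers are treated as weak.
WEAK_MARKERS = ("_3DES_", "_DES_", "_RC4_", "_NULL_")

def negotiate(client, server, prefer_server_ciphers=True):
    """Return the first shared suite in the preferred side's order, or None."""
    primary, other = (server, client) if prefer_server_ciphers else (client, server)
    offered = set(other)
    for suite in primary:
        if suite in offered:
            return suite
    return None  # no shared suite: the handshake would fail

def is_weak(suite):
    return any(marker in suite for marker in WEAK_MARKERS)

def audit(client, server):
    """Negotiate under both settings; flag a weak choice that was avoidable."""
    shared = [s for s in server if s in client]
    stronger_available = any(not is_weak(s) for s in shared)
    report = {}
    for setting in (True, False):
        chosen = negotiate(client, server, setting)
        avoidable = chosen is not None and is_weak(chosen) and stronger_available
        report["on" if setting else "off"] = {"chosen": chosen, "avoidable_weak": avoidable}
    return report

# The two lists from the example on this page, in preference order.
CLIENT = [
    "ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "DHE_RSA_WITH_AES_256_CBC_SHA256",
    "RSA_WITH_AES_256_CBC_SHA256",
]
SERVER = [
    "DHE_RSA_WITH_AES_256_CBC_SHA256",
    "RSA_WITH_DES_CBC_SHA",
    "ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    for setting, result in audit(CLIENT, SERVER).items():
        print(f"prefer-server-ciphers {setting}: {result}")
    # Constructed client that offers a single weak suite: ordering cannot help,
    # the suite has to be removed from the server's list instead.
    only_weak = ["ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"]
    print("weak-only client, setting on:", negotiate(only_weak, SERVER, True))
```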