ciphers
This command specifies the preference order of cipher suites that the TLS client profile uses to establish a secure connection.
Syntax
- Add a cipher.
- ciphers cipher
- Delete a cipher.
- no ciphers cipher
- Delete all ciphers.
- no ciphers
Parameters
- cipher
- Specifies the cipher suites. The following cipher suits are the default suites in preference
order.
AES_256_GCM_SHA384 CHACHA20_POLY1305_SHA256 AES_128_GCM_SHA256 ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDHE_RSA_WITH_AES_256_CBC_SHA ECDHE_RSA_WITH_AES_128_CBC_SHA DHE_RSA_WITH_AES_256_GCM_SHA384 DHE_RSA_WITH_AES_256_CBC_SHA256 DHE_RSA_WITH_AES_128_GCM_SHA256 DHE_RSA_WITH_AES_128_CBC_SHA256 DHE_RSA_WITH_AES_256_CBC_SHA DHE_RSA_WITH_AES_128_CBC_SHA
Guidelines
The ciphers command specifies the preference order of cipher suites that the TLS profile uses to establish a secure connection. To change the sequence of cipher suites, use the GUI.
The cipher suites correspond to the RFC names without the TLS_ or
SSL_ prefix. For example, RSA_WITH_3DES_EDE_CBC_SHA correspond to
TLS_RSA_WITH_3DES_EDE_CBC_SHA or SSL_RSA_WITH_3DES_EDE_CBC_SHA in
the relevant RFC.
The TLS profile must include at least one cipher suite that matches the associated key material.
- An RSA signing key requires ECDHE_RSA cipher suites.
- An ECDSA signing key requires ECDHE_ECDSA cipher suites.
The TLS profile must include at least one cipher suite that matches the identification
credentials as specified by the idred command.
- When the identification credentials contain RSA keys, you must specify at least one RSA cipher suite.
- When the identification credentials contain ECDSA keys, you must specify at least one ECDSA cipher suite.
To add multiple cipher suites, run the ciphers cipher command for each cipher suite to add.
To remove a cipher suite, use the no ciphers cipher command.
To remove all cipher suites, use the no ciphers command. After you run this command to remove all cipher suites, run the ciphers cipher command to add each needed cipher suite.
The following table lists the supported cipher suites and whether each is a default suite.
| Value | Cipher | Default |
|---|---|---|
0x0001 |
RSA_WITH_NULL_MD5 |
No |
0x0002 |
RSA_WITH_NULL_SHA |
No |
0x0004 |
RSA_WITH_RC4_128_MD5 |
No |
0x0005 |
RSA_WITH_RC4_128_SHA |
No |
0x0009 |
RSA_WITH_DES_CBC_SHA |
No |
0x000A |
RSA_WITH_3DES_EDE_CBC_SHA |
No |
0x0012 |
DHE_DSS_WITH_DES_CBC_SHA |
No |
0x0013 |
DHE_DSS_WITH_3DES_EDE_CBC_SHA |
No |
0x0015 |
DHE_RSA_WITH_DES_CBC_SHA |
No |
0x0016 |
DHE_RSA_WITH_3DES_EDE_CBC_SHA |
No |
0x002F |
RSA_WITH_AES_128_CBC_SHA |
No |
0x0032 |
DHE_DSS_WITH_AES_128_CBC_SHA |
No |
0x0033 |
DHE_RSA_WITH_AES_128_CBC_SHA |
Yes |
0x0035 |
RSA_WITH_AES_256_CBC_SHA |
No |
0x0038 |
DHE_DSS_WITH_AES_256_CBC_SHA |
No |
0x0039 |
DHE_RSA_WITH_AES_256_CBC_SHA |
Yes |
0x003B |
RSA_WITH_NULL_SHA256 |
No |
0x003C |
RSA_WITH_AES_128_CBC_SHA256 |
No |
0x003D |
RSA_WITH_AES_256_CBC_SHA256 |
No |
0x0040 |
DHE_DSS_WITH_AES_128_CBC_SHA256 |
No |
0x0067 |
DHE_RSA_WITH_AES_128_CBC_SHA256 |
Yes |
0x006A |
DHE_DSS_WITH_AES_256_CBC_SHA256 |
No |
0x006B |
DHE_RSA_WITH_AES_256_CBC_SHA256 |
No |
0x009C |
RSA_WITH_AES_128_GCM_SHA256 |
No |
0x009D |
RSA_WITH_AES_256_GCM_SHA384 |
No |
0x009E |
DHE_RSA_WITH_AES_128_GCM_SHA256 |
Yes |
0x009F |
DHE_RSA_WITH_AES_256_GCM_SHA384 |
Yes |
0x00A2 |
DHE_DSS_WITH_AES_128_GCM_SHA256 |
No |
0x00A3 |
DHE_DSS_WITH_AES_256_GCM_SHA384 |
No |
0xC010 |
ECDHE_RSA_WITH_NULL_SHA |
No |
0xC011 |
ECDHE_RSA_WITH_RC4_128_SHA |
No |
0xC012 |
ECDHE_RSA_WITH_3DES_EDE_CBC_SHA |
No |
0xC013 |
ECDHE_RSA_WITH_AES_128_CBC_SHA |
Yes |
0xC014 |
ECDHE_RSA_WITH_AES_256_CBC_SHA |
Yes |
0xC027 |
ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
Yes |
0xC028 |
ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
Yes |
0xC02F |
ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
Yes |
0xC030 |
ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
Yes |
0xC006 |
ECDHE_ECDSA_WITH_NULL_SHA |
No |
0xC007 |
ECDHE_ECDSA_WITH_RC4_128_SHA |
No |
0xC008 |
ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA |
No |
0xC009 |
ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
Yes |
0xC00A |
ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
Yes |
0xC023 |
ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
Yes |
0xC024 |
ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
Yes |
0xC02B |
ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
Yes |
0xC02C |
ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
Yes |
0x1301 |
AES_128_GCM_SHA256 |
Yes |
0x1302 |
AES_256_GCM_SHA384 |
Yes |
0x1303 |
CHACHA20_POLY1305_SHA256 |
Yes |
0x1304 |
AES_128_CCM_SHA256 |
No |
0x1305 |
AES_128_CCM_8_SHA256 |
No |