ciphers

This command specifies the cipher suites that the SSL server profile uses to establish a secure connection.

Syntax

ciphers cipher_string

Parameters

cipher_string
Specifies the cipher suites. The following cipher suites are supported.
  • RSA_WITH_NULL_MD5
  • RSA_WITH_NULL_SHA
  • RSA_EXPORT_WITH_RC4_40_MD5
  • RSA_WITH_RC4_128_MD5
  • RSA_WITH_RC4_128_SHA
  • RSA_EXPORT_WITH_RC2_CBC_40_MD5
  • RSA_EXPORT_WITH_DES40_CBC_SHA
  • RSA_WITH_DES_CBC_SHA
  • RSA_WITH_3DES_EDE_CBC_SHA (default)
  • DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  • DHE_DSS_WITH_DES_CBC_SHA
  • DHE_DSS_WITH_3DES_EDE_CBC_SHA (default)
  • DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (default)
  • DHE_RSA_WITH_DES_CBC_SHA
  • DHE_RSA_WITH_3DES_EDE_CBC_SHA (default)
  • RSA_WITH_AES_128_CBC_SHA
  • DHE_DSS_WITH_AES_128_CBC_SHA
  • DHE_RSA_WITH_AES_128_CBC_SHA (default)
  • RSA_WITH_AES_256_CBC_SHA (default)
  • DHE_DSS_WITH_AES_256_CBC_SHA
  • DHE_RSA_WITH_AES_256_CBC_SHA (default)
  • RSA_WITH_NULL_SHA256
  • RSA_WITH_AES_128_CBC_SHA256
  • RSA_WITH_AES_256_CBC_SHA256
  • DHE_DSS_WITH_AES_128_CBC_SHA256
  • DHE_RSA_WITH_AES_128_CBC_SHA256 (default)
  • DHE_DSS_WITH_AES_256_CBC_SHA256
  • DHE_RSA_WITH_AES_256_CBC_SHA256
  • RSA_WITH_AES_128_GCM_SHA256
  • RSA_WITH_AES_256_GCM_SHA384
  • DHE_RSA_WITH_AES_128_GCM_SHA256 (default)
  • DHE_RSA_WITH_AES_256_GCM_SHA384 (default)
  • DHE_DSS_WITH_AES_128_GCM_SHA256
  • DHE_DSS_WITH_AES_256_GCM_SHA384
  • ECDHE_RSA_WITH_NULL_SHA
  • ECDHE_RSA_WITH_RC4_128_SHA
  • ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (default)
  • ECDHE_RSA_WITH_AES_128_CBC_SHA
  • ECDHE_RSA_WITH_AES_256_CBC_SHA
  • ECDHE_RSA_WITH_AES_128_CBC_SHA256 (default)
  • ECDHE_RSA_WITH_AES_256_CBC_SHA384 (default)
  • ECDHE_RSA_WITH_AES_128_GCM_SHA256 (default)
  • ECDHE_RSA_WITH_AES_256_GCM_SHA384 (default)
  • ECDHE_ECDSA_WITH_NULL_SHA
  • ECDHE_ECDSA_WITH_RC4_128_SHA
  • ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (default)
  • ECDHE_ECDSA_WITH_AES_128_CBC_SHA (default)
  • ECDHE_ECDSA_WITH_AES_256_CBC_SHA (default)
  • ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (default)
  • ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (default)
  • ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (default)
  • ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (default)

Guidelines

The ciphers command specifies the cipher suites that the SSL server profile uses to establish a secure connection.

The cipher suites correspond to the RFC names without the TLS_ or SSL_ prefix. For example, RSA_WITH_3DES_EDE_CBC_SHA corresponds to TLS_RSA_WITH_3DES_EDE_CBC_SHA or SSL_RSA_WITH_3DES_EDE_CBC_SHA in the relevant RFC.

The SSL server profile must include at least one cipher suite that matches the associated key material.
  • An RSA signing key requires ECDHE_RSA cipher suites.
  • An ECDSA signing key requires ECDHE_ECDSA cipher suites.
The SSL server profile must include at least one cipher suite that matches the identification credentials as specified by the idcred command.
  • When the identification credentials contain RSA keys, you must specify at least one RSA cipher suite.
  • When the identification credentials contain ECDSA keys, you must specify at least one ECDSA cipher suite.

To specify multiple cipher suites, run this command for each cipher suite.
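
The following audit script is an added example, not part of the product documentation. It reads the ciphers lines of a profile, maps each suite to its RFC name, flags suites with no or weak encryption, and checks the key-match rule above. Assumptions: the sample lines are constructed, the weak-suite classification and the function names are this example's own, and an "RSA" or "ECDSA" cipher suite is taken to be one that names that algorithm before _WITH_.

```python
import re

# Weakness markers, checked in order ("3DES" before "DES" so 3DES is not
# reported as single DES). This classification is an assumption of the example.
WEAK = [
    ("NULL", "no encryption"),
    ("EXPORT", "export-grade key length"),
    ("RC4", "RC4 is prohibited by RFC 7465"),
    ("3DES", "64-bit block cipher (Sweet32)"),
    ("DES", "single DES, 56-bit key"),
]

# Constructed sample: one ciphers command per suite, as the guidelines require.
SAMPLE = """\
ciphers ECDHE_RSA_WITH_AES_256_GCM_SHA384
ciphers ECDHE_RSA_WITH_AES_128_GCM_SHA256
ciphers DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
ciphers ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
ciphers RSA_WITH_RC4_128_SHA
"""

def parse_ciphers(config_text):
    """Return the suite names from 'ciphers <suite>' lines, in order."""
    return re.findall(r"^[ \t]*ciphers[ \t]+(\S+)[ \t]*$", config_text, re.MULTILINE)

def rfc_name(suite):
    """Profile names are the RFC names without the TLS_ prefix."""
    return "TLS_" + suite

def weakness(suite):
    """Return the reason a suite is weak, or None if no marker matches."""
    for marker, reason in WEAK:
        if marker in suite:
            return reason
    return None

def audit(config_text, key_type):
    """key_type is 'RSA' or 'ECDSA', the key type in the identification credentials."""
    suites = parse_ciphers(config_text)
    weak = [(rfc_name(s), weakness(s)) for s in suites if weakness(s)]
    # The part before _WITH_ names key exchange and authentication.
    key_match = any(key_type in s.split("_WITH_")[0].split("_") for s in suites)
    return {"suites": suites, "weak": weak, "key_match": key_match}

if __name__ == "__main__":
    result = audit(SAMPLE, "RSA")
    for name, reason in result["weak"]:
        print(f"WEAK  {name}: {reason}")
    print("key material matched:", result["key_match"])
```
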