
Table Of Contents

CWMP Technology Commands

service cwmp

keystore import-pkcs12

service http


CWMP Technology Commands


This chapter contains information about the command line interface (CLI) commands that you can use to manage and monitor the CPE WAN Management Protocol (CWMP) technology on the Broadband Access Center (BAC) Device Provisioning Engine (DPE).

Using the commands described in this chapter, you can configure settings for the CWMP services and the HTTP file services on the DPE. Both services feature individual instances: service 1 and service 2, each of which you must configure separately.

BAC supports different instances so that you can configure different options for each service. For example, CWMP service 1 is, by default, configured to require HTTP digest authentication, but without support for HTTP over SSL/TLS. This service is configured to run on port 7547 and is enabled by default. CWMP service 2 is configured on port 7547 with HTTP over SSL/TLS, but is disabled by default. You can reconfigure any of these defaults for each service to suit your requirements. See Table 4-1 for the default configuration for each service.

Table 4-1 Default Settings for CWMP Technology

| Setting | CWMP Service 1 | CWMP Service 2 | HTTP File Service 1 | HTTP File Service 2 |
| --- | --- | --- | --- | --- |
| Mode | Enabled | Disabled | Enabled | Disabled |
| Authentication | Digest | Digest | Digest | Digest |
| Port Number | 7547 | 7548 | 7549 | 7550 |
| HTTP over SSL/TLS | Disabled | Enabled | Disabled | Enabled |



Note You cannot globally enable or disable CWMP-related services. You can enable or disable CWMP features only individually.


The commands described in this chapter are:

service cwmp

service cwmp num allow-unknown-cpe

service cwmp num client-auth mode

service cwmp num enable {true | false}

service cwmp num port port

service cwmp session timeout value

service cwmp num ssl client-auth mode

service cwmp num ssl client-auth client-cert-css-ext

service cwmp num ssl cipher {all-cipher-suites | value}

service cwmp num ssl enable {true | false}

service cwmp num ssl keystore keystore-filename keystore-password key-password

keystore import-pkcs12

service http

service http num client-auth mode

service http num enable {true | false}

service http num port port

service http num ssl client-auth mode

service http num ssl client-auth client-cert-css-ext

service http num ssl cipher {all-cipher-suites | value}

service http num ssl enable {true | false}

service http num ssl keystore keystore-filename keystore-password key-password

service cwmp

This is the global syntax of the commands that you can use to configure various settings for the CWMP service running on the DPE. Using these commands, you can:

Enable the CWMP service

Specify the instance of the service

Configure client authentication and client certificate authentication

Set the port number for the service

Configure the service to use HTTP over SSL/TLS.

Use service cwmp in conjunction with the commands listed in Table 4-2.


Note When using these commands, you must restart the DPE—unless specified otherwise—for the changes to take effect. To restart the DPE, run the dpe reload command (see dpe reload, page 3-5).


Table 4-2 List of service cwmp Commands 

Command Usage
Syntax Description
Examples

service cwmp num allow-unknown-cpe

no service cwmp num allow-unknown-cpe

Enables or disables the DPE to request configuration from the RDU for devices unknown to the DPE.

Note Enabling this feature may allow a Denial of Service attack on the RDU.
You need not restart the DPE for this command to take effect.

num—Identifies the CWMP service, which could be 1 or 2.

dpe# service cwmp 1 allow-unknown-cpe
% OK

service cwmp num client-auth mode

Enables or disables client authentication by using HTTP for the CWMP service on the DPE.

For a list of authentication options in BAC, refer to the Cisco Broadband Access Center Administrator's Guide, Release 3.0.

num—Identifies the CWMP service, which could be 1 or 2.

mode—Identifies the client authentication mode for the CWMP service. The client authentication mode could be:

basic—Enables Basic HTTP authentication.

digest—Enables Digest HTTP authentication. This is the default configuration.

none—Disables Basic and Digest authentication. In this mode, the CWMP service uses the Device ID in the Inform message to authenticate CPE.

Note To limit security risks during client authentication, Cisco recommends using the Digest mode (the default configuration). It is not advisable to allow client authentication in the Basic mode, or altogether disable Basic and Digest authentication.

dpe# service cwmp 1 client-auth digest
% OK (Digest authentication was enabled. Basic authentication was disabled. Requires DPE restart "# dpe reload")

service cwmp num enable {true | false}

Enables or disables the CWMP service running on the DPE.

num—Identifies the CWMP service, which could be 1 or 2.

By default, the CWMP service is:

Enabled on service 1.

Disabled on service 2.

true—Enables the CWMP service.

false—Disables the CWMP service.

dpe# service cwmp 2 enable true
% OK (Requires DPE restart "# dpe reload")

service cwmp num port port

Identifies the port on which the CWMP service communicates with the CPE. By specifying a different port number, this command enables the DPE to prevent potential sharing violations among ports used by other applications.

num—Identifies the CWMP service, which could be 1 or 2.

port—Identifies the port number that the service is to use.

By default, the CWMP service is configured to listen on:

Port 7547 for service 1.

Port 7548 for service 2.

dpe# service cwmp 1 port 7547
% OK (Requires DPE restart "# dpe reload")

service cwmp session timeout value

Sets the duration for timing out a CWMP session.

Note You need not restart the DPE for this command to take effect.

value—Identifies the timeout period for the CWMP session, in milliseconds (ms). The timeout period could be anything between 1000 ms (1 second) and 3000000 ms (50 minutes).

By default, the duration for a timeout is set as 60000 ms or 60 seconds.

dpe# service cwmp session timeout 60000
% OK

service cwmp num ssl client-auth mode

Enables or disables client certificate authentication using HTTP over SSL/TLS for the CWMP service running on the DPE.

For a list of authentication options in BAC, refer to the Cisco Broadband Access Center Administrator's Guide, Release 3.0.

num—Identifies the CWMP service, which could be 1 or 2.

By default, client certificate authentication with SSL/TLS is:

Disabled for service 1.

Disabled for service 2.

mode—Identifies the mode of client certificate authentication for the CWMP service. BAC supports:

client-cert-generic—Enables client certificate authentication through SSL/TLS by using a generic certificate common to all CPE or a large subset of CPE. The client certificate is validated by using the signing certificate authority's public key. This key is preconfigured in the DPE keystore. This certificate-validation process ensures that the certificate is valid, but does not establish the identity of a device. Therefore, the device identifier is not formed by using the data in the CN field of the client certificate. Instead, the device identifier is formed by using the data provided via Basic or Digest authentication, or by using the data in the CWMP Inform message.

client-cert-unique—Enables client certificate authentication through SSL/TLS by using the unique certificate that each CPE provides. After the client certificate is validated by using the signing certificate authority's public key, the device's unique identifier is formed by using the CN field of the client certificate.

none—Disables client certificate authentication by using HTTP over SSL/TLS for the CWMP service.

Example 1

dpe# service cwmp 1 ssl client-auth client-cert-generic
% OK (Requires DPE restart "# dpe reload")

Example 2

dpe# service cwmp 1 ssl client-auth client-cert-unique
% OK (Requires DPE restart "# dpe reload")

service cwmp num ssl client-auth client-cert-css-ext

Enables the authentication of CPE whose HTTP over SSL/TLS connection was terminated at a Cisco CSS 11500 Series Content Services Switch (CSS 11500). The downstream CSS extracts information about the SSL session, specifically client certificate fields, from the CPE device and inserts that data into various HTTP headers. BAC then retrieves the CN field from the CSS header ClientCert-Subject-CN to form the unique device identifier.

Note Before enabling this command, ensure that you configure CSS to insert the client certificate fields into the HTTP header. For detailed information, see the Cisco Content Services Switch SSL Configuration Guide (Software Version 7.40).

For a list of authentication options in BAC, refer to the Cisco Broadband Access Center Administrator's Guide, Release 3.0.

num—Identifies the CWMP service, which could be 1 or 2.

By default, client certificate authentication by using HTTP over SSL/TLS for the CWMP service is:

Disabled for service 1.

Disabled for service 2.

dpe# service cwmp 1 ssl client-auth client-cert-css-ext
% OK (Requires DPE restart "# dpe reload")

service cwmp num ssl cipher {all-cipher-suites | value}

no service cwmp num ssl cipher {all-cipher-suites | value}

Enables or disables authentication between the DPE server and CPE by using cryptographic algorithms, or ciphers, supported by HTTP over SSL/TLS for certificate management and session management. During an SSL handshake, the DPE server and a CPE device identify the strongest cipher suite enabled on both, and use that suite for the SSL session.

Note BAC supports a list of cipher suites that you can configure from the DPE command line interface. For a list of cipher suites supported in BAC, see Table 4-5.

num—Identifies the CWMP service, which could be 1 or 2.

all-cipher-suites—Enables all the cipher suites to authenticate a session by using HTTP over SSL/TLS for the CWMP service. This is the default configuration.

Note The service cwmp ssl cipher all-cipher-suites command works only if you have not configured any individual ciphers. To disable an individual cipher suite, use the no service cwmp ssl cipher value command. To disable all ciphers, use the no service cwmp ssl cipher all-cipher-suites command.

value—Identifies the individual cipher to be enabled for authenticating a session by using HTTP over SSL/TLS for the CWMP service. You can enable or disable any cipher suite.

Each cipher suite specifies a set of algorithms that are associated with a specific cryptography function. For a list of cryptography algorithms supported in BAC, see Table 4-4.

Example 1

dpe# service cwmp 1 ssl cipher all-cipher-suites
% OK (Requires DPE restart "# dpe reload")

Example 2

dpe# service cwmp 1 ssl cipher ssl_dh_anon_with_des_cbc_sha
% OK (Requires DPE restart "# dpe reload")

service cwmp num ssl enable {true | false}

Enables or disables use of HTTP over SSL/TLS for the CWMP service on the DPE.

Note The CWMP service will fail to start up if you do not configure the keystore file and the keystore passwords before restarting the DPE. For information on how to configure a keystore file and keystore passwords, see the Cisco Broadband Access Center Administrator's Guide, Release 3.0.

num—Identifies the CWMP service, which could be 1 or 2.

true—Enables SSL/TLS transport. This is the default configuration for service 2.

false—Disables SSL/TLS transport. This is the default configuration for service 1.

dpe# service cwmp 1 ssl enable true
% OK (Requires DPE restart "# dpe reload")

service cwmp num ssl keystore keystore-filename keystore-password key-password

Sets a keystore file, which contains the provisioning server certificate. This certificate is used to authenticate the provisioning server to the devices by using HTTP over SSL/TLS.

Note This setting is relevant only if the service instance is enabled (as in the case of service cwmp 2, which is by default disabled), and the SSL/TLS protocol is enabled for that service. To enable SSL/TLS transport, use the service cwmp num ssl enable true command.

num—Identifies the CWMP service, which could be 1 or 2.

keystore-filename—Identifies the keystore file that you created previously.

keystore-password—Identifies the keystore password that you used when you created your keystore file. The keystore password must be between 6 and 30 characters.

key-password—Identifies the private key password that you used when you created your keystore file. The private key password must be between 6 and 30 characters.

dpe# service cwmp 1 ssl keystore example.keystore changeme changeme
% OK (Requires DPE restart "# dpe reload")

The DPE ships with a default sample keystore, which contains a self-signed certificate. However, because a CWMP device does not trust a self-signed certificate, you cannot use this keystore to enable HTTP over SSL/TLS to provision a device; instead, you must obtain a signed service provider certificate and keystore. For detailed information, see the Cisco Broadband Access Center Administrator's Guide, Release 3.0.


keystore import-pkcs12

Use this command to import an existing private key and certificate into a DPE-compatible file used in authenticating the DPE to SSL clients. The keystore import-pkcs12 command opens a PKCS#12 file, reads the contents, and writes a new keystore in the Sun-proprietary Java keystore format called JKS.

The PKCS#12 file format is a standard used for storing certificates and private keys; for example, an imported certificate from a Microsoft Windows 2000 IIS 5.0 server.


Note If your private key and certificate are stored in separate files, combine them into a single PKCS#12 file before running the keystore import-pkcs12 command.
You can use the syntax described in the following example, where the openssl command combines the keys in example.key and the certificate in the example.crt file into the example.pkcs12 file:
# openssl pkcs12 -inkey example.key -in example.crt -export -out example.pkcs12


Syntax Description

keystore import-pkcs12 keystore-filename pkcs12-filename keystore-password key-password export-password export-key-password

keystore-filename—Identifies the JKS keystore file that will be created. If it already exists, it will be overwritten.


Note Remember to specify the full path of the keystore file.


pkcs12-filename—Identifies the PKCS#12 file from which you intend to import the key and certificate.

keystore-password—Identifies the private key password and the keystore password that you used when you created your keystore file. This password must be between 6 and 30 characters.

key-password—Identifies the password used to access keys within the DPE keystore. This password must be between 6 and 30 characters.

export-password—Identifies the password used to decrypt the key in the PKCS#12 file. The export password must be between 6 and 30 characters.

export-key-password—Identifies the password used to access keys within the PKCS#12 keystore. This password must be between 6 and 30 characters.

Examples

dpe# keystore import-pkcs12 example.keystore example.pkcs12 changeme changeme changeme changeme
% Reading alias [1]

% Reading alias [1]: key with format [PKCS8] algorithm [RSA]

% Reading alias [1]: cert type [X.509]

% Created JKS keystore: example.keystore

% OK

service http

This is the global syntax of the commands that you use to configure various settings for the HTTP service running on the DPE. Using these commands, you can:

Enable the service

Specify the instance of the service

Configure client authentication and client certificate authentication

Set the port number for the service

Configure the service to use HTTP over SSL/TLS

Use service http in conjunction with the list of commands described in Table 4-3.


Note When using these commands, you must restart the DPE—unless specified otherwise—for the changes to take effect. To restart the DPE, run the dpe reload command (see dpe reload, page 3-5).


Table 4-3 List of service http Commands 

Command Usage
Syntax Description
Examples

service http num client-auth mode

Enables or disables client authentication for the HTTP file service on the DPE.

For a list of authentication options in BAC, refer to the Cisco Broadband Access Center Administrator's Guide, Release 3.0.

num—Identifies the HTTP file service, which could be 1 or 2.

mode—Identifies the client authentication mode for the HTTP file service. The client authentication mode could be:

basic—Enables Basic HTTP file service authentication.

digest—Enables Digest HTTP file service authentication. This is the default configuration.

none—Disables Basic and Digest authentication. In this mode, the HTTP file service uses the Device ID in the Inform message to authenticate CPE.

Note To limit security risks during client authentication, Cisco recommends using the Digest mode (the default configuration). It is not advisable to allow client authentication in the Basic mode, or disable Basic and Digest authentication.

dpe# service http 1 client-auth digest
% OK (Digest authentication was enabled. Basic authentication was disabled. Requires DPE restart "# dpe reload")

service http num enable {true | false}

Enables or disables the HTTP file service running on the DPE.

num—Identifies the HTTP file service, which could be 1 or 2.

By default, the HTTP file service is:

Enabled on service 1.

Disabled on service 2.

true—Enables the HTTP file service.

false—Disables the HTTP file service.

dpe# service http 2 enable true
% OK (Requires DPE restart "# dpe reload")

service http num port port

Identifies the port on which the HTTP file service communicates with a CPE device. By specifying a different port number, this command enables the DPE to prevent potential sharing violations among ports used by other applications.

num—Identifies the HTTP file service, which could be 1 or 2.

By default, the HTTP file service is configured to listen on:

Port 7549 for service 1.

Port 7550 for service 2.

port—Identifies the port number that the service is to use.

Note The service http port command does not check if the port number specified is being used by other applications or system utilities.

dpe# service http 1 port 7549
% OK (Requires DPE restart "# dpe reload")

service http num ssl client-auth mode

Enables or disables client certificate authentication by using HTTP over SSL/TLS for the HTTP file service running on the DPE.

For a list of authentication options in BAC, refer to the Cisco Broadband Access Center Administrator's Guide, Release 3.0.

num—Identifies the HTTP file service, which could be 1 or 2.

By default, client certificate authentication by using HTTP over SSL/TLS for the HTTP file service is:

Disabled for service 1.

Disabled for service 2.

mode—Identifies the mode of client certificate authentication for the HTTP file service. BAC supports:

client-cert-generic—Enables client certificate authentication through SSL/TLS by using a generic certificate common to all CPE or a large subset of CPE. The public key of the signing certificate authority is used to validate the client certificate. This key is preconfigured in the DPE keystore. This certificate validation process ensures that the certificate is valid, but does not establish identity of a given device. Therefore, the device identifier is not formed by using the data in the CN field of the client certificate. Instead, the device identifier is formed by using the data provided via Basic or Digest authentication, or by using the data in the CWMP Inform message.

client-cert-unique—Enables client certificate authentication through SSL/TLS using the unique certificate provided by each CPE. After the client certificate is validated by using the signing certificate authority's public key, the device's unique identifier is formed by using the CN field of the client certificate.

none—Disables client certificate authentication by using HTTP over SSL/TLS.

Example 1

dpe# service http 1 ssl client-auth client-cert-generic
% OK (Requires DPE restart "# dpe reload")

Example 2

dpe# service http 1 ssl client-auth client-cert-unique
% OK (Requires DPE restart "# dpe reload")

service http num ssl client-auth client-cert-css-ext

Enables the authentication of CPE whose HTTP over SSL/TLS connection was terminated at a Cisco CSS 11500 Series Content Services Switch (CSS 11500). The downstream CSS extracts information about the SSL session, specifically client certificate fields, from the CPE device, and inserts that data into various HTTP headers. BAC then retrieves the CN field from the CSS header ClientCert-Subject-CN to form the unique device identifier.

Note Before enabling this command, ensure that you configure CSS to insert the client certificate fields into the HTTP header. For detailed information, see the Cisco Content Services Switch SSL Configuration Guide (Software Version 7.40).

For a list of authentication options in BAC, refer to the Cisco Broadband Access Center Administrator's Guide, Release 3.0.

num—Identifies the HTTP file service, which could be 1 or 2.

By default, client certificate authentication by using HTTP over SSL/TLS for the HTTP file service is:

Disabled for service 1.

Disabled for service 2.

dpe# service http 1 ssl client-auth client-cert-css-ext
% OK (Requires DPE restart "# dpe reload")

service http num ssl cipher {all-cipher-suites | value}

no service http num ssl cipher {all-cipher-suites | value}

Enables or disables authentication between the DPE server and CPE by using cryptographic algorithms, or ciphers, that HTTP supports over SSL/TLS for certificate management and session management. During an SSL handshake, the DPE server and a CPE device identify the strongest cipher suite enabled on both, and use that suite for the SSL session.

Note BAC supports a list of cipher suites that you can configure from the DPE command line interface. For a list of cipher suites that BAC supports, see Table 4-5.

num—Identifies the HTTP file service, which could be 1 or 2.

all-cipher-suites—Enables all the cipher suites to authenticate a session by using HTTP over SSL/TLS for the HTTP file service. This is the default configuration.

Note The service http ssl cipher all-cipher-suites command works only if you have not configured any individual ciphers. To remove an individual cipher suite, use the no service http ssl cipher value command. To disable all ciphers, use the no service http ssl cipher all-cipher-suites command.

value—Identifies the individual cipher to be enabled for authenticating a session using HTTP over SSL/TLS for the HTTP file service. You can enable or disable any cipher suite.

Each cipher suite specifies a set of algorithms that are associated with a specific cryptography function. For a list of cryptography algorithms that BAC supports, see Table 4-4.

Example 1

dpe# service http 1 ssl cipher all-cipher-suites
% OK (Requires DPE restart "# dpe reload")

Example 2

dpe# service http 1 ssl cipher ssl_dh_anon_with_des_cbc_sha
% OK (Requires DPE restart "# dpe reload")

service http num ssl enable {true | false}

Enables or disables use of HTTP over SSL/TLS for the HTTP file service on the DPE.

Note The HTTP file service will fail to start up if you do not configure the keystore file and the keystore passwords before restarting the DPE. For information on how to configure a keystore file and keystore passwords, see the Cisco Broadband Access Center Administrator's Guide, Release 3.0.

num—Identifies the HTTP file service, which could be 1 or 2.

true—Enables SSL/TLS transport. This is the default configuration for service 2.

false—Disables SSL/TLS transport. This is the default configuration for service 1.

dpe# service http 1 ssl enable true
% OK (Requires DPE restart "# dpe reload")

service http num ssl keystore keystore-filename keystore-password key-password

Sets a keystore file, which contains the provisioning server certificate. This certificate is used to authenticate the provisioning server to the devices by using HTTP over SSL/TLS.

Note This setting is only relevant if the service instance is enabled (as in the case of service http 2, which is by default disabled) and HTTP over SSL/TLS is enabled for the service. To enable SSL/TLS transport, use the service http num ssl enable true command.

num—Identifies the HTTP file service, which could be 1 or 2.

keystore-filename—Identifies the keystore file that you created previously.

keystore-password—Identifies the keystore password that you used when you created your keystore file. The keystore password must be between 6 and 30 characters.

key-password—Identifies the private key password that you used when you created your keystore file. The private key password must be between 6 and 30 characters.

dpe# service http 1 ssl keystore example.keystore changeme changeme
% OK (Requires DPE restart "# dpe reload")

The DPE ships with a default sample keystore, which contains a self-signed certificate. However, because a CWMP device does not trust a self-signed certificate, you cannot use this keystore to enable HTTP over SSL/TLS to provision a device; instead, you must obtain a signed service provider certificate and keystore. For detailed information on how to obtain a signed service provider certificate and keystore, see the Cisco Broadband Access Center Administrator's Guide, Release 3.0.
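
The defaults in Table 4-1 and the Notes in Tables 4-2 and 4-3 can be checked mechanically against a DPE command script. The following Python example is added here and is not Cisco code: it replays command lines in the syntax this chapter lists and reports the settings the Notes warn about. The finding names, the SAMPLE input, and the assumed default for allow-unknown-cpe are constructed for illustration.

```python
import re

def default_state():
    """Per-instance defaults from Table 4-1 of this chapter."""
    state = {}
    for svc, ports in (("cwmp", (7547, 7548)), ("http", (7549, 7550))):
        for num in (1, 2):
            state[(svc, num)] = {
                "enabled": num == 1, "client_auth": "digest",
                "port": ports[num - 1], "ssl": num == 2,
                "ssl_client_auth": "none",
                # Assumption: the chapter does not state this default.
                "allow_unknown_cpe": False,
            }
    return state

# Matches "[no] service {cwmp|http} <num> ..." with an optional "dpe# " prompt.
LINE = re.compile(r"^(?:dpe#\s*)?(no\s+)?service\s+(cwmp|http)\s+([12])\s+(.+)$")

def apply_commands(lines):
    """Replay CLI lines, in the syntax this chapter lists, over the defaults."""
    state = default_state()
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # e.g. session timeout or keystore commands: not audited
        cfg = state[(m.group(2), int(m.group(3)))]
        negate, words = bool(m.group(1)), m.group(4).split()
        if words == ["allow-unknown-cpe"]:
            cfg["allow_unknown_cpe"] = not negate
        elif len(words) == 2 and words[0] == "client-auth":
            cfg["client_auth"] = words[1]
        elif len(words) == 2 and words[0] == "enable":
            cfg["enabled"] = words[1] == "true"
        elif len(words) == 2 and words[0] == "port":
            cfg["port"] = int(words[1])
        elif len(words) == 3 and words[:2] == ["ssl", "enable"]:
            cfg["ssl"] = words[2] == "true"
        elif len(words) == 3 and words[:2] == ["ssl", "client-auth"]:
            cfg["ssl_client_auth"] = words[2]
    return state

def audit(state):
    """Return (instance, finding) pairs for enabled service instances."""
    findings, ports = [], {}
    for (svc, num), cfg in sorted(state.items()):
        if not cfg["enabled"]:
            continue
        name = f"{svc} {num}"
        cert = cfg["ssl_client_auth"]
        # Only these modes form the device identifier from the certificate CN.
        cert_identity = cert == "client-cert-css-ext" or (
            cert == "client-cert-unique" and cfg["ssl"])
        if cfg["client_auth"] == "basic":
            findings.append((name, "client-auth-basic"))
        elif cfg["client_auth"] == "none" and not cert_identity:
            # Device ID comes from the Inform message alone.
            findings.append((name, "identity-from-inform-only"))
        if cfg["allow_unknown_cpe"]:
            findings.append((name, "allow-unknown-cpe"))  # DoS risk to the RDU
        if cert in ("client-cert-generic", "client-cert-unique") and not cfg["ssl"]:
            findings.append((name, "client-cert-without-ssl"))
        if cfg["port"] in ports:
            # The port commands do not check for ports already in use.
            findings.append((name, f"port-clash-with {ports[cfg['port']]}"))
        ports.setdefault(cfg["port"], name)
    return findings

# Constructed sample input, not taken from a real DPE.
SAMPLE = [
    "dpe# service cwmp 1 client-auth none",
    "dpe# service cwmp 1 allow-unknown-cpe",
    "dpe# service cwmp 2 enable true",
    "dpe# service cwmp 2 ssl client-auth client-cert-generic",
    "dpe# service http 1 client-auth basic",
    "dpe# service http 2 enable true",
    "dpe# service http 2 port 7548",
]

if __name__ == "__main__":
    for instance, finding in audit(apply_commands(SAMPLE)):
        print(instance, finding)
```

With client-cert-generic the certificate does not identify the device, so the audit still expects Basic or Digest authentication on that instance; only client-cert-unique (with SSL/TLS enabled) or client-cert-css-ext is treated as supplying the identifier.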


Selecting Cipher Suites

A typical SSL session requires encryption ciphers to establish and maintain the secure connection. Cipher suites provide the cryptographic algorithms that the SSL/TLS protocol requires to authenticate client/server exchanges, and establish and maintain secure connections.

Table 4-4 defines the cryptography algorithms supported in this release of BAC:

Table 4-4 Cryptography Algorithms Supported in BAC

| Cryptography Function | Algorithms Supported in BAC |
| --- | --- |
| SSL versions | SSL version 3.0 and Transport Layer Security (TLS) version 1.0 |
| Public key exchange and key agreement algorithms | RSA (key exchange and key agreement algorithm): The Rivest, Shamir, and Adleman algorithm used for encryption and digital signatures (512-bit, 768-bit, 1024-bit, and 2048-bit). |
| | DSA (certificate signing algorithm): The Digital Signature Algorithm used as part of the Digital Signature Standard (DSS) (512-bit, 768-bit, and 1024-bit). |
| | Diffie-Hellman (key exchange algorithm) (512-bit, 768-bit, 1024-bit, and 2048-bit). |
| Encryption types | DES: The Data Encryption Standard applies a 56-bit key to each 64-bit block of data. This key is used for encryption and decryption. |
| | 3DES or Triple DES: The Triple-Strength Data Encryption Standard, in which DES is used with three keys. |
| | RC4: The Rivest Cipher 4, which is a variable key-size stream cipher used for file encryption. |
| Message authentication algorithms | MD5 (Message Digest 5): The algorithm used in digital signature applications to produce a 128-bit message digest, which is unique to the message and can be used to verify data integrity. |
| | Secure Hash Algorithm (SHA): The algorithm used in the Digital Signature Standard to produce a 160-bit hash value. |



Note For detailed information on cipher suites, see the Cisco Content Services Switch SSL Configuration Guide (Software Version 7.40).



Caution The dh-anon series of cipher suites is intended for completely anonymous Diffie-Hellman communications in which neither party is authenticated. Note that these cipher suites are vulnerable to attacks.

Cipher suites with "export" in the title indicate that they are intended for use outside the United States, and that they have encryption algorithms with limited key sizes; for example, 3DES or RC4 with 128-bit encryption.

Table 4-5 Cipher Suites Supported in BAC

| Cipher Suite | Exportable | Key Exchange Algorithm Used |
| --- | --- | --- |
| all-cipher-suites | No | EDH * |
| ssl_dh_anon_export_with_des40_cbc_sha | Yes | DH ** |
| ssl_dh_anon_with_des_cbc_sha | No | DH ** |
| ssl_dh_anon_export_with_rc4_40_md5 | Yes | DH ** |
| ssl_dh_anon_with_3des_ede_cbc_sha | No | DH ** |
| ssl_dhe_dss_with_des_cbc_sha | No | DH ** |
| ssl_dh_anon_with_rc4_128_md5 | No | DH ** |
| ssl_dhe_dss_export_with_des40_cbc_sha | Yes | EDH * |
| ssl_dhe_dss_with_3des_ede_cbc_sha | No | EDH * |
| ssl_dhe_rsa_export_with_des40_cbc_sha | Yes | EDH * |
| ssl_dhe_rsa_with_3des_ede_cbc_sha | No | EDH * |
| ssl_dhe_rsa_with_des_cbc_sha | No | EDH * |
| ssl_rsa_export_with_des40_cbc_sha | Yes | RSA |
| ssl_rsa_export_with_rc4_40_md5 | Yes | RSA |
| ssl_rsa_with_3des_ede_cbc_sha | No | RSA |
| ssl_rsa_with_des_cbc_sha | No | RSA |
| ssl_rsa_with_null_md5 | No | RSA |
| ssl_rsa_with_null_sha | No | RSA |
| ssl_rsa_with_rc4_128_md5 | No | RSA |
| ssl_rsa_with_rc4_128_sha | No | RSA |
| tls_dh_anon_with_aes_128_cbc_sha | No | DH ** |
| tls_dhe_dss_with_aes_128_cbc_sha | No | EDH * |
| tls_dhe_rsa_with_aes_128_cbc_sha | No | EDH * |
| tls_rsa_with_aes_128_cbc_sha | No | RSA |

* refers to the Ephemeral Diffie-Hellman algorithm
** refers to the Diffie-Hellman algorithm.
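
Because all-cipher-suites is the default, every suite in Table 4-5 is negotiable until individual ciphers are configured, including the dh-anon, export, and null suites. The following Python example is added here and is not Cisco code: it parses the Table 4-5 names, flags each suite, and lists the enable commands for the unflagged suites in the syntax this chapter gives. The flag names and the policy (which does not flag 3DES) are assumptions for illustration, and the generated commands have not been run against a DPE.

```python
import re

# Cipher suite names exactly as listed in Table 4-5 of this chapter.
TABLE_4_5 = """
ssl_dh_anon_export_with_des40_cbc_sha ssl_dh_anon_with_des_cbc_sha
ssl_dh_anon_export_with_rc4_40_md5 ssl_dh_anon_with_3des_ede_cbc_sha
ssl_dhe_dss_with_des_cbc_sha ssl_dh_anon_with_rc4_128_md5
ssl_dhe_dss_export_with_des40_cbc_sha ssl_dhe_dss_with_3des_ede_cbc_sha
ssl_dhe_rsa_export_with_des40_cbc_sha ssl_dhe_rsa_with_3des_ede_cbc_sha
ssl_dhe_rsa_with_des_cbc_sha ssl_rsa_export_with_des40_cbc_sha
ssl_rsa_export_with_rc4_40_md5 ssl_rsa_with_3des_ede_cbc_sha
ssl_rsa_with_des_cbc_sha ssl_rsa_with_null_md5 ssl_rsa_with_null_sha
ssl_rsa_with_rc4_128_md5 ssl_rsa_with_rc4_128_sha
tls_dh_anon_with_aes_128_cbc_sha tls_dhe_dss_with_aes_128_cbc_sha
tls_dhe_rsa_with_aes_128_cbc_sha tls_rsa_with_aes_128_cbc_sha
""".split()

# <protocol>_<key exchange>[_export]_with_<cipher>_<mac>
NAME = re.compile(r"^(ssl|tls)_(.+?)(_export)?_with_(.+)_(sha|md5)$")

def parse(suite):
    """Split a BAC cipher suite name into its components."""
    m = NAME.match(suite)
    if not m:
        raise ValueError(f"not a Table 4-5 style cipher suite name: {suite!r}")
    proto, kx, export, cipher, mac = m.groups()
    return {"protocol": proto, "key_exchange": kx, "export": bool(export),
            "cipher": cipher, "mac": mac}

def flags(suite):
    """Return the weaknesses the suite name itself reveals (example policy)."""
    p, out = parse(suite), []
    if p["key_exchange"].endswith("anon"):
        out.append("anonymous-dh")     # Caution above: neither party authenticated
    if p["export"]:
        out.append("export-grade")     # limited key sizes
    if p["cipher"] == "null":
        out.append("null-encryption")  # integrity only, no confidentiality
    if p["cipher"].startswith("des"):
        out.append("single-des")       # 56-bit key per Table 4-4 (40-bit for des40)
    if p["cipher"].startswith("rc4"):
        out.append("rc4")
    return out

def effective_suites(configured):
    """Values given to 'ssl cipher'; none configured means all-cipher-suites."""
    individual = [c for c in configured if c != "all-cipher-suites"]
    return individual if individual else list(TABLE_4_5)

def review(configured):
    """Map each negotiable suite that has at least one flag to its flags."""
    report = {}
    for suite in effective_suites(configured):
        found = flags(suite)
        if found:
            report[suite] = found
    return report

def enable_commands(service, num):
    """Enable lines for the unflagged suites, in this chapter's syntax."""
    return [f"service {service} {num} ssl cipher {s}"
            for s in TABLE_4_5 if not flags(s)]

if __name__ == "__main__":
    for suite, found in review([]).items():   # [] = default configuration
        print(f"{suite}: {', '.join(found)}")
    print("\n".join(enable_commands("cwmp", 2)))
```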



Posted: Thu Aug 31 21:41:11 PDT 2006
All contents are Copyright © 1992--2006 Cisco Systems, Inc. All rights reserved.