set cipher-suite

Function

The set cipher-suite command specifies encryption algorithms to be supported in an SSL cipher suite bound to an SSL policy.

The undo set cipher-suite command deletes encryption algorithms from an SSL cipher suite bound to an SSL policy.

By default, no encryption algorithms are supported in the SSL cipher suite bound to an SSL policy.

Format

set cipher-suite { tls1_ck_rsa_with_aes_256_sha | tls1_ck_rsa_with_aes_128_sha | tls1_ck_dhe_rsa_with_aes_256_sha | tls1_ck_dhe_dss_with_aes_256_sha | tls1_ck_dhe_rsa_with_aes_128_sha | tls1_ck_dhe_dss_with_aes_128_sha | tls12_ck_rsa_aes_128_cbc_sha | tls12_ck_rsa_aes_256_cbc_sha | tls12_ck_rsa_aes_128_cbc_sha256 | tls12_ck_rsa_aes_256_cbc_sha256 | tls12_ck_dhe_dss_aes_128_cbc_sha | tls12_ck_dhe_rsa_aes_128_cbc_sha | tls12_ck_dhe_dss_aes_256_cbc_sha | tls12_ck_dhe_rsa_aes_256_cbc_sha | tls12_ck_dhe_dss_aes_128_cbc_sha256 | tls12_ck_dhe_rsa_aes_128_cbc_sha256 | tls12_ck_dhe_dss_aes_256_cbc_sha256 | tls12_ck_dhe_rsa_aes_256_cbc_sha256 | tls12_ck_rsa_with_aes_128_gcm_sha256 | tls12_ck_rsa_with_aes_256_gcm_sha384 | tls12_ck_dhe_rsa_with_aes_128_gcm_sha256 | tls12_ck_dhe_rsa_with_aes_256_gcm_sha384 | tls12_ck_dhe_dss_with_aes_128_gcm_sha256 | tls12_ck_dhe_dss_with_aes_256_gcm_sha384 | tls12_ck_ecdhe_rsa_with_aes_128_gcm_sha256 | tls12_ck_ecdhe_rsa_with_aes_256_gcm_sha384 | tls13_aes_128_gcm_sha256 | tls13_aes_256_gcm_sha384 | tls13_chacha20_poly1305_sha256 | tls13_aes_128_ccm_sha256 }

undo set cipher-suite { tls1_ck_rsa_with_aes_256_sha | tls1_ck_rsa_with_aes_128_sha | tls1_ck_dhe_rsa_with_aes_256_sha | tls1_ck_dhe_dss_with_aes_256_sha | tls1_ck_dhe_rsa_with_aes_128_sha | tls1_ck_dhe_dss_with_aes_128_sha | tls12_ck_rsa_aes_128_cbc_sha | tls12_ck_rsa_aes_256_cbc_sha | tls12_ck_rsa_aes_128_cbc_sha256 | tls12_ck_rsa_aes_256_cbc_sha256 | tls12_ck_dhe_dss_aes_128_cbc_sha | tls12_ck_dhe_rsa_aes_128_cbc_sha | tls12_ck_dhe_dss_aes_256_cbc_sha | tls12_ck_dhe_rsa_aes_256_cbc_sha | tls12_ck_dhe_dss_aes_128_cbc_sha256 | tls12_ck_dhe_rsa_aes_128_cbc_sha256 | tls12_ck_dhe_dss_aes_256_cbc_sha256 | tls12_ck_dhe_rsa_aes_256_cbc_sha256 | tls12_ck_rsa_with_aes_128_gcm_sha256 | tls12_ck_rsa_with_aes_256_gcm_sha384 | tls12_ck_dhe_rsa_with_aes_128_gcm_sha256 | tls12_ck_dhe_rsa_with_aes_256_gcm_sha384 | tls12_ck_dhe_dss_with_aes_128_gcm_sha256 | tls12_ck_dhe_dss_with_aes_256_gcm_sha384 | tls12_ck_ecdhe_rsa_with_aes_128_gcm_sha256 | tls12_ck_ecdhe_rsa_with_aes_256_gcm_sha384 | tls13_aes_128_gcm_sha256 | tls13_aes_256_gcm_sha384 | tls13_chacha20_poly1305_sha256 | tls13_aes_128_ccm_sha256 }

Parameters

Parameter | Description | Value
tls1_ck_rsa_with_aes_256_sha | Supports the TLS1_CK_RSA_WITH_AES_256_SHA algorithm. | -
tls1_ck_rsa_with_aes_128_sha | Supports the TLS1_CK_RSA_WITH_AES_128_SHA algorithm. | -
tls1_ck_dhe_rsa_with_aes_256_sha | Supports the TLS1_CK_DHE_RSA_WITH_AES_256_SHA algorithm. | -
tls1_ck_dhe_dss_with_aes_256_sha | Supports the TLS1_CK_DHE_DSS_WITH_AES_256_SHA algorithm. | -
tls1_ck_dhe_rsa_with_aes_128_sha | Supports the TLS1_CK_DHE_RSA_WITH_AES_128_SHA algorithm. | -
tls1_ck_dhe_dss_with_aes_128_sha | Supports the TLS1_CK_DHE_DSS_WITH_AES_128_SHA algorithm. | -
tls12_ck_rsa_aes_128_cbc_sha | Supports the TLS12_CK_RSA_AES_128_CBC_SHA algorithm. | -
tls12_ck_rsa_aes_256_cbc_sha | Supports the TLS12_CK_RSA_AES_256_CBC_SHA algorithm. | -
tls12_ck_rsa_aes_128_cbc_sha256 | Supports the TLS12_CK_RSA_AES_128_CBC_SHA256 algorithm. | -
tls12_ck_rsa_aes_256_cbc_sha256 | Supports the TLS12_CK_RSA_AES_256_CBC_SHA256 algorithm. | -
tls12_ck_dhe_dss_aes_128_cbc_sha | Supports the TLS12_CK_DHE_DSS_AES_128_CBC_SHA algorithm. | -
tls12_ck_dhe_rsa_aes_128_cbc_sha | Supports the TLS12_CK_DHE_RSA_AES_128_CBC_SHA algorithm. | -
tls12_ck_dhe_dss_aes_256_cbc_sha | Supports the TLS12_CK_DHE_DSS_AES_256_CBC_SHA algorithm. | -
tls12_ck_dhe_rsa_aes_256_cbc_sha | Supports the TLS12_CK_DHE_RSA_AES_256_CBC_SHA algorithm. | -
tls12_ck_dhe_dss_aes_128_cbc_sha256 | Supports the TLS12_CK_DHE_DSS_AES_128_CBC_SHA256 algorithm. | -
tls12_ck_dhe_rsa_aes_128_cbc_sha256 | Supports the TLS12_CK_DHE_RSA_AES_128_CBC_SHA256 algorithm. | -
tls12_ck_dhe_dss_aes_256_cbc_sha256 | Supports the TLS12_CK_DHE_DSS_AES_256_CBC_SHA256 algorithm. | -
tls12_ck_dhe_rsa_aes_256_cbc_sha256 | Supports the TLS12_CK_DHE_RSA_AES_256_CBC_SHA256 algorithm. | -
tls12_ck_rsa_with_aes_128_gcm_sha256 | Supports the TLS12_CK_RSA_WITH_AES_128_GCM_SHA256 algorithm. | -
tls12_ck_rsa_with_aes_256_gcm_sha384 | Supports the TLS12_CK_RSA_WITH_AES_256_GCM_SHA384 algorithm. | -
tls12_ck_dhe_rsa_with_aes_128_gcm_sha256 | Supports the TLS12_CK_DHE_RSA_WITH_AES_128_GCM_SHA256 algorithm. | -
tls12_ck_dhe_rsa_with_aes_256_gcm_sha384 | Supports the TLS12_CK_DHE_RSA_WITH_AES_256_GCM_SHA384 algorithm. | -
tls12_ck_dhe_dss_with_aes_128_gcm_sha256 | Supports the TLS12_CK_DHE_DSS_WITH_AES_128_GCM_SHA256 algorithm. | -
tls12_ck_dhe_dss_with_aes_256_gcm_sha384 | Supports the TLS12_CK_DHE_DSS_WITH_AES_256_GCM_SHA384 algorithm. | -
tls12_ck_ecdhe_rsa_with_aes_128_gcm_sha256 | Supports the TLS12_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256 algorithm. | -
tls12_ck_ecdhe_rsa_with_aes_256_gcm_sha384 | Supports the TLS12_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384 algorithm. | -
tls13_aes_128_gcm_sha256 | Supports the TLS1_3_RFC_AES_128_GCM_SHA256 algorithm. | -
tls13_aes_256_gcm_sha384 | Supports the TLS1_3_RFC_AES_256_GCM_SHA384 algorithm. | -
tls13_chacha20_poly1305_sha256 | Supports the TLS1_3_RFC_CHACHA20_POLY1305_SHA256 algorithm. | -
tls13_aes_128_ccm_sha256 | Supports the TLS1_3_RFC_AES_128_CCM_SHA256 algorithm. | -

Views

SSL cipher suite view

Default Level

3: Management level

Task Name and Operations

Task Name | Operations
ssl | write

Usage Guidelines

Usage Scenario

When a server authenticates a client, an SSL cipher suite is provided for SSL algorithm negotiation. To specify encryption algorithms supported in an SSL cipher suite bound to an SSL policy, run the set cipher-suite command.

Prerequisites

An SSL cipher suite bound to an SSL policy has been created using the ssl cipher-suite-list command.

Precautions

  • If only the RSA algorithm is specified in an SSL cipher suite and the cipher-suite exclude key-exchange rsa command is run to exclude the RSA key exchange algorithm from an SSL policy, running the binding cipher-suite-customization customization-name command fails because no available algorithm is specified in the SSL cipher suite. Before you run the cipher-suite exclude key-exchange rsa command, ensure that at least one non-RSA encryption algorithm has been specified in the SSL cipher suite.
  • A single algorithm can be added each time the cipher-suite exclude key-exchange rsa command is run. Run this command repeatedly to specify more algorithms in the SSL cipher suite bound to an SSL policy.
  • A single algorithm can be deleted each time the undo cipher-suite exclude key-exchange rsa command is run. Run this command repeatedly to delete multiple algorithms from the SSL cipher suite bound to an SSL policy.
  • The following algorithms are not secure and are not recommended: tls12_ck_dhe_dss_aes_128_cbc_sha, tls12_ck_dhe_dss_aes_128_cbc_sha256, tls12_ck_dhe_dss_aes_256_cbc_sha, tls12_ck_dhe_dss_aes_256_cbc_sha256, tls12_ck_dhe_rsa_aes_128_cbc_sha, tls12_ck_dhe_rsa_aes_128_cbc_sha256, tls12_ck_dhe_rsa_aes_256_cbc_sha, tls12_ck_dhe_rsa_aes_256_cbc_sha256, tls12_ck_rsa_aes_128_cbc_sha, tls12_ck_rsa_aes_128_cbc_sha256, tls12_ck_rsa_aes_256_cbc_sha, tls12_ck_rsa_aes_256_cbc_sha256, tls12_ck_rsa_with_aes_128_gcm_sha256, tls12_ck_rsa_with_aes_256_gcm_sha384, tls12_ck_ecdhe_rsa_with_aes_128_gcm_sha256, tls12_ck_ecdhe_rsa_with_aes_256_gcm_sha384, tls1_ck_dhe_dss_with_aes_128_sha, tls1_ck_dhe_dss_with_aes_256_sha, tls1_ck_dhe_rsa_with_aes_128_sha, tls1_ck_dhe_rsa_with_aes_256_sha, tls1_ck_rsa_with_aes_128_sha, tls1_ck_rsa_with_aes_256_sha.
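The two checks implied by the precautions above, as an added example that is not part of the original Huawei documentation: it replays set cipher-suite and undo set cipher-suite lines from a configuration snippet, flags keywords on the not-recommended list, and reports whether any algorithm would remain once RSA key exchange is excluded. The sample configuration is constructed, and treating keywords of the form tls1_ck_rsa_* and tls12_ck_rsa_* as RSA key exchange suites is an assumption based on their names.

```python
import re

# Keywords the Precautions above list as not secure and not recommended.
NOT_RECOMMENDED = set("""
tls12_ck_dhe_dss_aes_128_cbc_sha tls12_ck_dhe_dss_aes_128_cbc_sha256 tls12_ck_dhe_dss_aes_256_cbc_sha
tls12_ck_dhe_dss_aes_256_cbc_sha256 tls12_ck_dhe_rsa_aes_128_cbc_sha tls12_ck_dhe_rsa_aes_128_cbc_sha256
tls12_ck_dhe_rsa_aes_256_cbc_sha tls12_ck_dhe_rsa_aes_256_cbc_sha256 tls12_ck_rsa_aes_128_cbc_sha
tls12_ck_rsa_aes_128_cbc_sha256 tls12_ck_rsa_aes_256_cbc_sha tls12_ck_rsa_aes_256_cbc_sha256
tls12_ck_rsa_with_aes_128_gcm_sha256 tls12_ck_rsa_with_aes_256_gcm_sha384
tls12_ck_ecdhe_rsa_with_aes_128_gcm_sha256 tls12_ck_ecdhe_rsa_with_aes_256_gcm_sha384
tls1_ck_dhe_dss_with_aes_128_sha tls1_ck_dhe_dss_with_aes_256_sha tls1_ck_dhe_rsa_with_aes_128_sha
tls1_ck_dhe_rsa_with_aes_256_sha tls1_ck_rsa_with_aes_128_sha tls1_ck_rsa_with_aes_256_sha
""".split())

# Matches "set cipher-suite X" and "undo set cipher-suite X", with or without a CLI prompt.
LINE_RE = re.compile(r"^\s*(?:[\[<][^\]>]*[\]>]\s*)?(undo\s+)?set\s+cipher-suite\s+(\S+)\s*$")

def parse_suites(config_text):
    """Replay the set/undo lines in order and return the resulting keyword list."""
    suites = []
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name = m.group(2).lower()
        if m.group(1):
            suites = [s for s in suites if s != name]
        elif name not in suites:
            suites.append(name)
    return suites

def is_rsa_key_exchange(name):
    # Assumption: tls1_ck_rsa_* / tls12_ck_rsa_* keywords (no dhe/ecdhe) use RSA key exchange.
    return re.match(r"tls1\d*_ck_rsa_", name) is not None

def audit(config_text):
    suites = parse_suites(config_text)
    return {
        "suites": suites,
        "not_recommended": [s for s in suites if s in NOT_RECOMMENDED],
        "usable_after_rsa_exclusion": any(not is_rsa_key_exchange(s) for s in suites),
    }

# Constructed sample: an RSA-only list, the failure case the first precaution describes.
RSA_ONLY = """ssl cipher-suite-list rsa-only
 set cipher-suite tls12_ck_rsa_aes_128_cbc_sha256
 set cipher-suite tls12_ck_rsa_with_aes_256_gcm_sha384
"""

print(audit(RSA_ONLY))
```

A result with usable_after_rsa_exclusion set to False corresponds to the case in which the binding command fails because no available algorithm is left in the list.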

Example

# Specify TLS12_CK_DHE_DSS_WITH_AES_128_GCM_SHA256 and TLS12_CK_DHE_DSS_WITH_AES_256_GCM_SHA384 in an SSL cipher suite named test bound to an SSL policy.
<HUAWEI> system-view
[~HUAWEI] ssl cipher-suite-list test
[*HUAWEI-ssl-cipher-suite-list-test] set cipher-suite tls12_ck_dhe_dss_with_aes_128_gcm_sha256
[*HUAWEI-ssl-cipher-suite-list-test] set cipher-suite tls12_ck_dhe_dss_with_aes_256_gcm_sha384
Copyright © Huawei Technologies Co., Ltd.