cipher-suite support

Function

The cipher-suite support command configures the supported cipher suite.

The undo cipher-suite support command deletes the supported cipher suite.

By default, the HTTPS redirection function does not support any cipher suite.

This command is supported only on the NetEngine 8000 F1A.

Format

cipher-suite support suite-code &<1-6>

undo cipher-suite support [ suite-code &<1-6> ]

Parameters

Parameter: support suite-code

Description: Specifies the IANA code of the cipher suite.

Value: The value can be one of the following:

  • 002f: The suite is named TLS_RSA_WITH_AES_128_CBC_SHA (TLS1.2). The key exchange algorithm is RSA. The symmetric encryption algorithm is AES_128_CBC. The digest algorithm is SHA.
  • 0035: The suite is named TLS_RSA_WITH_AES_256_CBC_SHA (TLS1.2). The key exchange algorithm is RSA. The symmetric encryption algorithm is AES_256_CBC. The digest algorithm is SHA.
  • c02b: The suite is named TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (TLS1.2). The key exchange algorithm is ECDHE_ECDSA. The symmetric encryption algorithm is AES_128_GCM. The digest algorithm is SHA256.
  • c02f: The suite is named TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (TLS1.2). The key exchange algorithm is ECDHE_RSA. The symmetric encryption algorithm is AES_128_GCM. The digest algorithm is SHA256.
  • 1301: The suite is named TLS_AES_128_GCM_SHA256 (TLS1.3). The symmetric encryption algorithm is AES_128_GCM. The digest algorithm is SHA256.
  • 1302: The suite is named TLS_AES_256_GCM_SHA384 (TLS1.3). The symmetric encryption algorithm is AES_256_GCM. The digest algorithm is SHA384.

Among them:

RSA, ECDHE_RSA, and ECDHE_ECDSA are key exchange algorithms.

AES_128_CBC, AES_256_CBC, AES_128_GCM, and AES_256_GCM are symmetric encryption algorithms.

SHA, SHA256, and SHA384 are digest algorithms.

Views

HTTPS redirect view

Default Level

3: Management level

Task Name and Operations

Task Name: portal

Operations: write

Usage Guidelines

Usage Scenario

In HTTPS redirection scenarios, this command must be run to select a cipher suite. Otherwise, the HTTPS redirection function is unavailable.

The rule for selecting a cipher suite by priority is as follows: the protocol version is determined from the packets sent by the user. Within the cipher suites of that protocol version, a suite configured earlier is selected with higher priority.

If multiple cipher suites are supported, for example, if the cipher-suite support 002f 0035 c02f 1301 1302 command is run, a cipher suite is selected by priority based on the following rules:

  • If the protocol version is TLS1.3, a cipher suite is selected only among the ones supported in TLS1.3. In this case, the cipher suites that take effect on the device are TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384, in that order (from high priority to low priority). If no TLS1.3 cipher suite matches, a cipher suite of a lower TLS version can be selected based on the supported_versions extension carried in the packets.
  • If the protocol version is TLS1.2, a cipher suite is selected only among the ones supported in TLS1.2. In this case, the cipher suites that take effect on the device are TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, in that order (from high priority to low priority).
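The selection rule above, modelled as an added example that is not Huawei's code: the suite table comes from this page, while the shape of the client offer (a supported_versions list and a list of offered suite codes) is a constructed simplification of a ClientHello.

```python
# Added illustration (not Huawei's code) of the priority rule used by
# "cipher-suite support": within the negotiated protocol version, the suite
# configured earliest wins; if no suite of that version matches, the next
# version from the client's supported_versions extension is tried.
SUITES = {  # IANA code -> (name, protocol version), as listed on this page
    "002f": ("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS1.2"),
    "0035": ("TLS_RSA_WITH_AES_256_CBC_SHA", "TLS1.2"),
    "c02b": ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS1.2"),
    "c02f": ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS1.2"),
    "1301": ("TLS_AES_128_GCM_SHA256", "TLS1.3"),
    "1302": ("TLS_AES_256_GCM_SHA384", "TLS1.3"),
}
LOW_SECURITY = {"002f", "0035"}  # rated low security under Precautions


def select_suite(configured, client_versions, client_suites):
    """Return (code, name, version) for the selected suite, or None.

    configured      -- codes in the order given to "cipher-suite support"
                       (earlier configuration = higher priority)
    client_versions -- constructed stand-in for supported_versions,
                       highest version first, e.g. ["TLS1.3", "TLS1.2"]
    client_suites   -- codes the client offers
    """
    for code in configured:
        if code.lower() not in SUITES:
            raise ValueError(f"unknown suite code {code}")
    offered = {code.lower() for code in client_suites}
    # Highest protocol version first; degrade only when nothing matches.
    for version in client_versions:
        for code in configured:
            code = code.lower()
            name, suite_version = SUITES[code]
            if suite_version == version and code in offered:
                return code, name, version
    return None


def weak_suites(configured):
    """Configured codes this page rates as low security (002f, 0035)."""
    return [c for c in configured if c.lower() in LOW_SECURITY]


if __name__ == "__main__":
    # Constructed scenario matching the page's example command:
    # cipher-suite support 002f 0035 c02f 1301 1302
    cfg = ["002f", "0035", "c02f", "1301", "1302"]
    print(select_suite(cfg, ["TLS1.3", "TLS1.2"], ["1302", "1301", "c02f"]))
    print(select_suite(cfg, ["TLS1.3", "TLS1.2"], ["c02f", "0035"]))
    print(weak_suites(cfg))
```

Note that a client offering both TLS1.3 suites receives 1301, not the stronger 1302, purely because 1301 was configured first; reorder the command if the security-strength ordering from Precautions is wanted.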

Precautions

  • In VS mode, this command applies only to the admin VS.
  • The cipher suites 002f and 0035 provide low security levels. Other cipher suites are recommended.
  • TLS1.2 cipher suites:

    Cipher suites are selected in the following priority sequence based on security strength: c02f > 0035 > 002f.

    Cipher suites are selected in the following priority sequence based on redirection performance: 002f > 0035 > c02f.
  • TLS1.3 cipher suites:

    Cipher suites are selected in the following priority sequence based on security strength: 1302 > 1301.

    Cipher suites are selected in the following priority sequence based on redirection performance: 1301 > 1302.

Example

# Configure the cipher suite supported by HTTPS redirection as c02f.
<HUAWEI> system-view
[~HUAWEI] access https-redirect
[~HUAWEI-access-https-redirect] cipher-suite support c02f
Copyright © Huawei Technologies Co., Ltd.