This section describes the use of ciphers for SSL connections with the Server. For the procedure for configuring SSL on EFT Server, refer to Configuring SSL.
In the administration interface, you can specify symmetric key cipher(s) and the ordering of those ciphers for establishing SSL sessions. EFT Server validates inbound SSL sessions, and allows or denies connections based on specified or approved ciphers.
If FIPS mode is enabled for SSL connections, only FIPS-approved SSL ciphers are available.
PCI DSS 4.1 states that you should use strong ciphers and protocol versions. On a PCI DSS Site, if you attempt to specify weak ciphers or protocol versions, or to create a cipher string manually, the Server prompts you either to correct it or to continue with a stated reason. When using the GSCM, the Server enforces the use of specific algorithms for FIPS mode.
EFT Server provides two choices for specifying ciphers:
A point-and-click cipher selection list box interface (Option A)
A more powerful string-based cipher selection interface that uses the parameterized cipher string (Option B) for creating an ordered SSL cipher preference list per http://www.openssl.org/docs/apps/ciphers.html.
If Option A (below) is used to specify more than one approved cipher, and the connecting client has in its list one or more ciphers that are also on EFT Server’s approved list, EFT Server selects and uses the cipher based on ordering (priority) shown in the list box.
If Option B (below) is used, then cipher negotiation uses the ordering defined by the user in the cipher string (for example, @STRENGTH) or, if no ordering was defined, the default ordering.
If Select from list is selected (selected by default), the user can choose from a multi-selection list box showing 128-bit and higher ciphers available from the OpenSSL library.
The default list, ordering, and enabled/disabled state are shown in the table below.
Name in the Cipher List | OpenSSL Name    | Enabled by default
------------------------|-----------------|-------------------
AES 256 bit             | AES256-SHA      | Yes
Camellia 256 bit        | CAMELLIA256-SHA | Yes
3DES 168 bit            | DES-CBC3-SHA    | Yes
AES 128 bit             | AES128-SHA      | Yes
IDEA 128 bit            | IDEA-CBC-SHA    | Yes
RC4 128 bit             | RC4-MD5         | Yes
Export (40-56 bit)      | EXP             | No
At least one check box must be selected.
Refer to FIPS-Certified Library for SSL Connections for information about ciphers that you can use when FIPS is enabled for SSL.
The user may optionally enter ciphers in the cipher string field. When Manually specify ciphers is selected, the Select from list box is disabled, because the advanced cipher-string list takes precedence over the ciphers in the Select from list box. In the Manually specify ciphers box, type a string that will be passed directly to the SSL library. For example:
ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH or ALL:!ADH:HIGH:@STRENGTH.
EFT Server validates the cipher string against the SSL library once, when you click Apply or leave the Security tab. If the string is faulty, EFT Server returns an error indicating that validation failed and, if available, the reason.
After the prompt appears and you click OK or Cancel, the prompt closes but does not clear the cipher string, so you can refine it if needed. Changes cannot be applied until the string is valid or you have reverted to the click/select cipher list instead of the advanced string.
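The validation step described above is the same check any OpenSSL-backed program can run before applying a cipher string. The following added example (not EFT Server code; it uses Python's standard ssl module on top of the local OpenSSL build) expands a cipher string into the ordered list the library would negotiate from, reports a faulty string the way the library does, and flags suites a PCI DSS site should not offer. The weak-cipher markers are an assumption chosen from the legacy rows of the table above.

```python
import ssl

# Added example, not EFT Server code: ask the local OpenSSL build to expand a
# cipher-preference string and review what it actually enables.

# Name fragments marking legacy suites from the "Select from list" table
# (RC4-MD5, DES-CBC3-SHA, EXP) plus NULL-encryption suites (assumed list).
WEAK_NAME_MARKERS = ("RC4", "DES", "EXP", "NULL", "MD5")


def expand_cipher_string(cipher_string):
    """Return the ordered cipher records OpenSSL derives from the string.
    A faulty string raises ssl.SSLError, the same library check that fails
    when an invalid string is applied."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def is_weak(cipher):
    """Flag a cipher record (shape of SSLContext.get_ciphers() entries):
    under 128 bits of strength, anonymous (unauthenticated) key exchange,
    or a legacy algorithm in its name."""
    name = cipher["name"].upper()
    return (cipher["strength_bits"] < 128
            or "Au=None" in cipher["description"]
            or any(marker in name for marker in WEAK_NAME_MARKERS))


def review_cipher_string(cipher_string):
    """Validate a string as the server would and report the enabled order
    and any weak suites. The outcome depends on the OpenSSL build in use:
    a build compiled without RC4 or export suites cannot enable them."""
    try:
        ciphers = expand_cipher_string(cipher_string)
    except ssl.SSLError as exc:
        return {"valid": False, "error": str(exc), "ciphers": [], "weak": []}
    return {
        "valid": True,
        "error": "",
        "ciphers": [c["name"] for c in ciphers],  # negotiation preference order
        "weak": [c["name"] for c in ciphers if is_weak(c)],
    }


if __name__ == "__main__":
    for s in ("ALL:!ADH:HIGH:@STRENGTH", "NOT_A_CIPHER"):
        r = review_cipher_string(s)
        print(s, "->", "valid" if r["valid"] else "invalid: " + r["error"])
        print("  enabled:", ", ".join(r["ciphers"][:5]), "...")
        print("  weak:", r["weak"] or "none")
```

Note that get_ciphers() also lists the TLS 1.3 suites, which a cipher string does not control, so the first entries may not follow the @STRENGTH ordering of the rest.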