Scannex ip.buffer User Manual
© UK 2007-2021 Scannex Electronics Ltd. All rights reserved worldwide.
8.2.12. Ciphers override strings
Predefined sets:
• “def…” = No DHE/RSA key exchange, no 3DES.
• “good” = good and fast security. No RC4, no MD5, no 3DES
• “strong” = strong and slow security. DHE-RSA key exchange (very slow), 256-bit only, no RC4, no 3DES, no HMAC-MD5, no HMAC-SHA1
• “all” = all available cipher-suites
• “128…” = only 128-bit cipher suites
• “256…” = only 256-bit cipher suites
• “rc4…” = only RC4 based cipher suites (not recommended)
• “aes…” = only AES based cipher suites
• “3des…” = only triple-DES based cipher suites (not recommended)
• “none” = no cipher suites – extend using modifiers
Modifiers should be prefixed with either “+” or “-”. A plus sign will add the modified set,
while a minus sign will remove the set from the list:
• “±ecdhe” = ECDHE (elliptic curve)/RSA key exchange (strong & slow)
• “±ecdsa” = ECDHE (elliptic curve)/ECDSA key exchange (strong & slow)
• “±ec” = abbreviation for elliptic curves (ECDHE & ECDSA)
• “±dhe” = DHE/RSA key exchange (strong & slow)
• “±rsa” = RSA key exchange
• “±aes” = AES based symmetric ciphers
• “±rc4” = RC4 based symmetric ciphers (very weak - not recommended)
• “±3des” = Triple-DES based symmetric ciphers (very weak – not recommended)
• “±256” = 256-bit ciphers
• “±128” = 128-bit ciphers
• “±cbc” = Cipher Block Chaining mode symmetric ciphers
• “±gcm” = Galois/Counter Mode symmetric ciphers
• “±md5” = MD-5 HMAC (very weak)
• “±sha1” = SHA-1 HMAC (weak)
• “±sha256” = SHA-256 HMAC
45 Windows XP machines running older Chrome browsers may fail to connect when attempting to use
SHA-256. Older machines and browsers may also need HMAC-SHA-1 to be enabled.
46 For ip.buffer-as-a-server: requires an ECDSA certificate and key to be pre-loaded.
For ip.buffer-as-client: requires your server to have an ECDSA certificate.
Normally, RSA keys are used.
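An added example (not from the Scannex manual or firmware): a small Python linter that flags override strings naming a set that the lists above rate weak or not recommended. It assumes the string is a predefined set name followed directly by its +/- modifiers (for example `strong+sha1`), that sets written with a trailing “…” match by prefix, and that modifiers apply left to right; `parse` and `audit` are hypothetical names.

```python
import re

# Weak families and their ratings, worded as in the manual's modifier list.
WEAK = {"rc4": "very weak - not recommended", "3des": "very weak - not recommended",
        "md5": "very weak", "sha1": "weak"}
EXACT_SETS = ("good", "strong", "all", "none")
# Sets the manual writes with a trailing "…"; matched by prefix here (assumption).
PREFIX_SETS = ("def", "128", "256", "rc4", "aes", "3des")
MODIFIERS = {"ecdhe", "ecdsa", "ec", "dhe", "rsa", "aes", "rc4", "3des",
             "256", "128", "cbc", "gcm", "md5", "sha1", "sha256"}
# Weak families a predefined set is itself made of, per its description.
BASE_WEAK = {"all": set(WEAK), "rc4": {"rc4"}, "3des": {"3des"}}


def parse(override):
    """Split e.g. 'good+ecdhe-sha1' into ('good', [('+', 'ecdhe'), ('-', 'sha1')])."""
    text = override.strip().lower()
    m = re.fullmatch(r"([^+\-\s]+)((?:\s*[+-]\s*[^+\-\s]+)*)", text)
    if not m:
        raise ValueError(f"malformed override string: {override!r}")
    word = m.group(1)
    if word in EXACT_SETS:
        base = word
    else:
        base = next((p for p in PREFIX_SETS if word.startswith(p)), None)
    if base is None:
        raise ValueError(f"unknown predefined set: {word!r}")
    mods = re.findall(r"([+-])\s*([^+\-\s]+)", m.group(2))
    unknown = [name for _, name in mods if name not in MODIFIERS]
    if unknown:
        raise ValueError(f"unknown modifier(s): {unknown}")
    return base, mods


def audit(override):
    """Return {family: rating} for weak families the string names and never removes."""
    base, mods = parse(override)
    enabled = set(BASE_WEAK.get(base, ()))
    for sign, name in mods:  # applied left to right (assumption)
        if name in WEAK:
            (enabled.add if sign == "+" else enabled.discard)(name)
    return {name: WEAK[name] for name in sorted(enabled)}


if __name__ == "__main__":
    # Constructed sample strings, not taken from a real device configuration.
    for s in ("good", "strong+sha1", "all-rc4-3des-md5", "none+ecdhe+aes+gcm+sha256"):
        print(f"{s:28} -> {audit(s) or 'no weak family named'}")
```

The linter only tracks families the string names explicitly; which suites a predefined set such as “def…” or “128…” contains beyond its description is not modelled, so confirm the negotiated suites against the device itself.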