Table Of Contents
HTTPS—HTTP Server and Client with SSL 3.0
Prerequisites for HTTPS—HTTP Server and Client with SSL 3.0
Restrictions for HTTPS—HTTP Server and Client with SSL 3.0
Information About HTTPS—HTTP Server and Client with SSL 3.0
Secure HTTP Server and Secure HTTP Client
Certificate Authority Trustpoints
How to Configure the HTTPS—HTTP Server and Client with SSL 3.0
Declaring a Certificate Authority Trustpoint
Configuring the HTTPS Server with SSL 3.0
Configuring Standard and Secure HTTP Server Options
Configuring the HTTPS Client with SSL 3.0
Configuration Examples for the HTTPS—HTTP Server and Client with SSL 3.0 feature
ip http client secure-ciphersuite
ip http client secure-trustpoint
show ip http client secure status
show ip http server secure status
Feature Information for HTTPS—HTTP Server and Client with SSL 3.0
HTTPS—HTTP Server and Client with SSL 3.0
First Published: March 31, 2003Last Updated: August 6, 2007The HTTPS—HTTP Server and Client with SSL 3.0 feature provides Secure Socket Layer (SSL) version 3.0 support for the HTTP 1.1 server and HTTP 1.1 client within Cisco IOS software. SSL provides server authentication, encryption, and message integrity to allow secure HTTP communications. SSL also provides HTTP client authentication. HTTP over SSL is abbreviated as HTTPS.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for HTTPS—HTTP Server and Client with SSL 3.0" section.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
Prerequisites for HTTPS—HTTP Server and Client with SSL 3.0
•
•
•
•
Prerequisites for HTTPS—HTTP Server and Client with SSL 3.0
To enable secure HTTP connections (encryption) without a configured certificate authority trustpoint, you must first ensure that each device has the key (such as a Rivest, Shamir, and Adleman [RSA] public key or a shared key) of the other device. In most cases, an RSA key pair will be generated automatically. The RSA key pair is used for creating a self-signed certificate (which is also generated automatically).
Restrictions for HTTPS—HTTP Server and Client with SSL 3.0
The HTTPS—HTTP Server and Client with SSL 3.0 feature is available only in Cisco IOS software images that support SSL. SSL is supported in "IPSec 56" (contains "k8" in the image name) and "IPSec 3DES" images (contains "k9" in the image name). "IPSec 56" images provide up to 64-bit encryption, "IPSec 3 DES" images provide greater than 64-bit encryption. The following CipherSuites are supported in IPSec Data Encryption Standard (DES) images:
•
•
•
•
For IPSec 56 images, only the SSL_RSA_WITH_DES_CBC_SHA CipherSuite is supported. For further details on these CipherSuites, see the SSL Protocol Version 3.0 Internet-Draft document (see the "Related Documents" section).
RSA (in conjunction with the specified encryption and digest algorithm combinations) is used for both key generation and authentication on SSL connections. This usage is independent of whether a certificate authority (CA) trustpoint is configured.
Information About HTTPS—HTTP Server and Client with SSL 3.0
To configure the HTTP with SSL 3.0 (HTTPS) feature, you should understand the following concepts:
•
•
Secure HTTP Server and Secure HTTP Client
A secure HTTP connection means that data sent to and received from an HTTP server are encrypted before being sent out over the Internet. HTTP with SSL encryption provides a secure connection to allow such functions as configuring a router from a web browser. Cisco's implementation of the secure HTTP server and secure HTTP client uses an implementation of the SSL version 3.0. Application layer encryption provides an alternative to older methods such as having to set up a tunnel to the HTTP server for remote management. HTTP over SSL is abbreviated as HTTPS; the URL of a secure connection will begin with https:// instead of http://.
The Cisco IOS HTTP secure server's primary role is to listen for HTTPS requests on a designated port (the default HTTPS port is 443) and to pass the request to the HTTP 1.1 web server. The HTTP 1.1 server processes requests and passes responses (served pages) back to the HTTP secure server, which, in turn, responds to the original request.
The Cisco IOS HTTP secure client's primary role is to respond to Cisco IOS application requests for HTTPS User Agent services, perform HTTPS User Agent services on the application's behalf, and pass the response back to the application.
Certificate Authority Trustpoints
Certificate authorities (CAs) are responsible for managing certificate requests and issuing certificates to participating IPSec network devices. These services provide centralized security key and certificate management for the participating devices. Specific CA servers are referred to as "trustpoints."
The HTTPS server provides a secure connection by providing a certified X.509v3 certificate to the client when a connection attempt is made. The certified X.509v3 certificate is obtained from a specified CA trustpoint. The client (usually a web browser), in turn, has a public key that allows it to authenticate the certificate.
Configuring a CA trustpoint is highly recommended for secure HTTP connections. However, if a CA trustpoint is not configured for the routing device running the HTTPS server, the server will certify itself and generate the needed RSA key pair. Because a self-certified (self-signed) certificate does not provide adequate security, the connecting client will generate a notification that the certificate is self-certified, and the user will have the opportunity to accept or reject the connection. This option is available for internal network topologies (such as testing).
The HTTPS—HTTP Server and Client with SSL 3.0 feature also provides an optional command (ip http secure-client-auth) that, when enabled, has the HTTPS server request an X.509v3 certificate from the client. Authenticating the client provides more security than server authentication by itself.
For additional information on certificate authorities, see the "Configuring Certification Authority Interoperability" chapter in the Cisco IOS Security Configuration Guide.
CipherSuites
A CipherSuite specifies the encryption algorithm and digest algorithm to use on an SSL connection. Web browsers offer a list of supported CipherSuites when connecting to the HTTPS server, and the client and server will negotiate the best encryption algorithm to use from those that are supported by both. For example, Netscape Communicator 4.76 supports U.S. security with RSA Public Key Cryptography, MD2, MD5, RC2-CBC, RC4, DES-CBC, and DES-EDE3-CBC.
For the best possible encryption, you should use a browser that supports 128-bit encryption, such as Microsoft Internet Explorer version 5.5 (or later), or Netscape Communicator version 4.76 (or later). The SSL_RSA_WITH_DES_CBC_SHA CipherSuite provides less security than the other CipherSuites, because it does not offer 128-bit encryption.
In terms of router processing load (speed), the following list ranks the CipherSuites from fastest to slowest (slightly more processing time is required for the more secure and more complex CipherSuites):
1.
2.
3.
4.
How to Configure the HTTPS—HTTP Server and Client with SSL 3.0
To configure the HTTPS—HTTP Server and Client with SSL 3.0 feature, complete the procedures in the following sections:
•
•
•
•
Declaring a Certificate Authority Trustpoint
Configuring a CA trustpoint is highly recommended for secure HTTP connections. The certified X.509v3 certificate for the secure HTTP server (or client) is obtained from the specified CA trustpoint. If you do not declare a CA trustpoint, then a self-signed certificate will be used for secure HTTP connections. The self-signed certificate is generated automatically.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
or
copy system:running-config nvram:startup-configDETAILED STEPS
Configuring the HTTPS Server with SSL 3.0
To disable the standard HTTP server and configure the HTTPS server with SSL 3.0, complete the procedures in this section.
Prerequisites
If a certificate authority is to be used for certification, you should declare the CA trustpoint on the routing device before enabling the secure HTTP server.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
DETAILED STEPS
What to Do Next
To verify the configuration of the HTTPS server, connect to the router running the HTTPS server with a web browser by entering https://url, where url is the IP address or hostname of the router. If a port other than the default port is configured (using the ip http secure-port command), you must also specify the port number after the URL. For example:
https://209.165.202.129:1026or
https://host.domain.com:1026Generally, you can verify that you have a secure connection to an HTTP server by looking for an image of a padlock at the bottom of your browser window. Also note that secure HTTP connections have a URL that starts with "https:" instead of "http:".
Configuring Standard and Secure HTTP Server Options
The configuration of the standard HTTP server applies to the secure HTTP server as well. The following optional commands are standard HTTP server commands that provide additional security and efficiency to both the standard HTTP server and the HTTPS server.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Configuring the HTTPS Client with SSL 3.0
To configure the HTTPS client with SSL 3.0, complete the procedures in this section.
Prerequisites
The standard HTTP client and the secure HTTP client are always enabled.
A certificate authority is required for secure HTTP client certification; the following steps assume that you have previously declared a CA trustpoint on the routing device. If a CA trustpoint is not configured, and the remote HTTPS server requires client authentication, connections to the secure HTTP client will fail.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Configuration Examples for the HTTPS—HTTP Server and Client with SSL 3.0 feature
The following example shows a configuration session in which the secure HTTP server is enabled, the port for the secure HTTP server is configured as 1025, and the remote CA trustpoint server "CA-trust-local" is used for certification.
Router# show ip http server statusHTTP server status: DisabledHTTP server port: 80HTTP server authentication method: enableHTTP server access class: 0HTTP server base path:Maximum number of concurrent server connections allowed: 5Server idle time-out: 600 secondsServer life time-out: 600 secondsMaximum number of requests allowed on a connection: 1HTTP secure server capability: PresentHTTP secure server status: DisabledHTTP secure server port: 443HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-12aHTTP secure server client authentication: DisabledHTTP secure server trustpoint:Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# ip http secure-serverRouter(config)# ip http client secure-trustpoint CA-trust-localRouter(config)# ip http secure-port 1024Invalid secure port value.Router(config)# ip http secure-port 1025Router(config)# ip http secure-ciphersuite rc4-128-sha rc4-128-md5Router(config)# endRouter# show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 1025
HTTP secure server ciphersuite: rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint: CA-trust-localIn the following example, the CA trustpoint CA-trust-local is specified, and the HTTPS client is configured to use this trustpoint for client authentication requests:
Router# config terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# crypto ca trustpoint CA-trust-localRouter(ca-trustpoint)# enrollment url http://example.comRouter(ca-trustpoint)# crl query ldap://example.comRouter(ca-trustpoint)# primaryRouter(ca-trustpoint)# exitRouter(config)# ip http client secure-trustpoint CA-trust-localRouter(config)# endRouter# copy running-config startup-configAdditional References
The following sections provide references related to the HTTPS—HTTP Server and Client with SSL 3.0 feature.
Related Documents
Standards
Related MIBs
Related RFCs
RFC 2616
Cisco's implementation of HTTP is based on RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1.
Technical Assistance
Command Reference
This section documents only commands that are new or modified.
•
•
•
•
debug ip http ssl error
To enable debugging messages for the HTTPS web server and client, use the debug ip http ssl error command in privileged EXEC mode. To disable debugging messages for the secure HTTP web server and client, use the no form of this command.
debug ip http ssl error
no debug ip http ssl error
Syntax Description
This command has no arguments or keywords.
Command Default
Debugging message output is disabled.
Command Modes
Privileged EXEC
Command History
12.2(15)T
This command was introduced.
12.2(33)SRA
This command was integrated into the 12.2(33)SRA release.
12.2(33)SXH
This command was integrated into the 12.2(33)SXH release.
Usage Guidelines
This command displays output for debugging purposes related to the secure HTTP server and secure HTTP client. Secure HTTP services use the Secure Socket Layer (SSL) protocol, version 3.0, for encryption.
Examples
The following is sample debugging output from the debug ip http ssl error command:
000030:00:08:01:%HTTPS:Key pair generation failed000030:00:08:10:%HTTPS:Failed to generate self-signed cert000030:00:08:15:%HTTPS:SSL handshake fail000030:00:08:21:%HTTPS:SSL read fail, uninitialized hndshk ctxt000030:00:08:25:%HTTPS:SSL write fail, uninitialized hndshk ctxtTable 1 describes the significant fields shown in the display.
Related Commands
ip http client secure-ciphersuite
To specify the CipherSuite that should be used for encryption over the secure HTTP connection from the client to a remote server, use the ip http client secure-ciphersuite command in global configuration mode. To remove a previously configured CipherSuite specification for the client, use the no form of this command.
ip http client secure-ciphersuite [3des-ede-cbc-sha] [rc4-128-sha] [rc4-128-md5] [des-cbc-sha]
no ip http client secure-ciphersuite
Syntax Description
Command Default
The client and server negotiate the best CipherSuite that they both support from the list of available CipherSuites.
Command Modes
Global configuration
Command History
Usage Guidelines
This command allows you to restrict the list of CipherSuites (encryption algorithms) that the client offers when connecting to a secure HTTP server. For example, you may want to allow only the most secure CipherSuites to be used.
Unless you have a reason to specify the CipherSuites that should be used, or you are unfamiliar with the details of these CipherSuites, you should leave this command unconfigured and let the server and client negotiate the CipherSuite that they both support (this is the default). The no form of this command returns the list of available CipherSuites to the default (that is, all CipherSuites supported on your device are available for negotiation).
Examples
The following example shows how to configure the HTTPS client to use only the SSL_RSA_WITH_3DES_EDE_CBC_SHA CipherSuite:
Router(config)# ip http client secure-ciphersuite 3des-ede-cbc-shaRelated Commands
show ip http client secure status
Displays the configuration status of the secure HTTP client.
ip http client secure-trustpoint
To specify the remote certificate authority (CA) trustpoint that should be used if certification is needed for the secure HTTP client, use the ip http client secure-trustpoint command in global configuration mode. To remove a client trustpoint from the configuration, use the no form of this command.
ip http client secure-trustpoint trustpoint-name
no ip http client secure-trustpoint trustpoint-name
Syntax Description
trustpoint-name
Name of a configured trustpoint. Use the same trustpoint name that was used in the associated crypto ca trustpoint command.
Command Default
If the remote HTTPS server requests client certification, the secure HTTP client will use the trustpoint configured using the primary command in the CA trustpoint configuration. If a trustpoint is not configured, client certification will fail.
Command Modes
Global configuration
Command History
Usage Guidelines
This command specifies that the secure HTTP client should use the certificate associated with the trustpoint indicated by the trustpoint-name argument. Use the same trustpoint name that you used in the associated crypto ca trustpoint command.
The specified X.509v3 security certificate will be used by the HTTPS client for cases when the remote HTTPS server requires client authorization.
Use this command only if you have already declared a CA trustpoint using the crypto ca trustpoint command and associated submode commands. If the remote HTTPS server requires client authorization and a trustpoint is not configured for the client, the remote HTTPS server will reject the connection.
If this command is not used, the client attempts to use the certificate associated with the primary trustpoint. The primary trustpoint is configured using the primary command.
Examples
In the following example, the CA trustpoint is configured and referenced in the secure HTTP server configuration:
!The following commands specify a CA trustpoint that can be used!to obtain a X.509v3 security certificate.Router(config)# crypto ca trustpoint tp1Router(config-ca)# enrollment url http://host1:80Router(config-ca)# exit!The following command is used to actually obtain the security certificate.!A trustpoint NAME is used because there could be multiple trust points!configured for the router.Router(config)# crypto ca enrollment TP1!The following command specifies that the secure HTTP client!should use the certificate associated with the TP1 trustpoint for HTTPS connections.Router(config)# ip http client secure-trustpoint tp1Related Commands
ip http secure-ciphersuite
To specify the CipherSuites that should be used by the secure HTTP server when negotiating a connection with a remote client, use the ip http secure-ciphersuite command in global configuration mode. To return the configuration to the default set of CipherSuites, use the no form of this command.
ip http secure-ciphersuite [3des-ede-cbc-sha] [rc4-128-sha] [rc4-128-md5] [des-cbc-sha]
no ip http secure-ciphersuite
Syntax Description
Command Default
The HTTPS server negotiates the best CipherSuite using the list received from the connecting client.
Command Modes
Global configuration
Command History
Usage Guidelines
This command is used to restrict the list of CipherSuites (encryption algorithms) that should be used for encryption over the HTTPS connection. For example, you may want to allow only the most secure CipherSuites to be used.
Unless you have a reason to specify the CipherSuites that should be used, or you are unfamiliar with the details of these CipherSuites, you should leave this command unconfigured and let the server and client negotiate the CipherSuite that they both support (this is the default).
The supported CipherSuites vary by Cisco IOS software image. For example, "IP Sec56" ("k8") images support only the SSL_RSA_WITH_DES_CBC_SHA CipherSuite in Cisco IOS Release 12.2(15)T.
In terms of router processing load (speed), the following list ranks the CipherSuites from fastest to slowest (slightly more processing time is required for the more secure and more complex CipherSuites):
1.
2.
3.
4.
Additional information about these CipherSuites can be found online from sources that document the Secure Sockets Layer (SSL) 3.0 protocol.
Examples
The following exampleshows how to restrictsthe CipherSuites offered to a connecting secure web client:
Router(config)# ip http secure-ciphersuite rc4-128-sha rc4-128-md5Related Commands
ip http secure-server
Enables the HTTPS server.
show ip http server secure status
Displays the configuration status of the secure HTTP server.
ip http secure-client-auth
To configure the secure HTTP server to authenticate connecting clients, use the ip http secure-client-auth command in global configuration mode. To remove the requirement for client authorization, use the no form of this command.
ip http secure-client-auth
no ip http secure-client-auth
Syntax Description
This command has no arguments or keywords.
Command Default
Client authentication is not required for connections to the secure HTTP server.
Command Modes
Global configuration
Command History
Usage Guidelines
This command configures the HTTP server to request an X.509v3 certificate from the client in order to authenticate the client during the connection process.
In the default connection and authentication process, the client requests a certificate from the HTTP server, but the server does not attempt to authenticate the client. Authenticating the client provides more security than server authentication by itself, but not all web clients may be configured for certificate authority (CA) authentication.
Examples
In the following example the secure web server is enabled and the server is configured to accept connections only from clients with a signed security certificate:
Router(config)# no ip http serverRouter(config)# ip http secure-serverRouter(config)# ip http secure-client-authRelated Commands
ip http secure-server
Enables the HTTPS server.
show ip http server secure status
Displays the configuration status of the secure HTTP server.
ip http secure-port
To set the secure HTTP (HTTPS) server port number for listening, use the ip http secure-port command in global configuration mode. To return the HTTPS server port number to the default, use the no form of this command.
ip http secure-port port-number
no ip http secure-port
Syntax Description
port-number
Integer in the range of 0 to 65535 is accepted, but the port number must be higher than 1024 unless the default is used. The default is 443.
Command Default
The HTTPS server port number is not set for listening.
Command Modes
Global configuration
Command History
Usage Guidelines
An HTTP server and an HTTPS server cannot use the same port. If you try to configure both on the same port, the following message is displayed:
% Port port_number in use by HTTP.where port_number is the port number that is already assigned to the HTTP server.
If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format:
https://device:port_number
where port_number is the HTTPS port number.
Examples
The following example shows how to assign port 1025 for HTTPS server connections:
Router(config)# ip http secure-port 1025Related Commands
ip http secure-server
To enable a secure HTTP (HTTPS) server, use the ip http secure-server command in global configuration mode. To disable an HTTPS server, use the no form of this command.
ip http secure-server
no ip http secure-server
Syntax Description
This command has no arguments or keywords.
Command Default
The HTTPS server is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
The HTTPS server uses the Secure Sockets Layer (SSL) version 3.0 protocol.
Note
If a certificate authority (CA) is used for certification, you should declare the CA trustpoint on the routing device before enabling the HTTPS server.
Examples
In the following example the HTTPS server is enabled, and the (previously configured) CA trustpoint CA-trust-local is specified:
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# ip http secure-serverRouter(config)# ip http secure-trustpoint CA-trust-localRouter(config)# endRouter# show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-12a
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint: CA-trust-localRelated Commands
ip http secure-trustpoint
To specify the certificate authority (CA) trustpoint that should be used for obtaining signed certificates for a secure HTTP (HTTPS) server, use the ip http secure-trustpoint command in global configuration mode. To remove a previously specified CA trustpoint, use the no form of this command.
ip http secure-trustpoint trustpoint-name
no ip http secure-trustpoint trustpoint-name
Syntax Description
trustpoint-name
Name of a configured trustpoint. Use the same trustpoint name that was used in the associated crypto ca trustpoint command.
Command Default
The HTTPS server uses the trustpoint configured when you use the primary command. If a trustpoint is not configured, the HTTPS server uses a self-signed certificate.
Command Modes
Global configuration
Command History
Usage Guidelines
This command specifies that the HTTPS server should use the X.509v3 certificate associated with the trustpoint indicated by the trustpoint-name argument. Use the same trustpoint name that you used in the associated crypto ca trustpoint command.
The specified X.509v3 security certificate will be used to authenticate the server to connecting clients, and, if remote client authentication is enabled, to authenticate the connecting clients.
Use this command only if you have already declared a CA trustpoint using the crypto ca trustpoint command and associated submode commands. If a trustpoint is not configured, the HTTPS server will use a self-signed certificate.
If this command is not used, the server will attempt to use the certificate associated with the primary trustpoint. The primary trustpoint is configured using the primary command.
Examples
In the following example, the CA trustpoint is configured, a certificate is obtained, and the certificate is referenced in the HTTPS server configuration:
!The following commands specifies a CA trustpoint that can be used!to obtain a X.509v3 security certificate.!A trustpoint NAME is used because there could be multiple trustpoints!configured for the router.Router(config)# crypto ca trustpoint tp1Router(config-ca)# enrollment url http://host1:80Router(config-ca)# exitRouter(config)# crypto ca authenticate tp1!The following command is used to actually obtain the security certificate.Router(config)# crypto ca enrollment tp1Router(config)# ip http secure-server!The following command specifies that the secure HTTP server!should use a certificate associated with the TP1 trustpoint for HTTPS connections.Router(config)# ip http secure-trustpoint tp1Related Commands
show ip http client secure status
To display the status of the secure HTTP client configuration, use the show ip http client secure status command in privileged EXEC mode.
show ip http client secure status
Syntax Description
This command has no arguments or keywords.
Command Default
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Examples
The following is sample output from the show ip http client secure status command:
Router# show ip http client secure statusHTTP secure client ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-12aHTTP secure client trustpoint: TP-1Table 2 describes the significant fields shown in the display.
Related Commands
show ip http server secure status
To display the status of the HTTP secure server configuration, use the show ip http server secure status command in privileged EXEC mode.
show ip http server secure status
Syntax Description
This command has no arguments or keywords.
Command Default
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Examples
The following is sample output from the show ip http server secure status command:
Router# show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 1025
HTTP secure server ciphersuite: rc4-128-sha rc4-128-md5
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint: CA-trust-localTable 3 describes the significant fields shown in the display.
Related Commands
Feature Information for HTTPS—HTTP Server and Client with SSL 3.0
Table 4 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Note
Glossary
RSA—RSA is a widely used Internet encryption and authentication system that uses public and private keys for encryption and decryption. The RSA algorithm was invented in 1978 by Ron Rivest, Adi Shamir, and Leonard Adleman. The abbreviation RSA comes from the first letter of the last names of the three original developers. The RSA algorithm is included in many applications, such as the web browsers from Microsoft and Netscape. The RSA encryption system is owned by RSA Security.
SHA—The Secure Hash Algorithm. SHA was developed by NIST and is specified in the Secure Hash Standard (SHS, FIPS 180). Often used as an alternative to Digest 5 algorithm.
signatures, digital—In the context of SSL, "signing" means to encrypt with a private key. In digital signing, one-way hash functions are used as input for a signing algorithm. In RSA signing, a 36-byte structure of two hashes (one SHA and one MD5) is signed (encrypted with the private key).
Note
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2003, 2006-2007 Cisco Systems, Inc. All rights reserved.
Guest
