Contents
- HTTPS--HTTP Server and Client with SSL 3.0
- Finding Feature Information
- Prerequisites for HTTPS—HTTP Server and Client with SSL 3.0
- Restrictions for HTTPS—HTTP Server and Client with SSL 3.0
- Information About HTTPS--HTTP Server and Client with SSL 3.0
- Secure HTTP Server and Secure HTTP Client
- Certificate Authority Trustpoints
- CipherSuites
- How to Configure the HTTPS--HTTP Server and Client with SSL 3.0
- Declaring a Certificate Authority Trustpoint
- Configuring the HTTPS Server with SSL 3.0
- Verifying the Configuration of the HTTPS Server
- Providing Additional Security and Efficiency
- Configuring the HTTPS Client with SSL 3.0
- Configuration Examples for the HTTPS--HTTP Server and Client with SSL 3.0 feature
- Additional References
- Feature Information for HTTPS--HTTP Server and Client with SSL 3.0
- Glossary
HTTPS--HTTP Server and Client with SSL 3.0
The HTTPS--HTTP Server and Client with SSL 3.0 feature provides Secure Socket Layer (SSL) version 3.0 support for the HTTP 1.1 server and HTTP 1.1 client within Cisco IOS software. SSL provides server authentication, encryption, and message integrity to allow secure HTTP communications. SSL also provides HTTP client authentication. HTTP over SSL is abbreviated as HTTPS.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for HTTPS—HTTP Server and Client with SSL 3.0
To enable secure HTTP connections, which are encrypted, without a configured certificate authority trustpoint, you must first ensure that each device has the key, such as a Rivest, Shamir, and Adleman (RSA) public key or a shared key, of the target device. In most cases, an RSA key pair is generated automatically. The RSA key pair is used for creating a self-signed certificate. A self-signed certificate is also generated automatically.
Restrictions for HTTPS—HTTP Server and Client with SSL 3.0
The HTTPS—HTTP Server and Client with SSL 3.0 feature is available only in Cisco software images that support Secure Socket Layer (SSL). SSL is supported in Internet Protocol Security (IPSec) 56 and IPSec Triple Data Encryption Standard (3DES) images. The following CipherSuites are supported in IPSec Data Encryption Standard (DES) images:
- SSL_RSA_WITH_RC4_128_MD5—Rivest, Shamir, and Adleman (RSA) key exchange (RSA Public Key Cryptography) with RC4 128-bit encryption and message digest algorithm 5 (MD5) for message digest
- SSL_RSA_WITH_RC4_128_SHA—RSA key exchange with RC4 128-bit encryption and Secure Hash Algorithm (SHA) for message digest
- SSL_RSA_WITH_3DES_EDE_CBC_SHA—RSA key exchange with 3DES and DES-EDE3-CBC for message encryption and SHA for message digest
- SSL_RSA_WITH_DES_CBC_SHA—RSA key exchange with DES-CBC for message encryption and SHA for message digest
Only the SSL_RSA_WITH_DES_CBC_SHA CipherSuite is supported in IPSec 56 images. For further details on CipherSuites, see the SSL Protocol Version 3.0 Internet-Draft document.
RSA, in conjunction with the specified encryption and digest algorithm combinations, is used for both key generation and authentication on SSL connections. This usage is independent of whether a certificate authority (CA) trustpoint is configured or not.
Information About HTTPS--HTTP Server and Client with SSL 3.0
Secure HTTP Server and Secure HTTP Client
A secure HTTP connection means that data sent to and received from an HTTP server are encrypted before being sent out over the Internet. HTTP with SSL encryption provides a secure connection to allow such functions as configuring a router from a web browser. Cisco’s implementation of the secure HTTP server and secure HTTP client uses an implementation of SSL version 3.0. Application layer encryption provides an alternative to older methods such as having to set up a tunnel to the HTTP server for remote management. HTTP over SSL is abbreviated as HTTPS; the URL of a secure connection will begin with https:// instead of http://.
The Cisco IOS HTTP secure server’s primary role is to listen for HTTPS requests on a designated port (the default HTTPS port is 443) and to pass the request to the HTTP 1.1 web server. The HTTP 1.1 server processes requests and passes responses (served pages) back to the HTTP secure server, which, in turn, responds to the original request.
The Cisco IOS HTTP secure client’s primary role is to respond to Cisco IOS application requests for HTTPS User Agent services, perform HTTPS User Agent services on the application’s behalf, and pass the response back to the application.
Certificate Authority Trustpoints
Certificate authorities (CAs) are responsible for managing certificate requests and issuing certificates to participating IPSec network devices. These services provide centralized security key and certificate management for the participating devices. Specific CA servers are referred to as “trustpoints.”
The HTTPS server provides a secure connection by providing a certified X.509v3 certificate to the client when a connection attempt is made. The certified X.509v3 certificate is obtained from a specified CA trustpoint. The client (usually a web browser), in turn, has a public key that allows it to authenticate the certificate.
Configuring a CA trustpoint is highly recommended for secure HTTP connections. However, if a CA trustpoint is not configured for the routing device running the HTTPS server, the server will certify itself and generate the needed RSA key pair. Because a self-certified (self-signed) certificate does not provide adequate security, the connecting client will generate a notification that the certificate is self-certified, and the user will have the opportunity to accept or reject the connection. This option is suitable only for internal network topologies (such as testing).
The HTTPS--HTTP Server and Client with SSL 3.0 feature also provides an optional command (ip http secure-client-auth) that, when enabled, has the HTTPS server request an X.509v3 certificate from the client. Authenticating the client provides more security than server authentication by itself.
For additional information on certificate authorities, see the “Configuring Certification Authority Interoperability” chapter in the Cisco IOS Security Configuration Guide.
CipherSuites
A CipherSuite specifies the encryption algorithm and digest algorithm to use on an SSL connection. Web browsers offer a list of supported CipherSuites when connecting to the HTTPS server, and the client and server will negotiate the best encryption algorithm to use from those that are supported by both. For example, Netscape Communicator 4.76 supports U.S. security with RSA Public Key Cryptography, MD2, MD5, RC2-CBC, RC4, DES-CBC, and DES-EDE3-CBC.
For the best possible encryption, you should use a browser that supports 128-bit encryption, such as Microsoft Internet Explorer version 5.5 (or later), or Netscape Communicator version 4.76 (or later). The SSL_RSA_WITH_DES_CBC_SHA CipherSuite provides less security than the other CipherSuites, because it does not offer 128-bit encryption.
In terms of router processing load (speed), the following list ranks the CipherSuites from fastest to slowest (slightly more processing time is required for the more secure and more complex CipherSuites):
- SSL_RSA_WITH_DES_CBC_SHA
- SSL_RSA_WITH_RC4_128_MD5
- SSL_RSA_WITH_RC4_128_SHA
- SSL_RSA_WITH_3DES_EDE_CBC_SHA
How to Configure the HTTPS--HTTP Server and Client with SSL 3.0
- Declaring a Certificate Authority Trustpoint
- Configuring the HTTPS Server with SSL 3.0
- Providing Additional Security and Efficiency
- Configuring the HTTPS Client with SSL 3.0
Declaring a Certificate Authority Trustpoint
Configuring a CA trustpoint is highly recommended for secure HTTP connections. The certified X.509v3 certificate for the secure HTTP server (or client) is obtained from the specified CA trustpoint. If you do not declare a CA trustpoint, then a self-signed certificate will be used for secure HTTP connections. The self-signed certificate is generated automatically.
SUMMARY STEPS
1. enable
2. configure terminal
3. hostname name
4. ip domain-name name
5. crypto key generate rsa usage-keys
6. crypto ca trustpoint name
7. enrollment url url
8. enrollment http-proxy host-name port-number
9. crl {query url | optional | best-effort}
10. primary
11. exit
12. crypto ca authenticate name
13. crypto ca enrollment name
14. Do one of the following:
- copy running-config startup-config
- copy system:running-config nvram:startup-config
Configuring the HTTPS Server with SSL 3.0
To disable the standard HTTP server and configure the HTTPS server with SSL 3.0, complete the procedure in this section.
If a certificate authority is to be used for certification, you should declare the CA trustpoint on the routing device before enabling the secure HTTP server.
SUMMARY STEPS
1. enable
2. show ip http server status
3. configure terminal
4. no ip http server
5. ip http secure-server
6. ip http secure-port port-number
7. ip http secure-ciphersuite [3des-ede-cbc-sha] [rc4-128-sha] [rc4-128-md5] [des-cbc-sha]
8. ip http secure-client-auth
9. ip http secure-trustpoint name
10. end
11. show ip http server secure status
DETAILED STEPS
Step | Command or Action | Purpose
---|---|---
Step 1 | enable (Example: Router> enable) | Enables privileged EXEC mode.
Step 2 | show ip http server status (Example: Router# show ip http server status) | (Optional) Displays the status of the HTTP server.
Step 3 | configure terminal (Example: Router# configure terminal) | Enters global configuration mode.
Step 4 | no ip http server (Example: Router(config)# no ip http server) | Disables the standard HTTP server.
Step 5 | ip http secure-server (Example: Router(config)# ip http secure-server) | Enables the HTTPS server.
Step 6 | ip http secure-port port-number (Example: Router(config)# ip http secure-port 1025) | (Optional) Specifies the port number that should be used for the HTTPS server. The default port number is 443. Valid options are 443 or any number in the range 1025 to 65535.
Step 7 | ip http secure-ciphersuite [3des-ede-cbc-sha] [rc4-128-sha] [rc4-128-md5] [des-cbc-sha] (Example: Router(config)# ip http secure-ciphersuite rc4-128-sha rc4-128-md5) | (Optional) Specifies the CipherSuites (encryption algorithms) that should be used for encryption over the HTTPS connection.
Step 8 | ip http secure-client-auth (Example: Router(config)# ip http secure-client-auth) | (Optional) Configures the HTTP server to request an X.509v3 certificate from the client in order to authenticate the client during the connection process.
Step 9 | ip http secure-trustpoint name (Example: Router(config)# ip http secure-trustpoint trustpoint-01) | Specifies the CA trustpoint that should be used to obtain an X.509v3 security certificate and to authenticate the connecting client’s certificate.
Step 10 | end (Example: Router(config)# end) | Ends the current configuration session and returns you to privileged EXEC mode.
Step 11 | show ip http server secure status (Example: Router# show ip http server secure status) | Displays the status of the HTTP secure server configuration.
Verifying the Configuration of the HTTPS Server
To verify the configuration of the HTTPS server, connect to the router running the HTTPS server with a web browser by entering https://url, where url is the IP address or hostname of the router. A successful connection using the https prefix (instead of the standard http) indicates that the HTTPS server is configured properly. If a port other than the default port is configured (using the ip http secure-port command), you must also specify the port number after the URL. For example:
https://209.165.202.129:1026
or
https://host.domain.com:1026
Generally, you can verify that the HTTPS server is configured and that you have a secure connection by locating an image of a padlock at the bottom of your browser window. Also note that secure HTTP connections have a URL that starts with “https:” instead of “http:”.
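As an added example (not code from the Cisco module), the following Python script ties the CipherSuites section to the server configuration and verification procedure: it emits the global-config commands for a chosen secure port, CipherSuite list, trustpoint and client-authentication setting, enforcing the 443/1025-65535 port rule the module states, and then audits pasted "show ip http server secure status" output for the points the module calls out (des-cbc-sha offered, no CA trustpoint, client authentication disabled). The status text is a constructed sample modelled on the module's own example output, and the function names are this example's, not IOS commands.

```python
"""Added example, not part of the Cisco module: build the HTTPS server
configuration from the 'Configuring the HTTPS Server with SSL 3.0' procedure
and audit 'show ip http server secure status' output against the module's
recommendations (CA trustpoint, client auth, avoiding des-cbc-sha)."""
import re

# The four CipherSuite keywords accepted by 'ip http secure-ciphersuite'.
CIPHERSUITES = ("3des-ede-cbc-sha", "rc4-128-sha", "rc4-128-md5", "des-cbc-sha")


def https_server_config(port=443, ciphersuites=(), trustpoint=None, client_auth=False):
    """Return the global-config commands, in procedure order, for the given settings."""
    # Valid secure ports are 443 or 1025-65535; the module's session shows 1024 rejected.
    if port != 443 and not 1025 <= port <= 65535:
        raise ValueError(f"invalid secure port {port}: use 443 or 1025-65535")
    unknown = [c for c in ciphersuites if c not in CIPHERSUITES]
    if unknown:
        raise ValueError(f"unknown CipherSuite keyword(s): {unknown}")
    cmds = ["no ip http server", "ip http secure-server"]  # steps 4 and 5
    if port != 443:
        cmds.append(f"ip http secure-port {port}")  # step 6
    if ciphersuites:
        cmds.append("ip http secure-ciphersuite " + " ".join(ciphersuites))  # step 7
    if client_auth:
        cmds.append("ip http secure-client-auth")  # step 8
    if trustpoint:
        cmds.append(f"ip http secure-trustpoint {trustpoint}")  # step 9
    return cmds


def parse_secure_status(text):
    """Map each 'HTTP secure server <field>: <value>' line to field -> value."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*HTTP secure server (.+?):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def audit_secure_status(text):
    """Return a list of findings; an empty list means the output matches the guidance."""
    f = parse_secure_status(text)
    findings = []
    if f.get("status") != "Enabled":
        findings.append("HTTPS server not enabled")
    if "des-cbc-sha" in f.get("ciphersuite", "").split():
        findings.append("des-cbc-sha offered: the only CipherSuite without 128-bit encryption")
    if not f.get("trustpoint"):
        findings.append("no CA trustpoint: server falls back to a self-signed certificate")
    if f.get("client authentication") != "Enabled":
        findings.append("client certificate authentication (ip http secure-client-auth) disabled")
    return findings


# Constructed sample modelled on the module's 'show ip http server secure status' output.
SAMPLE_STATUS = """\
HTTP secure server status: Enabled
HTTP secure server port: 1025
HTTP secure server ciphersuite: rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint: CA-trust-local
"""

if __name__ == "__main__":
    print("\n".join(https_server_config(1025, ("rc4-128-sha", "rc4-128-md5"), "CA-trust-local")))
    for finding in audit_secure_status(SAMPLE_STATUS):
        print("finding:", finding)
```

SSL 3.0 itself has since been deprecated (RFC 7568), so a clean audit here is a baseline for the settings this module controls, not an endorsement of the protocol version.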
Providing Additional Security and Efficiency
The configuration of the standard HTTP server applies to the secure HTTP server as well. To provide additional security and efficiency to both the standard HTTP server and the HTTPS server, complete the procedure in this section.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip http path path-name
4. ip http access-class access-list-number
5. ip http max-connections value
6. ip http timeout-policy idle seconds life seconds requests value
DETAILED STEPS
Step | Command or Action | Purpose
---|---|---
Step 1 | enable (Example: Router> enable) | Enables privileged EXEC mode.
Step 2 | configure terminal (Example: Router# configure terminal) | Enters global configuration mode.
Step 3 | ip http path path-name (Example: Router(config)# ip http path slot1:) | (Optional) Sets the base HTTP path for HTML files.
Step 4 | ip http access-class access-list-number (Example: Router(config)# ip http access-class 20) | (Optional) Specifies the access list that should be used to allow access to the HTTP server.
Step 5 | ip http max-connections value (Example: Router(config)# ip http max-connections 10) | (Optional) Sets the maximum number of concurrent connections to the HTTP server that will be allowed. The default value is 5.
Step 6 | ip http timeout-policy idle seconds life seconds requests value (Example: Router(config)# ip http timeout-policy idle 30 life 120 requests 100) | (Optional) Sets the idle, life, and requests characteristics that determine how long a connection to the HTTP server should remain open.
Configuring the HTTPS Client with SSL 3.0
To configure the HTTPS client with SSL 3.0, complete the procedure in this section.
The standard HTTP client and the secure HTTP client are always enabled.
A certificate authority is required for secure HTTP client certification; the following steps assume that you have previously declared a CA trustpoint on the routing device. If a CA trustpoint is not configured, and the remote HTTPS server requires client authentication, connections from the secure HTTP client will fail.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip http client secure-trustpoint trustpoint-name
4. ip http client secure-ciphersuite [3des-ede-cbc-sha] [rc4-128-sha] [rc4-128-md5] [des-cbc-sha]
5. end
6. show ip http client secure status
DETAILED STEPS
Step | Command or Action | Purpose
---|---|---
Step 1 | enable (Example: Router> enable) | Enables privileged EXEC mode.
Step 2 | configure terminal (Example: Router# configure terminal) | Enters global configuration mode.
Step 3 | ip http client secure-trustpoint trustpoint-name (Example: Router(config)# ip http client secure-trustpoint trustpoint01) | (Optional) Specifies the CA trustpoint that should be used if the remote HTTP server requests client authentication.
Step 4 | ip http client secure-ciphersuite [3des-ede-cbc-sha] [rc4-128-sha] [rc4-128-md5] [des-cbc-sha] (Example: Router(config)# ip http client secure-ciphersuite rc4-128-sha rc4-128-md5) | (Optional) Specifies the CipherSuites (encryption algorithms) that should be used for encryption over the HTTPS connection.
Step 5 | end (Example: Router(config)# end) | Ends the current configuration session and returns to privileged EXEC mode.
Step 6 | show ip http client secure status (Example: Router# show ip http client secure status) | Displays the status of the HTTP secure client configuration.
Configuration Examples for the HTTPS--HTTP Server and Client with SSL 3.0 feature
The following example shows a configuration session in which the secure HTTP server is enabled, the port for the secure HTTP server is configured as 1025, and the remote CA trustpoint server “CA-trust-local” is used for certification.
Router# show ip http server status
HTTP server status: Disabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path:
Maximum number of concurrent server connections allowed: 5
Server idle time-out: 600 seconds
Server life time-out: 600 seconds
Maximum number of requests allowed on a connection: 1
HTTP secure server capability: Present
HTTP secure server status: Disabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-12a
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip http secure-server
Router(config)# ip http client secure-trustpoint CA-trust-local
Router(config)# ip http secure-port 1024
Invalid secure port value.
Router(config)# ip http secure-port 1025
Router(config)# ip http secure-ciphersuite rc4-128-sha rc4-128-md5
Router(config)# end
Router# show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 1025
HTTP secure server ciphersuite: rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint: CA-trust-local
In the following example, the CA trustpoint CA-trust-local is specified, and the HTTPS client is configured to use this trustpoint for client authentication requests:
Router# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# crypto ca trustpoint CA-trust-local
Router(ca-trustpoint)# enrollment url http://example.com
Router(ca-trustpoint)# crl query ldap://example.com
Router(ca-trustpoint)# primary
Router(ca-trustpoint)# exit
Router(config)# ip http client secure-trustpoint CA-trust-local
Router(config)# end
Router# copy running-config startup-config
Additional References
The following sections provide references related to the HTTPS--HTTP Server and Client with SSL 3.0 feature.
Related Documents
Related Topic | Document Title
---|---
SSL 3.0 | The SSL Protocol Version 3.0 (this document is available from various sources online)
Standard Cisco Web Client | HTTP 1.1 Web Server and Client
Certification Authority Interoperability | Cisco IOS Security Configuration Guide: Secure Connectivity
Standards
Standard | Title
---|---
No new or modified standards are supported by this feature. | --
Related MIBs
MIBs | MIBs Link
---|---
No new or modified MIBs are supported by this feature. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
Related RFCs
RFCs | Description
---|---
RFC 2616 | Cisco’s implementation of HTTP is based on RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1.
Technical Assistance
Description | Link
---|---
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature Information for HTTPS--HTTP Server and Client with SSL 3.0
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name | Releases | Feature Information
---|---|---
HTTPS--HTTP Server and Client with SSL 3.0 | 12.2(15)T, 12.2(33)SRA, 12.2(33)SXH, 12.2(33)SB, Cisco IOS XE 3.1.0SG | This feature provides Secure Socket Layer (SSL) version 3.0 support for the HTTP 1.1 server and HTTP 1.1 client within Cisco IOS software. SSL provides server authentication, encryption, and message integrity to allow secure HTTP communications. SSL also provides HTTP client authentication. This feature is supported only in Cisco software images that support SSL. Specifically, SSL is supported in “IPSec 56” and “IPSec 3DES” images (contains “k8” or “k9” in the image name).
Glossary
RSA--RSA is a widely used Internet encryption and authentication system that uses public and private keys for encryption and decryption. The RSA algorithm was invented in 1978 by Ron Rivest, Adi Shamir, and Leonard Adleman. The abbreviation RSA comes from the first letter of the last names of the three original developers. The RSA algorithm is included in many applications, such as the web browsers from Microsoft and Netscape. The RSA encryption system is owned by RSA Security.
SHA--The Secure Hash Algorithm. SHA was developed by NIST and is specified in the Secure Hash Standard (SHS, FIPS 180). Often used as an alternative to the Message Digest 5 (MD5) algorithm.
signatures, digital --In the context of SSL, “signing” means to encrypt with a private key. In digital signing, one-way hash functions are used as input for a signing algorithm. In RSA signing, a 36-byte structure of two hashes (one SHA and one MD5) is signed (encrypted with the private key).
SSL 3.0 --Secure Socket Layer version 3.0. SSL is a security protocol that provides communications privacy over the Internet. The protocol allows client and server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. SSL uses a program layer located between the Internet’s HTTP and TCP layers. SSL is included as part of most web server products and as part of most Internet browsers. The SSL 3.0 specification can be found at http://home.netscape.com/eng/ssl3/ .