When you log in to the NIOS appliance, your computer makes an HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) connection to the appliance. HTTPS is the secure version of HTTP, the client-server protocol used to send and receive communications throughout the Web. HTTPS uses the SSL (Secure Sockets Layer) and/or TLS (Transport Layer Security) protocols to secure the connection between a client and a server. SSL/TLS provides server authentication and encryption. The NIOS appliance supports TLS versions 1.0, 1.1, and 1.2. TLS provides cipher suites that are used to negotiate the security settings for the secure connection. Infoblox provides a few CLI commands that you can use to enable and disable specific cipher suites. For detailed information about these CLI commands, see Using the NIOS CLI.
Note that enabling or disabling the TLS ciphers will enable or disable the equivalent SSHd cipher. The following table lists the TLS suite name and the corresponding OpenSSL suite name, SSHd cipher name, and SSHd MAC name:
TLS Cipher Suites
TLS Suite Name | OpenSSL Suite Name | SSHd Cipher | SSHd MAC |
---|---|---|---|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA | DHE-RSA-AES256-SHA | aes256-cbc | hmac-sha1, |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA | DHE-DSS-AES256-SHA | aes256-cbc | hmac-sha1, |
TLS_RSA_WITH_AES_256_CBC_SHA | AES256-SHA | aes256-cbc | hmac-sha1, |
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA | EDH-RSA-DES-CBC3-SHA | 3des-cbc | hmac-sha1, |
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA | EDH-DSS-DES-CBC3-SHA | 3des-cbc | hmac-sha1, |
TLS_RSA_WITH_3DES_EDE_CBC_SHA | DES-CBC3-SHA | 3des-cbc | hmac-sha1, |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA | DHE-DSS-AES128-SHA | aes128-cbc | hmac-sha1, |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA | DHE-DSS-AES128-SHA | aes128-cbc | hmac-sha1, hmac-sha1-etm@openssh.com |
TLS_RSA_WITH_AES_128_CBC_SHA | AES128-SHA | aes128-cbc | hmac-sha1, |
TLS_RSA_WITH_RC4_128_SHA | RC4-SHA | arcfour128 | hmac-sha1, |
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | DHE-DSS-AES256-GCM-SHA384 | aes256-gcm@openssh.com | hmac-sha2-512, |
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | DHE-DSS-AES256-GCM-SHA384 | aes256-gcm@openssh.com | hmac-sha2-512, |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | DHE-RSA-AES256-SHA256 | aes256-cbc | hmac-sha2-256, |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | DHE-DSS-AES256-SHA256 | aes256-cbc | hmac-sha2-256, |
TLS_RSA_WITH_AES_256_GCM_SHA384 | AES256-GCM-SHA384 | aes256-gcm@openssh.com | hmac-sha2-512, |
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | DHE-DSS-AES128-GCM-SHA256 | aes128-gcm@openssh.com | hmac-sha2-256, |
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | DHE-RSA-AES128-GCM-SHA256 | aes128-gcm@openssh.com | hmac-sha2-256, |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | DHE-RSA-AES128-SHA256 | aes128-cbc | hmac-sha2-256, |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | DHE-DSS-AES128-SHA256 | aes128-cbc | hmac-sha2-256, |
TLS_RSA_WITH_AES_128_GCM_SHA256 | AES128-GCM-SHA256 | aes128-gcm@openssh.com | hmac-sha2-256, hmac-sha2-256-etm@openssh.com |
TLS_RSA_WITH_AES_128_CBC_SHA256 | AES128-SHA256 | aes128-cbc | hmac-sha2-256, |
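
The following Python example is added here and is not Infoblox code: it parses rows in the table's pipe-delimited layout, flags suites by name (RC4, 3DES, CBC mode, and RSA key transport, which lacks forward secrecy), and lists the SSHd ciphers paired with the flagged suites, since toggling a TLS suite also toggles its SSHd cipher. The function names and the flagging criteria are assumptions of this example; the sample rows are copied from the table above.

```python
# Added example (not Infoblox code): triage rows of the cipher-suite table.
# TABLE is a constructed sample: six rows copied from the table above.
TABLE = """\
TLS_RSA_WITH_RC4_128_SHA | RC4-SHA | arcfour128 | hmac-sha1, |
TLS_RSA_WITH_3DES_EDE_CBC_SHA | DES-CBC3-SHA | 3des-cbc | hmac-sha1, |
TLS_RSA_WITH_AES_256_CBC_SHA | AES256-SHA | aes256-cbc | hmac-sha1, |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA | DHE-RSA-AES256-SHA | aes256-cbc | hmac-sha1, |
TLS_RSA_WITH_AES_128_GCM_SHA256 | AES128-GCM-SHA256 | aes128-gcm@openssh.com | hmac-sha2-256, hmac-sha2-256-etm@openssh.com |
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | DHE-RSA-AES128-GCM-SHA256 | aes128-gcm@openssh.com | hmac-sha2-256, |
"""

def parse(table):
    """Yield (tls_suite, openssl_name, sshd_cipher) from pipe-delimited rows."""
    for line in table.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) >= 3 and cells[0].startswith("TLS_"):
            yield cells[0], cells[1], cells[2]

def reasons(tls_suite):
    """Reasons to review a suite, judged only from its TLS suite name."""
    found = []
    if "_RC4_" in tls_suite:
        found.append("RC4 (prohibited in TLS by RFC 7465)")
    if "_3DES_" in tls_suite:
        found.append("3DES (64-bit block cipher)")
    if tls_suite.startswith("TLS_RSA_"):
        found.append("RSA key transport (no forward secrecy)")
    if "_CBC_" in tls_suite:
        found.append("CBC mode (MAC-then-encrypt)")
    return found

def triage(table):
    """Map flagged OpenSSL names to reasons, plus the SSHd ciphers tied to them."""
    flagged, sshd = {}, set()
    for tls_suite, openssl_name, sshd_cipher in parse(table):
        why = reasons(tls_suite)
        if why:
            flagged[openssl_name] = why
            sshd.add(sshd_cipher)  # toggling the suite also toggles this cipher
    return flagged, sorted(sshd)

if __name__ == "__main__":
    flagged, sshd = triage(TABLE)
    for name, why in flagged.items():
        print(f"{name}: {'; '.join(why)}")
    print("SSHd ciphers affected:", ", ".join(sshd))
```

Before disabling a flagged suite, compare the SSHd cipher list against what your SSH clients and automation negotiate with the appliance.
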
When a client first connects to a server, it starts a series of message exchanges, called the SSL/TLS handshake. During this exchange, the server authenticates itself to the client by sending its server certificate. A certificate is an electronic form that verifies the identity and public key of the subject of the certificate. (In SSL/TLS, the subject of the certificate is the server.) Certificates are typically issued and digitally signed by a trusted third party, the Certificate Authority (CA). A certificate contains the following information: the dates it is valid, the issuing CA, the server name, and the public key of the server. For information about certificates, see Managing Certificates.
A server generates two distinct but related keys: a public key and a private key. During the SSL/TLS handshake, the server sends its public key to the client. Once the client validates the certificate, it encrypts a random value with the public key and sends it to the server. The server decrypts the random value with its private key.
The server and the client use the random value to generate the master secret, which they in turn use to generate symmetric keys. The client and server end the handshake when they exchange messages indicating that they are using the symmetric keys to encrypt further communications.
SSL/TLS Handshake
...