Oracle iPlanet Web Proxy Server 4.0.14 Administration Guide

Setting Stronger Ciphers

The Set Cipher Size option on the Server Manager Preferences tab lets you require a secret key size of 168 bits, 128 bits, or 56 bits for access, or impose no restriction. You can specify a file to be served when the restriction is not met. If no file is specified, Proxy Server returns a Forbidden status.

If you select a key size for access that is not consistent with the current cipher settings under Security Preferences, Proxy Server displays a warning that you need to enable ciphers with larger secret key sizes.

The implementation of the key size restriction is based on an NSAPI PathCheck directive in obj.conf, rather than Service fn=key-toosmall. This directive is:

PathCheck fn="ssl-check" [secret-keysize=nbits] [bong-file=filename]

where nbits is the minimum number of bits required in the secret key, and filename is the name of a file to be served if the restriction is not met.

PathCheck returns REQ_NOACTION if SSL is not enabled, or if the secret-keysize parameter is not specified. If the secret key size for the current session is less than the specified secret-keysize and bong-file is not specified, the function returns REQ_ABORTED with a status of PROTOCOL_FORBIDDEN. If bong-file is specified, the function returns REQ_PROCEED, and the path variable is set to the bong-file filename. Also, when a key size restriction is not met, the SSL session cache entry for the current session is invalidated, so that a full SSL handshake occurs the next time the same client connects to the server.


Note –

The Set Cipher Size form removes any Service fn=key-toosmall directives found in an object when it adds a PathCheck fn=ssl-check.
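The following audit script is an added example, not part of the original guide or of Proxy Server. It scans obj.conf text for the two conditions described above: a PathCheck fn="ssl-check" that enforces nothing or too little, and a leftover Service fn=key-toosmall. The 128-bit default floor, the sample object names and paths, and the one-directive-per-line layout are assumptions.

```python
import re

# name=value or name="value" parameters on an obj.conf directive line
PARAM = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')

def audit_obj_conf(text, min_bits=128):
    """Return (object, finding) pairs; min_bits is an assumed policy floor."""
    findings, obj = [], "(top level)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("<"):
            # <Object ...> opens a scope, </Object> closes it
            obj = "(top level)" if line.startswith("</") else line.strip("<>")
            continue
        stage = line.split(None, 1)[0]
        params = {k: q or u for k, q, u in PARAM.findall(line)}
        fn = params.get("fn")
        if stage == "Service" and fn == "key-toosmall":
            findings.append((obj, "legacy Service fn=key-toosmall present"))
        if stage != "PathCheck" or fn != "ssl-check":
            continue
        size = params.get("secret-keysize")
        if size is None:
            # Per the guide, ssl-check returns REQ_NOACTION in this case.
            findings.append((obj, "ssl-check without secret-keysize enforces nothing"))
        elif not size.isdigit():
            findings.append((obj, f"secret-keysize={size!r} is not a number"))
        elif int(size) < min_bits:
            findings.append((obj, f"secret-keysize={size} is below {min_bits}"))
    return findings

# Constructed sample obj.conf fragment (object names and paths are made up).
SAMPLE = '''
<Object name="default">
PathCheck fn="ssl-check" secret-keysize="56" bong-file="/opt/proxy/docs/weak.html"
Service fn="key-toosmall"
</Object>
<Object ppath="https://intranet.example/.*">
PathCheck fn="ssl-check"
</Object>
<Object ppath="https://payroll.example/.*">
PathCheck fn=ssl-check secret-keysize=168
</Object>
'''

if __name__ == "__main__":
    for obj, msg in audit_obj_conf(SAMPLE):
        print(f"{obj}: {msg}")
```

Directives that continue onto an indented second line are not joined by this script, so a secret-keysize placed on a continuation line would be reported as missing.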


To Set Stronger Ciphers

  1. Access the Server Manager for a server instance and click the Preferences tab.

  2. Click the Set Cipher Size link.

  3. From the drop-down list, select the resource to which to apply stronger ciphers, and then click Select. You can also specify a regular expression.

    For more information, see Chapter 16, Managing Templates and Resources.

  4. Select the secret key size restriction:

    • 168 bits or larger

    • 128 bits or larger

    • 56 bits or larger

    • No restrictions

  5. Specify the location of the file containing the message to serve when access is rejected, and click OK.

    For more information about ciphers, see Introduction to SSL.