Sun Java System Messaging Server 6 2005Q4 Administration Guide

About Ciphers

A cipher is the algorithm used to encrypt and decrypt data. Some ciphers are stronger than others, meaning that a message they have scrambled is more difficult for an unauthorized person to unscramble.

A cipher operates on data by applying a key (a long number) to the data. In general, the longer the key a cipher uses, the harder it is to recover the data without the proper decryption key, because an attacker who has to guess the key faces a larger search space.

When a client initiates an SSL connection with a Messaging Server, the client sends the server the list of ciphers and key lengths it is willing to use; the server then selects one cipher from that list that it also has enabled, and both sides use that single cipher for the rest of the session. If the two lists have nothing in common, the connection fails. Because a number of cipher-and-key combinations are in common use, a server should be flexible in its support for encryption. Messaging Server supports the six combinations of cipher and key length listed in Table 19–2.

Table 19–2 lists the ciphers that Messaging Server supports for use with SSL 3.0. The table summarizes information that is available in more detail in the Introduction to SSL section of Managing Servers with iPlanet Console.

Table 19–2 SSL Ciphers for Messaging Server

Each entry gives the cipher (with key length and message-authentication algorithm), followed by its description.

RC4 with 128-bit encryption and MD5 message authentication
    The fastest encryption cipher (by RSA) and a very high-strength combination of cipher and encryption key.

Triple DES with 168-bit encryption and SHA message authentication
    A slower encryption cipher (a U.S. government standard) but the highest-strength combination of cipher and encryption key.

DES with 56-bit encryption and SHA message authentication
    A slower encryption cipher (a U.S. government standard) and a moderate-strength combination of cipher and encryption key.

RC4 with 40-bit encryption and MD5 message authentication
    The fastest encryption cipher (by RSA) and a lower-strength combination of cipher and encryption key.

RC2 with 40-bit encryption and MD5 message authentication
    A slower encryption cipher (by RSA) and a lower-strength combination of cipher and encryption key.

No encryption, only MD5 message authentication
    No encryption; a message digest is used for integrity checking alone, so the data is sent in the clear.

Unless you have a compelling reason for not using a specific cipher, you should support them all. However, note that export laws restrict the use of certain encryption ciphers in certain countries. Also, some client software produced before the relaxation of United States Export Control laws cannot use the higher-strength encryption. Be aware that while the 40-bit ciphers might hinder the casual eavesdropper, they are not secure and therefore will not stop a motivated attack; 56-bit DES has likewise been broken by exhaustive key search, and the no-encryption entry protects only the integrity of the data, not its confidentiality. Because the server will select any cipher you have enabled that a client offers, leaving the weak entries enabled means a client that offers only those entries gets a weak connection. If every client you need to support can use 128-bit RC4 or Triple DES, that is a compelling reason to disable the weaker entries.

To enable SSL and select encryption ciphers, follow these command line steps:

To enable or disable SSL:

configutil -o nsserversecurity -v [ on | off ]

To enable or disable RSA ciphers:

configutil -o encryption.rsa.nssslactivation -v [ on | off ]

To specify a token:

configutil -o encryption.rsa.nsssltoken -v tokenname

To specify a certificate:

configutil -o encryption.rsa.nssslpersonalityssl -v certname

Note that if you enable RSA ciphers, you must also specify a token (the security device that holds the server's private key) and a certificate (the personality the server presents to clients); without both, the server cannot complete an SSL handshake.

To choose a cipher preference:

configutil -o encryption.nsssl3ciphers -v cipherlist

where cipherlist is a comma-separated list of ciphers.
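The following shell script is an added example, not part of the Messaging Server guide or the product's own tooling. It turns Table 19–2 into a small lookup, builds a cipher list that excludes the weak entries, validates a candidate list before it is handed to configutil, and prints the configutil commands in the order the procedure above requires (token and certificate before RSA activation). The cipher identifiers (rsa_rc4_128_md5, rsa_3des_sha, and so on) are an assumption based on the naming convention used by other iPlanet and Netscape servers, and the token name internal and certificate name Server-Cert are placeholders; confirm all of them against the Introduction to SSL section of Managing Servers with iPlanet Console for your release before applying the output.

```shell
#!/bin/sh
# Added example (not from the Messaging Server guide): build and validate a
# cipher list for encryption.nsssl3ciphers and emit the configutil commands
# in dependency order. Cipher identifiers below are ASSUMED to follow the
# iPlanet/Netscape nsSSL3Ciphers convention; verify them for your release.

# Table 19-2 as "identifier:key-bits:description" (0 key bits = no encryption).
SUPPORTED_CIPHERS='
rsa_rc4_128_md5:128:RC4 128-bit, MD5 MAC
rsa_3des_sha:168:Triple DES 168-bit, SHA MAC
rsa_des_sha:56:DES 56-bit, SHA MAC
rsa_rc4_40_md5:40:RC4 40-bit, MD5 MAC
rsa_rc2_40_md5:40:RC2 40-bit, MD5 MAC
rsa_null_md5:0:no encryption, MD5 MAC only
'

# key_bits NAME: print the key length of a supported cipher; print nothing if
# the name is not in Table 19-2.
key_bits() {
    printf '%s\n' "$SUPPORTED_CIPHERS" | awk -F: -v n="$1" '$1 == n { print $2 }'
}

# strong_cipherlist MINBITS: comma-separated list of the ciphers whose key
# length is at least MINBITS, in the order of Table 19-2.
strong_cipherlist() {
    printf '%s\n' "$SUPPORTED_CIPHERS" \
      | awk -F: -v min="$1" \
          'NF == 3 && $2 + 0 >= min { printf "%s%s", sep, $1; sep = "," } END { print "" }'
}

# validate_cipherlist LIST: return 0 if every comma-separated name is in
# Table 19-2, 1 otherwise (first unknown name goes to stderr). Entries weaker
# than 128 bits are accepted but flagged, matching the strength note in the text.
validate_cipherlist() {
    old_ifs=$IFS
    IFS=,
    for c in $1; do
        bits=$(key_bits "$c")
        if [ -z "$bits" ]; then
            IFS=$old_ifs
            printf 'unknown cipher: %s\n' "$c" >&2
            return 1
        fi
        if [ "$bits" -lt 128 ]; then
            printf 'warning: %s offers only %s-bit encryption\n' "$c" "$bits" >&2
        fi
    done
    IFS=$old_ifs
    return 0
}

# emit_ssl_config TOKEN CERT LIST: print the configutil commands in the order
# the guide requires (token and certificate before RSA activation). The list
# is validated first so a typo never reaches the server configuration.
emit_ssl_config() {
    token=$1
    cert=$2
    list=$3
    validate_cipherlist "$list" || return 1
    printf 'configutil -o nsserversecurity -v on\n'
    printf 'configutil -o encryption.rsa.nsssltoken -v %s\n' "$token"
    printf 'configutil -o encryption.rsa.nssslpersonalityssl -v %s\n' "$cert"
    printf 'configutil -o encryption.rsa.nssslactivation -v on\n'
    printf 'configutil -o encryption.nsssl3ciphers -v %s\n' "$list"
}

# Usage: dry run with placeholder token and certificate names (assumed, not
# from the guide). Pipe the output into sh on the Messaging Server host to apply.
CIPHERS=$(strong_cipherlist 128)
emit_ssl_config "internal" "Server-Cert" "$CIPHERS"
```

The script only prints commands; nothing is changed until the output is executed on the server. Lowering the threshold passed to strong_cipherlist (for example to 56 or 40) re-admits the weaker entries for clients that cannot negotiate anything stronger, and validate_cipherlist then prints a warning for each of them so the trade-off is visible in the run log.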


Note –

To enable SSL encryption for outgoing messages, you must modify the channel definition to include the tls channel keywords, such as maytls, musttls, and so on. For more information, see the Transport Layer Security Manual.