When setting up SSL offloading on a Foundry ServerIron 4G-SSL, the default installation allows weak ciphers (e.g. DES, 56-bit) and SSLv2. This is not a recommended setup, especially if you have to comply with certain security certifications, like PCI. The Foundry documentation does not give much information on the ciphers that are supported. Below are the commands to disable SSLv2 and allow only strong ciphers on an SSL-accelerated host.

To change the SSL profile of a virtual server, always follow these steps:

  1. Remove the ssl profile from the virtual server
  2. Change the ssl profile settings
  3. Enable the ssl profile on the virtual server


```
server virtual vservername
no port ssl ssl-terminate sslprofilename
exit

ssl profile sslprofilename
disable-ssl-v2
no cipher-suite all-cipher-suites
cipher-suite rsa-with-3des-ede-cbc-sha
cipher-suite rsa-with-aes-128-sha
cipher-suite rsa-with-aes-256-sha
cipher-suite rsa-with-rc4-128-md5
cipher-suite rsa-with-rc4-128-sha
exit

server virtual vservername
port ssl ssl-terminate sslprofilename
```
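To check saved profile settings against the commands above, here is an added example (not from the original post or from Foundry) that parses `ssl profile` blocks and flags any profile that leaves SSLv2 or `all-cipher-suites` enabled or turns on a suite outside an allowlist. The function name, the `legacyprofile` sample and the `example-weak-suite` placeholder are constructed, and the defaults (SSLv2 and all suites on until disabled) are an assumption based on the post's description.

```python
import re

# Assumption: the five suites this page enables; pass a tighter set per policy.
PAGE_ALLOWLIST = frozenset({
    "rsa-with-3des-ede-cbc-sha", "rsa-with-aes-128-sha", "rsa-with-aes-256-sha",
    "rsa-with-rc4-128-md5", "rsa-with-rc4-128-sha"})

# Constructed sample input; "example-weak-suite" is a placeholder name.
SAMPLE = """\
ssl profile sslprofilename
disable-ssl-v2
no cipher-suite all-cipher-suites
cipher-suite rsa-with-aes-128-sha
cipher-suite rsa-with-aes-256-sha
exit
ssl profile legacyprofile
no cipher-suite all-cipher-suites
cipher-suite example-weak-suite
exit
"""

def audit_ssl_profiles(config_text, allowed=PAGE_ALLOWLIST):
    """Return {profile: [findings]} for each 'ssl profile' block."""
    profiles, cur = {}, None
    for line in (raw.strip() for raw in config_text.splitlines()):
        if m := re.fullmatch(r"ssl profile (\S+)", line):
            # Assumed defaults, per the page: SSLv2 on, every suite enabled.
            cur = profiles.setdefault(
                m.group(1), {"v2": True, "all": True, "suites": set()})
        elif line == "exit" or line.startswith("server "):
            cur = None  # left the profile context
        elif cur is not None and line == "disable-ssl-v2":
            cur["v2"] = False
        elif cur is not None and (m := re.fullmatch(r"(no )?cipher-suite (\S+)", line)):
            negated, suite = bool(m.group(1)), m.group(2)
            if suite == "all-cipher-suites":
                cur["all"] = not negated
            elif negated:
                cur["suites"].discard(suite)
            else:
                cur["suites"].add(suite)
    report = {}
    for name, p in profiles.items():
        issues = ["SSLv2 still enabled"] if p["v2"] else []
        if p["all"]:
            issues.append("all-cipher-suites still enabled")
        issues += [f"suite not on allowlist: {s}" for s in sorted(p["suites"] - allowed)]
        report[name] = issues
    return report
```

An empty findings list means the profile matches the hardened settings; pass `allowed=` to enforce a stricter list than the one in this post.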
