This post provides an example of how to specify a custom Cipher Suite security level for Cisco UCS Manager. Cisco provides a custom Cipher Suite Mode, which allows you to specify a user-defined Cipher Suite specification string.
Navigate to Communication Management > Communication Services. In the HTTPS area, choose “Custom”; the Cipher Suite field then becomes editable. According to the Cisco document:
“cipher-suite-spec-string can contain up to 256 characters and must conform to the OpenSSL Cipher Suite specifications. You cannot use any spaces or special characters except ! (exclamation point), + (plus sign), - (hyphen), and : (colon).”
In this example, we will remove the weak cipher 3DES (Triple-DES encryption) from the Cipher Suite.
- Step 1, select the “High Strength” cipher suite and copy the cipher suite string, which looks like this:
ALL:!DH:!EDH:!ADH:!EXPORT40:!EXPORT56:!LOW:!MEDIUM:!eNULL:!RC4:+HIGH:+EXP
- Step 2, refer to http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite to find the tag for the cipher you want to remove. In this example, the tag for the 3DES cipher is simply 3DES.
- Step 3, append “:!3DES” to the end of the string from step 1, as shown below, and copy the result into the “Cipher Suite” field.
ALL:!DH:!EDH:!ADH:!EXPORT40:!EXPORT56:!LOW:!MEDIUM:!eNULL:!RC4:+HIGH:+EXP:!3DES
Apply the change and the new cipher suite will take effect.
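The steps above as an added Python example (not from the original post or from Cisco): it checks a cipher string against the length and character limits quoted from the Cisco document, then appends the `!3DES` exclusion from step 3. The function names are hypothetical, and reading "no special characters" as letters and digits only is an assumption.

```python
import re

MAX_LEN = 256  # limit quoted from the Cisco document
# Assumption: "no special characters" means letters and digits,
# plus the four characters the Cisco text allows: ! + - :
DISALLOWED = re.compile(r"[^A-Za-z0-9!+:-]")

def parse_rules(spec):
    """Split an OpenSSL cipher string into (operator, tag) pairs.

    Operator is '!' (remove permanently), '-' (remove, may be re-added),
    '+' (move to end of list) or '' (add).
    """
    rules = []
    for item in spec.split(":"):
        op = item[0] if item[:1] in ("!", "-", "+") else ""
        rules.append((op, item[len(op):]))
    return rules

def validate(spec):
    """Return a list of problems; an empty list means the string passes."""
    problems = []
    if len(spec) > MAX_LEN:
        problems.append(f"{len(spec)} characters, limit is {MAX_LEN}")
    bad = sorted(set(DISALLOWED.findall(spec)))
    if bad:
        problems.append(f"disallowed characters: {bad}")
    if any(tag == "" for _, tag in parse_rules(spec)):
        problems.append("empty rule (stray ':' or operator without a tag)")
    return problems

def permanently_excluded(spec):
    """Tags removed with '!', which later rules cannot add back."""
    return {tag for op, tag in parse_rules(spec) if op == "!"}

def exclude(spec, tag):
    """Append ':!TAG' unless already excluded; refuse an invalid result."""
    new = spec if tag in permanently_excluded(spec) else f"{spec}:!{tag}"
    problems = validate(new)
    if problems:
        raise ValueError("; ".join(problems))
    return new

# "High Strength" string as shown in step 1 of the post.
HIGH = "ALL:!DH:!EDH:!ADH:!EXPORT40:!EXPORT56:!LOW:!MEDIUM:!eNULL:!RC4:+HIGH:+EXP"

if __name__ == "__main__":
    print(exclude(HIGH, "3DES"))
```

In the OpenSSL format, `!` removes the matching ciphers permanently, so the exclusion works at the end of the string regardless of the rules before it; a `-3DES` rule would not give that guarantee.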
For details, refer to the Cisco document link below: