vADC Forum

Reply
Occasional Contributor
Posts: 43
Registered: ‎11-26-2012

Configuring the SSL and TLS connections allowed by Zeus

(Originally posted June 12, 2006)

Frequent Contributor
Posts: 321
Registered: ‎11-29-2012

Re: Configuring the SSL and TLS connections allowed by Zeus

The Payment Card Industry, including Visa and Mastercard, require banks, merchants and Member Service Providers to protect cardholder information by adhering to a strict set of security standards. The Payment Card Industry security standard (PCI) includes MasterCard's Site Data Protection (SDP) program and Visa's Cardholder Information Security Program (CISP).


Selecting the SSL and TLS ciphers and protocols used

To fully comply with the security standards outlined by the Payment Card Industry you will need to restrict the SSL ciphers and protocol versions that ZXTM allows clients to use:

  • Disabling SSL version 2 in ZXTM
  • Enabling TLS 1.0 and 1.1 in ZXTM
  • Disabling SSL2 in the Zeus Admin Interface
  • Disabling Weak SSL3 Ciphers in the Zeus Admin Interface

Disabling Weak SSL3 Ciphers in ZXTM

Navigate to:

SYSTEM > GLOBAL SETTINGS > SSL CONFIGURATION

202i8D00FB8FB7AA3252.png

ZXTM's Cipher List

Enter the below ciphers:

SSL_RSA_WITH_RC4_128_SHASmiley FrustratedSL_RSA_WITH_RC4_128_MD5Smiley FrustratedSL_RSA_WITH_AES_256_CBC_SHA:
SSL_RSA_WITH_3DES_EDE_CBC_SHASmiley FrustratedSL_RSA_WITH_AES_128_CBC_SHA

Disabling SSL version 2 for client connections in ZXTM

Navigate to:

SYSTEM > GLOBAL SETTINGS > SSL CONFIGURATION

Disable the setting ssl!support_ssl2. SSL version 2 has known weaknesses. Enabling TLS 1.0 and 1.1 in ZXTM

Navigate to:

SYSTEM > GLOBAL SETTINGS > SSL CONFIGURATION

Enable the settings ssl!support_tls1 and ssl!support_tls1.1. Disabling SSL2 in the Zeus Admin Interface In $ZEUSHOME/admin/global.cfg enter:

tuning!support_ssl2 no

Disabling Weak SSL3 ciphers in the ZXTM Administrator Interface

In $ZEUSHOME/admin/global.cfg insert, on one continous line:

tuning!ssl3_ciphers
SSL_RSA_WITH_RC4_128_SHASmiley FrustratedSL_RSA_WITH_RC4_128_MD5Smiley FrustratedSL_RSA_WITH_AES_256_CBC_SHA:
SSL_RSA_WITH_3DES_EDE_CBC_SHASmiley FrustratedSL_RSA_WITH_AES_128_CBC_SHA

Please remember to re-start your admin server.

We recommend using:

$ZEUSHOME/admin/rc restart

Join the Community

Get quick and easy access to valuable resource designed to help you manage your Brocade Network.