iTP Secure WebServer System Administrators Guide (Version 7.5+)

Using Ciphers With the AcceptSecureTransport Directive
The iTP Secure WebServer allows you to specify the ciphers that you want the WebServer to
support. Specifying a particular cipher mode ensures the maximum security for each connection.
Encryption and integrity checking are controlled through the AcceptSecureTransport directive's
-ciphers argument. For details about the syntax and use of the -ciphers argument, see
"AcceptSecureTransport" (page 200).
In general, the ciphers you select depend on your use of the iTP Secure WebServer. For example,
for financial transactions and private personal data, the Camellia cipher provides the highest level
of security but limits the user base, because not all clients support Camellia. The AES cipher provides
a high level of security while maintaining compatibility with most clients. For basic-level privacy, RC4
generally provides enough security while optimizing for speed.
Hashing Ciphers Used by iTP Secure WebServer Ciphers
The ciphers for secure transport ports within iTP Secure WebServer can use three different hashing
algorithms. The first, called MD5, has been in wide use for many years in various Internet
applications. The second, called Secure Hash Algorithm (SHA1), was developed by the U.S.
government. For most applications, either algorithm provides sufficient security. Starting with iTP
Secure WebServer Release 7.5, a third hashing algorithm, SHA256, is supported.
Negotiating Selection Among Available Ciphers
Use the -ciphers option to specify a Tcl list of ciphers that describe the bulk encryption and hash
algorithms the iTP Secure WebServer will use. If you specify no -ciphers option, all the ciphers
are set by default.
The cipher negotiated for the connection will be the first cipher on the Web client's list supported
by the server. For example, if the Web client list (in order) is 1 2 3 4 and the server list is 4 3 2,
cipher 2 will be chosen because it is the first cipher present in the Web client's list that is also
present on the server list. This concept is illustrated in Figure 2 (page 76).
Figure 2 Cipher Negotiation Between Web Client and Server Lists
Web Client List (when this list...): 3DES-CBC-SHA1, AES-128-CBC-SHA1, CAMELLIA-CBC-SHA1, RC4-MD5
Server List (...is compared to this list...): RC4-MD5, 3DES-CBC-SHA1, AES-128-CBC-SHA1
This cipher is used: 3DES-CBC-SHA1
For a list of the cipher-hashing algorithms iTP Secure WebServer supports, see
"AcceptSecureTransport" (page 200).
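The negotiation rule above means the order of the server's -ciphers list does not express a preference; a cipher can only be kept off a connection by leaving it out of the list. The following added example (not code from the guide or the product) models that rule with the Figure 2 lists and audits a server list against a site policy. The client names, the extra client lists and the disallowed set are constructed assumptions.

```python
"""Model of the negotiation rule described above: the client's order decides."""

def negotiate(client_list, server_list):
    """Return the first cipher in the client's order that the server also
    lists, or None when the two lists share no cipher."""
    allowed = set(server_list)
    for cipher in client_list:
        if cipher in allowed:
            return cipher
    return None

def audit(server_list, clients, disallowed):
    """Return {client name: negotiated cipher} for every client that would
    end up on a cipher the site policy disallows, or on no cipher at all."""
    findings = {}
    for name, client_list in clients.items():
        chosen = negotiate(client_list, server_list)
        if chosen is None or chosen in disallowed:
            findings[name] = chosen
    return findings

# Lists taken from Figure 2.
FIG2_CLIENT = ["3DES-CBC-SHA1", "AES-128-CBC-SHA1", "CAMELLIA-CBC-SHA1", "RC4-MD5"]
FIG2_SERVER = ["RC4-MD5", "3DES-CBC-SHA1", "AES-128-CBC-SHA1"]

# Constructed client lists (hypothetical, for illustration only).
CLIENTS = {
    "figure2": FIG2_CLIENT,
    "rc4_first": ["RC4-MD5", "AES-128-CBC-SHA1"],
    "camellia_only": ["CAMELLIA-CBC-SHA1"],
}
POLICY_DISALLOWED = {"RC4-MD5"}  # assumed site policy, not from the guide

if __name__ == "__main__":
    print("Figure 2 result:", negotiate(FIG2_CLIENT, FIG2_SERVER))
    # Reordering the server list changes nothing: the client's order wins.
    print("Server reversed:", negotiate(FIG2_CLIENT, FIG2_SERVER[::-1]))
    print("Audit, as configured:", audit(FIG2_SERVER, CLIENTS, POLICY_DISALLOWED))
    # Removing the cipher from the server list is what takes it out of play.
    trimmed = [c for c in FIG2_SERVER if c not in POLICY_DISALLOWED]
    print("Audit, trimmed list:", audit(trimmed, CLIENTS, POLICY_DISALLOWED))
```

A client left with None in the audit shares no cipher with the server, which is the compatibility cost of a narrower list.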
Migrating the key database from iTP Secure WebServer 7.0 to 7.2 and later
The iTP Secure WebServer version 7.0 key database is not compatible with iTP Secure WebServer
7.2 and later versions. To migrate the key database from version 7.0, you must use the dbmigrate
utility distributed with iTP Secure WebServer.