iTP Secure WebServer System Administrator's Guide (Version 7.0)
Configuring for Secure Transport
iTP Secure WebServer System Administrator’s Guide—523346-012
(SHA1), was developed by the U.S. government. For most applications, either cipher
provides sufficient security.
Negotiating Selection Among Available Ciphers
Use the -ciphers option to specify a Tcl list of ciphers that describes the bulk encryption
and hash algorithms the iTP Secure WebServer will use. If you do not specify the
-ciphers option, all the ciphers are set by default.
The cipher negotiated for the connection will be the first cipher on the Web client's list
that the server also supports. For example, if the Web client list (in order) is 1 2 3 4 and the
server list is 4 3 2, cipher 2 will be chosen because it is the first cipher present in the
Web client's list that is also present on the server list. This concept is illustrated in
Figure 4-1.
For a list of the cipher-hashing algorithms iTP Secure WebServer supports, see
AcceptSecureTransport on page A-6.
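The selection rule described above, written out as an added example (not code from the guide or from the product) that audits a server list against several client lists. The cipher names are those visible in Figure 4-1; the client and server lists, the function names, and the reading of an "EXP-" prefix as a 40-bit exportable cipher are assumptions made for illustration.

```python
# Added example: models the selection rule described in the text.
# Cipher names come from Figure 4-1; every list below is constructed sample data.

def negotiate(client_list, server_list):
    """Return the first cipher, in client order, that the server also lists."""
    allowed = set(server_list)
    for cipher in client_list:
        if cipher in allowed:
            return cipher
    return None  # the two lists have no cipher in common

def is_export_grade(cipher):
    # Assumption: an "EXP-" prefix marks a 40-bit (exportable) cipher.
    return cipher.startswith("EXP-")

def audit(server_list, client_lists):
    """For each client, report (negotiated cipher, whether it is export grade)."""
    report = {}
    for name, ciphers in client_lists.items():
        chosen = negotiate(ciphers, server_list)
        report[name] = (chosen, chosen is not None and is_export_grade(chosen))
    return report

# Constructed client preference lists (hypothetical clients).
CLIENTS = {
    "client-a": ["RC4-MD5", "RC2-CBC-SHA1", "EXP-RC4-MD5"],
    "client-b": ["EXP-RC4-MD5", "RC4-MD5"],
    "client-c": ["EXP-RC4-MD5"],
}
# Constructed server lists: one with the export cipher, one without it.
SERVER_WITH_EXPORT = ["RC2-CBC-SHA1", "RC4-MD5", "DES-CBC3-MD5", "EXP-RC4-MD5"]
SERVER_NO_EXPORT = [c for c in SERVER_WITH_EXPORT if not is_export_grade(c)]

if __name__ == "__main__":
    print(negotiate([1, 2, 3, 4], [4, 3, 2]))  # the numeric example from the text
    for label, server in (("with export", SERVER_WITH_EXPORT),
                          ("reordered", SERVER_WITH_EXPORT[::-1]),
                          ("no export", SERVER_NO_EXPORT)):
        print(label, audit(server, CLIENTS))
```

Because the client's order decides the outcome, reordering the server's list changes nothing; a cipher stops being negotiable only when it is left out of the server's list.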
Constraints on Cipher Use
The iTP Secure WebServer imposes these constraints:
• The nonexportable version of the iTP Secure WebServer supports the RC4/RC2
  ciphers that have either 40-bit or 128-bit keys.
• The exportable version of the iTP Secure WebServer supports the RC4/RC2
  ciphers that have 40-bit keys only.
Figure 4-1. Cipher Negotiation Between Web Client and Server Lists
[Figure: the Web Client List is compared to the Server List to determine which cipher is used.]