ECDSA cipher suites support 编辑
ECDSA cipher suites use elliptical curve cryptography (ECC). Because of its smaller size, it is helpful in environments where processing power, storage space, bandwidth, and power consumption are constrained.
When the ECDHE_ECDSA cipher group is used, the server’s certificate must contain an ECDSA-capable public key.
The following table lists the ECDSA ciphers that are supported on the Citrix ADC MPX and SDX appliances with N3 chips, Citrix ADC VPX appliances, MPX 5900/26000, and MPX/SDX 8900/15000 appliances.
Cipher Name | Priority | Description | Key Exchange Algorithm | Authentication Algorithm | Encryption Algorithm (Key Size) | Message Authentication Code (MAC) Algorithm | HexCode |
---|---|---|---|---|---|---|---|
TLS1-ECDHE-ECDSA-AES128-SHA | 1 | SSLv3 | ECC-DHE | ECDSA | AES(128) | SHA1 | 0xc009 |
TLS1-ECDHE-ECDSA-AES256-SHA | 2 | SSLv3 | ECC-DHE | ECDSA | AES(256) | SHA1 | 0xc00a |
TLS1.2-ECDHE-ECDSA-AES128-SHA256 | 3 | TLSv1.2 | ECC-DHE | ECDSA | AES(128) | SHA-256 | 0xc023 |
TLS1.2-ECDHE-ECDSA-AES256-SHA384 | 4 | TLSv1.2 | ECC-DHE | ECDSA | AES(256) | SHA-384 | 0xc024 |
TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 | 5 | TLSv1.2 | ECC-DHE | ECDSA | AES-GCM(128) | SHA-256 | 0xc02b |
TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 | 6 | TLSv1.2 | ECC-DHE | ECDSA | AES-GCM(256) | SHA-384 | 0xc02c |
TLS1-ECDHE-ECDSA-RC4-SHA | 7 | SSLv3 | ECC-DHE | ECDSA | RC4(128) | SHA1 | 0xc007 |
TLS1-ECDHE-ECDSA-DES-CBC3-SHA | 8 | SSLv3 | ECC-DHE | ECDSA | 3DES(168) | SHA1 | 0xc008 |
TLS1.2-ECDHE-ECDSA-CHACHA20-POLY1305 | 9 | TLSv1.2 | ECC-DHE | ECDSA | CHACHA20/POLY1305(256) | AEAD | 0xcca9 |
ECDSA/RSA cipher and certificate selection
You can bind both ECDSA and RSA server certificates at the same time to an SSL virtual server. When both ECDSA and RSA certificates are bound to the virtual server, it automatically selects the appropriate server certificate to present to the client. If the client cipher list includes RSA ciphers, but does not include ECDSA ciphers, the virtual server presents the RSA server certificate. If both ciphers are present in the client’s list, then the server certificate presented depends on the cipher priority set on the virtual server. That is, if RSA has a higher priority, the RSA certificate is presented. If ECDSA has a higher priority, the ECDSA certificate is presented to the client.
Client authentication by using an ECDSA or an RSA certificate
For client authentication, the CA certificate bound to the virtual server can be ECDSA or RSA signed. The appliance supports a mixed certificate chain. For example, the following certificate chain is supported.
Client certificate (ECDSA) <-> CA certificate (RSA) <-> Intermediate certificate (RSA) <-> Root certificate (RSA)
The following table shows the elliptical curves supported on the different Citrix ADC appliances with ECDSA cipher groups and ECDSA certificates:
Elliptical curves | Platforms supported |
---|---|
prime256v1 | All platforms, including FIPS. |
secp384r1 | All platforms, including FIPS. |
secp521r1 | MPX 5900, MPX/SDX 8900, MPX/SDX 15000, MPX/SDX 26000, VPX |
secp224r1 | MPX 5900, MPX/SDX 8900. MPX/SDX 15000, MPX/SDX 26000, VPX |
Create an ECDSA certificate-key pair
You can create an ECDSA certificate-key pair directly on a Citrix ADC appliance by using the CLI or the GUI. Earlier, you were able to install and bind an ECC certificate-key pair on the appliance, but you had to use OpenSSL to create a certificate-key pair.
Only P_256 and P_384 curves are supported.
Note
This support is available on all platforms except MPX 9700/1050/12500/15500.
To create an ECDSA certificate-key pair by using the CLI:
At the command prompt, type:
create ssl ecdsaKey <keyFile> -curve ( P_256 | P_384 ) [-keyform ( DER | PEM )] [-des | -des3] {-password } [-pkcs8]
<!--NeedCopy-->
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论