DTLS Profile - CLI

In this section:

Command Syntax

% set profiles security dtlsProfile <profile name> 
	CertName <cert name>
	cipherSuite1 <cipher suite> 
	cipherSuite2 <cipher suite> 
	cipherSuite3 <cipher suite>
	cookieExchange <disabled | enabled>
	dtlsRole <client | server>
	handshakeTimer <1-60 seconds> 
	hashType <md2 | md5 | sha1 | sha224 | sha256 | sha384 | sha512>
	sessionResumpTimer <0-86400>
	v1_0 <disabled | enabled>
    v1_1 <disabled | enabled>
    v1_2 <disabled | enabled>

Command Parameters

The DTLS Profile Parameters are as shown below:

DTLS Profile Parameters

Parameter	Length/Range	Description
`dtlsProfile`	1-23	`<profile name>` – Name of DTLS profile.
`CertName`	1-23	`<profile name>` – Name of the Certificate used by this DTLS profile (default = `defaultDtlsSBCCert`).
`cipherSuite1`	N/A	Use this parameter to specify the first TLS Cipher Suite choice for this profile (default = `rsa-with-aes-128-cbc-sha`). See the table Supported DTLS Crypto Suites below for the list of cipher suites.
`cipherSuite2`	N/A	Use this optional parameter to specify the second TLS Cipher Suite choice for this profile (default = `nosuite`). See the table Supported DTLS Crypto Suites below for the list of cipher suites.
`cipherSuite3`	N/A	Use this optional parameter to specify the third TLS Cipher Suite choice for this profile (default = `nosuite`). See the table Supported DTLS Crypto Suites below for the list of cipher suites.
`cookieExchange`	N/A	Use this flag to enable Cookie Exchange mechanism. `disabled` `enabled` (default)
`dtlsRole`	N/A	Specify DTLS role to use for this DTLS Profile. `client` `server` (default)
`handshakeTimer`	1-60	The time (in seconds) in which the DTLS handshake must be completed. The timer starts when the `TCP` connection is established. (default = `5`)
`hashType`	N/A	The allowed DTLS hash function for the specified DTLS Profile (default = `sha1`) `md2 \| md5 \| sha1 \| sha224 \| sha256 \| sha384 \| sha512`
`sessionResumpTimer`	0-86400	The DTLS session resumption period (in seconds) for which cached sessions are retained. DTLS protocol allows successive connections to be created within one DTLS session (and the resumption of a session after a DTLS connection is closed or after a server card failover) without repeating the entire authentication and other setup steps for each connection, except when the space must be reclaimed for a new session. (default = `300`)
`v1_0`	N/A	DTLS protocol version 1.0 (see note below) `disabled` `enabled` (default)
`v1_1`	N/A	DTLS protocol version 1.1 (see note below) `disabled` (default) `enabled`
`v1_2`	N/A	DTLS protocol version 1.2 (see note below) `disabled` (default) `enabled`

Supported DTLS Crypto Suites

Authentication Mechanism	Public/Private Key Pair	Confidentiality Cipher and Mode	Integrity Cipher
RSA-WITH-NULL-SHA The integrity cipher used for the TLS Record protocol.	RSA	NULL	SHA-1
RSA-WITH-AES-128-CBC-SHA (default) Confidentiality cipher and mode for the TLS Record protocol.	RSA	AES-128-CBC	SHA-1
RSA-WITH-AES-128-CBC-SHA-256 Confidentiality cipher and mode for the TLS Record protocol with SHA-256 as the hash function.	RSA	AES-128-CBC	SHA-256
RSA-WITH-AES-256-CBC-SHA Confidentiality cipher and mode for the TLS Record protocol with AES 256 encryption.	RSA	AES-256-CBC	SHA-1
RSA-WITH-AES-256-CBC-SHA-256* Confidentiality cipher and mode for the TLS Record protocol with AES 256 encryption and SHA-256 as the hash function.	RSA	AES-256-CBC	SHA-256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384** Confidentiality cipher and mode for the TLS Record with AES256 CBC and SHA384 as the hash function.	ECDH-ECDSA	AES-256-CBC	SHA-384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384** Confidentiality cipher and mode for the TLS Record with AES256 GCM and SHA384 as the hash function.	ECDH-ECDSA	AES-256-GCM	SHA-384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Confidentiality cipher and mode for the TLS Record protocol using ECDHE (Elliptic Curve Diffie-Hellman key Exchange) with AES128 CBC and SHA as the hash function.	ECDHE-RSA	AES-128-CBC	SHA-1
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA-384* Confidentiality cipher and mode for the TLS Record protocol using ECDHE (Elliptic Curve Diffie-Hellman key Exchange) with AES256 CBC and SHA384 as the hash function.	ECDHE-RSA	AES-256-CBC	SHA-384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Confidentiality cipher and mode for the TLS Record protocol using ECDHE (Elliptic Curve Diffie-Hellman key Exchange) with AES128 GCM and SHA as the hash function.	ECDHE-RSA	AES-128-GCM	SHA-256
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA-384* Confidentiality cipher and mode for the TLS Record protocol using ECDHE (Elliptic Curve Diffie-Hellman key Exchange) with AES256 GCM and SHA384 as the hash function.	ECDHE-RSA	AES-256-GCM	SHA-384
TLS_RSA_WITH_AES_128_GCM_SHA256 Confidentiality cipher and mode for the TLS Record protocol with AES 128 GCM encryption and SHA-256 as the hash function.	RSA	AES_128_GCM	SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384 Confidentiality cipher and mode for the TLS Record protocol with AES 256 GCM encryption and SHA-384 as the hash function.	RSA	AES_256_GCM	SHA384

* To use this cipher, TLS version 1.2 must be enabled in the TLS Profile.

** To use this cipher, TLS version 1.2 must be enabled in the TLS Profile and SSL certificates must be created using ECC keys.

Terms used in this table:

RSA – Authentication based on X.509 certificates using RSA public/private key pairs
AES-128 – Advanced Encryption Standard (128-bit key length)
CBC – Cipher Block Chaining
SHA – Secure Hash algorithm

Note

When FIPS-140-2 mode is enabled, do not use the rsa-with-null-sha option.

Note

SBC releases 5.1, 6.2 and 7.2 are officially FIPS-compliant.

Command Examples

% show profiles security dtlsProfile defaultDtlsProfile
handshakeTimer     5;
sessionResumpTimer 300;
cipherSuite1       rsa-with-aes-128-cbc-sha;
dtlsRole           server;
hashType           sha1;
CertName           defaultDtlsSBCCert;
cookieExchange     enabled;
v1_0               enabled;
v1_1               disabled;
v1_2               disabled;

Space shortcuts

Page tree

Command Syntax

Command Parameters

Command Examples