Parameter | Description
---|---
Name | The name assigned to this Transport Layer Security (TLS) profile. Must be 1 - 23 characters. For further details, refer to SBC Provisioning Limits.
App Auth Timer | Specifies the higher-layer authentication timer in seconds. Must be 1 - 60 seconds; the default is 5.
Handshake Timer | Specifies the time within which the TLS handshake must be completed. The timer starts when the TCP connection is established. Must be 1 - 60 seconds; the default is 5.
Session Resume Timer | Specifies the TLS session resumption period (in seconds) for which cached sessions are retained. TLS allows successive connections to be created within one TLS session and a session to be resumed after a TLS connection is closed or after a server card failover, without repeating the entire authentication and other setup steps for each connection, except when the space must be reclaimed for a new session. Must be 0 - 86,400 seconds; the default is 3600.
Cipher Suite1 | Specifies the first TLS Cipher Suite choice for this profile. The options are listed under "Cipher Suite options" below; the default is Rsa-with-aes-128-cbc-sha.
Cipher Suite2 | Specifies the second TLS Cipher Suite choice for this profile. The options are the same as for Cipher Suite1 (see "Cipher Suite options" below); the default is Rsa-with-aes-128-cbc-sha.
Cipher Suite3 | Specifies the third TLS Cipher Suite choice for this profile. The options are the same as for Cipher Suite1 (see "Cipher Suite options" below); the default is Rsa-with-aes-128-cbc-sha.
Allowed Roles | Specifies which role the SBC will act in for this TLS profile. The options are: clientandserver (default), server.
Auth Client | Indicates whether or not a TLS client is forced to authenticate itself within TLS.
Client Cert Name | Specifies the name of the default Client Certificate to be used by this TLS profile, created using the SECURITY PKI configuration object. Must be 1 - 23 characters or none.
Server Cert Name | Specifies the name of the Server Certificate to be used by this TLS profile, created using the SECURITY PKI configuration object. Must be 1 - 23 characters or none.
Acceptable Cert Validation Errors | Specifies whether certificate chain validation errors are acceptable while validating the peer certificate. The options are: Invalid Purpose, none (default).
Ocsp Profile Name | Specifies the name of the OCSP profile object referenced by this TLS profile.
V1_0 | TLS protocol version 1.0. The options are: Disabled, Enabled (default).
V1_1 | TLS protocol version 1.1. The options are: Disabled (default), Enabled.
V1_2 | TLS protocol version 1.2. The options are: Disabled (default), Enabled.
V1_3 | TLS protocol version 1.3. The options are: Disabled (default), Enabled. Enabling V1_3 requires one TLS V1.3 cipher suite.
Suppress Empty Fragments | If enabled, the SBC does not insert empty fragments while sending packets on a TLS over TCP connection. The options are: Disabled (default), Enabled.
Peer Name Verify | If enabled, the SBC verifies the value of the parameter TLS Peer Name. For details on TLS Peer Name, refer to Trunk Group - SIP Trunk Group. The options are: Disabled (default), Enabled.
Hash Type | Specifies the type of TLS hash function allowed for TLS sessions governed by this TLS profile. The options are: Md5, Sha1 (default), Sha224, Sha256, Sha384, Sha512.
Peer Cert Validate | This flag indicates whether or not received peer server certificates are validated. When set to False, unknown peer Root-CA/self-signed certificates are accepted without any validation. Available since release 12.1.2.

Cipher Suite options (shared by Cipher Suite1, Cipher Suite2 and Cipher Suite3):

- Nosuite
- Rsa-with-aes-128-cbc-sha (default) – Confidentiality cipher and mode for the TLS Record protocol.
- Rsa-with-aes-128-cbc-sha-256 – Confidentiality cipher and mode for the TLS Record protocol with SHA-256 as the hash function.
- Rsa-with-aes-256-cbc-sha – Confidentiality cipher and mode for the TLS Record protocol with AES 256 encryption.
- Rsa-with-aes-256-cbc-sha-256* – Confidentiality cipher and mode for the TLS Record protocol with AES 256 encryption and SHA-256 as the hash function.
- Rsa-with-null-sha – The integrity cipher used for the TLS Record protocol.
- Tls_ecdh_ecdsa_with_aes_256_cbc_sha384** – Confidentiality cipher and mode for the TLS Record protocol with AES256 CBC and SHA384 as the hash function.
- Tls_ecdh_ecdsa_with_aes_256_gcm_sha384** – Confidentiality cipher and mode for the TLS Record protocol with AES256 GCM and SHA384 as the hash function.
- Tls_ecdhe_rsa_with_aes_256_cbc_sha384* – Confidentiality cipher and mode for the TLS Record protocol using ECDHE (Elliptic Curve Diffie-Hellman key Exchange) with AES256 CBC and SHA384 as the hash function.
- tls_ecdhe_rsa_with_aes_128_cbc_sha – Confidentiality cipher and mode for the TLS Record protocol using ECDHE (Elliptic Curve Diffie-Hellman key Exchange) with AES128 CBC and SHA as the hash function.
- tls_ecdhe_rsa_with_aes_128_gcm_sha256 – Confidentiality cipher and mode for the TLS Record protocol using ECDHE (Elliptic Curve Diffie-Hellman key Exchange) with AES128 GCM and SHA-256 as the hash function.
- tls-ecdhe-rsa-with-aes-256-gcm-sha-384* – Confidentiality cipher and mode for the TLS Record protocol using ECDHE (Elliptic Curve Diffie-Hellman key Exchange) with AES256 GCM and SHA384 as the hash function.
- tls_rsa_with_aes_128_gcm_sha256 – Confidentiality cipher and mode for the TLS Record protocol with AES 128 GCM encryption and SHA-256 as the hash function.
- tls_rsa_with_aes_256_gcm_sha384 – Confidentiality cipher and mode for the TLS Record protocol with AES 256 GCM encryption and SHA-384 as the hash function.

\* To use this cipher, TLS version 1.2 must be enabled in the TLS Profile.

\*\* To use this cipher, TLS version 1.2 must be enabled in the TLS Profile and SSL certificates must be created using ECC keys.

NOTE: When Fips-140-3 mode is enabled, you cannot use Rsa-with-null-sha.

(See the Supported TLS/DTLS Crypto Suites table below for the list of cipher suites.)
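The constraints in the table (value ranges, cipher suite footnotes, the FIPS restriction on the null cipher, and the effect of Peer Cert Validate) lend themselves to an offline lint of a profile before it is provisioned. The following is an added example, not the SBC's own tooling: it represents a TLS profile as a plain dict whose camelCase keys mirror the parameter names (an assumption, not the SBC's CLI or REST syntax), takes the FIPS mode and the key type of the referenced certificates as inputs because neither is a profile field, and reports each violation as an ERROR and each weak-but-legal setting as a WARN.

```python
"""Lint an SBC TLS-profile dict against the constraints in the parameter table.

Added example; dict keys are assumed names mirroring the table, not SBC syntax.
"""

# Cipher suites as the table lists them (matched case-insensitively), mapped to
# their footnote: "*" = V1_2 must be enabled, "**" = V1_2 enabled plus ECC keys.
CIPHER_SUITES = {
    "nosuite": "", "rsa-with-aes-128-cbc-sha": "", "rsa-with-aes-128-cbc-sha-256": "",
    "rsa-with-aes-256-cbc-sha": "", "rsa-with-aes-256-cbc-sha-256": "*",
    "rsa-with-null-sha": "",
    "tls_ecdh_ecdsa_with_aes_256_cbc_sha384": "**",
    "tls_ecdh_ecdsa_with_aes_256_gcm_sha384": "**",
    "tls_ecdhe_rsa_with_aes_256_cbc_sha384": "*",
    "tls_ecdhe_rsa_with_aes_128_cbc_sha": "", "tls_ecdhe_rsa_with_aes_128_gcm_sha256": "",
    "tls-ecdhe-rsa-with-aes-256-gcm-sha-384": "*",
    "tls_rsa_with_aes_128_gcm_sha256": "", "tls_rsa_with_aes_256_gcm_sha384": "",
}
HASH_TYPES = {"md5", "sha1", "sha224", "sha256", "sha384", "sha512"}
ROLES = {"clientandserver", "server"}


def _name_ok(value, allow_none=False):
    """Name fields must be 1-23 characters (some may also be 'none')."""
    if allow_none and value == "none":
        return True
    return isinstance(value, str) and 1 <= len(value) <= 23


def _check_range(findings, profile, key, lo, hi):
    """Timers must be integers inside the documented range."""
    value = profile.get(key)
    if not isinstance(value, int) or not lo <= value <= hi:
        findings.append(f"ERROR: {key} must be {lo}-{hi} seconds, got {value!r}")


def lint_tls_profile(profile, fips_mode=False, ecc_certificates=False):
    """Return 'ERROR: ...' / 'WARN: ...' strings; an empty list means clean."""
    f = []
    if not _name_ok(profile.get("name")):
        f.append("ERROR: name must be 1-23 characters")
    _check_range(f, profile, "appAuthTimer", 1, 60)
    _check_range(f, profile, "handshakeTimer", 1, 60)
    _check_range(f, profile, "sessionResumeTimer", 0, 86400)
    for key in ("clientCertName", "serverCertName"):
        if not _name_ok(profile.get(key), allow_none=True):
            f.append(f"ERROR: {key} must be 1-23 characters or none")
    if profile.get("allowedRoles") not in ROLES:
        f.append("ERROR: allowedRoles must be clientandserver or server")

    v1_2 = bool(profile.get("v1_2"))
    for key in ("cipherSuite1", "cipherSuite2", "cipherSuite3"):
        suite = str(profile.get(key, "")).lower()
        note = CIPHER_SUITES.get(suite)
        if note is None:
            f.append(f"ERROR: {key}: unknown cipher suite {suite!r}")
            continue
        if note and not v1_2:                       # footnotes * and **
            f.append(f"ERROR: {key}: {suite} requires V1_2 to be enabled")
        if note == "**" and not ecc_certificates:   # footnote ** only
            f.append(f"ERROR: {key}: {suite} requires certificates created with ECC keys")
        if suite == "rsa-with-null-sha":
            if fips_mode:
                f.append(f"ERROR: {key}: Rsa-with-null-sha cannot be used in Fips-140-3 mode")
            f.append(f"WARN: {key}: Rsa-with-null-sha gives integrity only, no confidentiality")

    hash_type = str(profile.get("hashType", "")).lower()
    if hash_type not in HASH_TYPES:
        f.append(f"ERROR: hashType {hash_type!r} is not a supported hash type")
    elif hash_type == "md5":
        f.append("WARN: hashType Md5 is cryptographically broken (collisions)")
    for key in ("v1_0", "v1_1"):
        if profile.get(key):
            f.append(f"WARN: {key} enabled; TLS 1.0 and 1.1 are deprecated (RFC 8996)")
    if not profile.get("peerCertValidate", True):
        f.append("WARN: peerCertValidate False; unknown Root-CA/self-signed peers accepted unvalidated")
    return f


def summarize(findings):
    """Count (errors, warnings) in a findings list."""
    errors = sum(1 for x in findings if x.startswith("ERROR:"))
    return errors, len(findings) - errors


# Constructed sample profiles. BASELINE takes the table's defaults for the timers,
# protocol versions and hash type; the other two are variations for illustration.
BASELINE_PROFILE = {
    "name": "DEFAULT_TLS_PROFILE", "appAuthTimer": 5, "handshakeTimer": 5,
    "sessionResumeTimer": 3600, "cipherSuite1": "Rsa-with-aes-128-cbc-sha",
    "cipherSuite2": "Nosuite", "cipherSuite3": "Nosuite", "allowedRoles": "clientandserver",
    "clientCertName": "none", "serverCertName": "none", "v1_0": True, "v1_1": False,
    "v1_2": False, "v1_3": False, "hashType": "Sha1", "peerCertValidate": True,
}
HARDENED_PROFILE = dict(BASELINE_PROFILE, v1_0=False, v1_2=True, hashType="Sha256",
                        cipherSuite1="tls-ecdhe-rsa-with-aes-256-gcm-sha-384",
                        cipherSuite2="tls_ecdhe_rsa_with_aes_128_gcm_sha256")
BAD_PROFILE = dict(BASELINE_PROFILE, name="A" * 24, handshakeTimer=0, hashType="Md5",
                   cipherSuite1="Rsa-with-aes-256-cbc-sha-256",
                   cipherSuite2="Tls_ecdh_ecdsa_with_aes_256_gcm_sha384",
                   cipherSuite3="Rsa-with-null-sha", peerCertValidate=False)

if __name__ == "__main__":
    for label, prof in (("baseline", BASELINE_PROFILE), ("hardened", HARDENED_PROFILE),
                        ("bad", BAD_PROFILE)):
        print(label, summarize(lint_tls_profile(prof, fips_mode=True)))
        for line in lint_tls_profile(prof, fips_mode=True):
            print("  ", line)
```

Run against the baseline, the only finding is the warning that V1_0 is on, which is exactly what the documented defaults give you; the hardened variant lints clean because V1_2 is enabled for the starred suites and the obsolete versions are off; the bad variant shows how one ECDH-ECDSA suite triggers both the V1_2 and the ECC-key footnote at once, and how the FIPS input turns the null-cipher warning into an error.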