You are viewing an old version of this page. View the current version.
Compare with Current
View Page History
Version 1
Current »
Use DTLS Profile to configure various DTLS parameters attached to a SIP trunk group in support of WebRTC functionality.
Command Syntax
% set profiles security dtlsProfile <profile name>
CertName <cert name>
cipherSuite1 <cipher suite>
cipherSuite2 <cipher suite>
cipherSuite3 <cipher suite>
cookieExchange <disabled | enabled>
dtlsRole <client | server>
handshakeTimer <1-60 seconds>
hashType <md2 | md5 | sha1 | sha224 | sha256 | sha384 | sha512>
sessionResumpTimer <0-86400>
v1_0 <disabled | enabled>
v1_1 <disabled | enabled>
v1_2 <disabled | enabled>
Command Parameters
The DTLS Profile Parameters are as shown below:
Parameter | Length/Range | Description |
---|
dtlsProfile | 1-23 | <profile name> – Name of DTLS profile. |
CertName
| 1-23 | <profile name> – Name of the Certificate used by this DTLS profile (default = defaultDtlsSBCCert ).
|
cipherSuite1
| N/A | Use this parameter to specify the first TLS Cipher Suite choice for this profile (default = rsa-with-aes-128-cbc-sha ). See the table DTLS Profile - CLI#Supported DTLS Crypto Suites below for the list of cipher suites. |
cipherSuite2
| N/A | Use this optional parameter to specify the second TLS Cipher Suite choice for this profile (default = nosuite ). See the table DTLS Profile - CLI#Supported DTLS Crypto Suites below for the list of cipher suites. |
cipherSuite3
| N/A | Use this optional parameter to specify the third TLS Cipher Suite choice for this profile (default = nosuite ). See the table DTLS Profile - CLI#Supported DTLS Crypto Suites below for the list of cipher suites. |
cookieExchange | N/A | Use this flag to enable Cookie Exchange mechanism. disabled enabled (default)
|
dtlsRole | N/A | Specify DTLS role to use for this DTLS Profile. |
handshakeTimer
| 1-60 | The time (in seconds) in which the DTLS handshake must be completed. The timer starts when the TCP connection is established. (default = 5 ) |
hashType | N/A | The allowed DTLS hash function for the specified DTLS Profile (default = sha1 ) md2 | md5 | sha1 | sha224 | sha256 | sha384 | sha512
|
sessionResumpTimer
| 0-86400 | The DTLS session resumption period (in seconds) for which cached sessions are retained. DTLS protocol allows successive connections to be created within one DTLS session (and the resumption of a session after a DTLS connection is closed or after a server card failover) without repeating the entire authentication and other setup steps for each connection, except when the space must be reclaimed for a new session. (default = 300 ) |
v1_0 | N/A | DTLS protocol version 1.0 (see note below) disabled enabled (default)
|
v1_1 | N/A | DTLS protocol version 1.1 (see note below) disabled (default)
enabled
|
v1_2 | N/A | DTLS protocol version 1.2 (see note below) disabled (default)
enabled
|
Supported TLS/DTLS Crypto Suites
Authentication Mechanism | Public/Private Key Pair | Confidentiality Cipher and Mode | Integrity Cipher |
---|
RSA-WITH-NULL-SHA The integrity cipher used for the TLS Record protocol. | RSA | NULL | SHA-1 |
RSA-WITH-AES-128-CBC-SHA (default) Confidentiality cipher and mode for the TLS Record protocol. | RSA | AES-128-CBC | SHA-1 |
Confidentiality cipher and mode for the TLS Record protocol with SHA-256 as the hash function. | RSA | AES-128-CBC | SHA-256 |
RSA-WITH-AES-256-CBC-SHA Confidentiality cipher and mode for the TLS Record protocol with AES 256 encryption. | RSA | AES-256-CBC | SHA-1 |
RSA-WITH-AES-256-CBC-SHA-256* Confidentiality cipher and mode for the TLS Record protocol with AES 256 encryption and SHA-256 as the hash function. | RSA | AES-256-CBC | SHA-256 |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384** Confidentiality cipher and mode for the TLS Record with AES256 CBC and SHA384 as the hash function. | ECDH-ECDSA | AES-256-CBC | SHA-384 |
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384** Confidentiality cipher and mode for the TLS Record with AES256 GCM and SHA384 as the hash function. | ECDH-ECDSA | AES-256-GCM | SHA-384 |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384** Confidentiality cipher and mode for the TLS Record with AES256 GCM and SHA384 as the hash function. | ECDHE-ECDSA | AES-256-GCM | SHA-384 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Confidentiality cipher and mode for the TLS Record protocol using ECDHE (Elliptic Curve Diffie-Hellman key Exchange) with AES128 CBC and SHA as the hash function. | ECDHE-RSA | AES-128-CBC | SHA-1 |
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA-384* Confidentiality cipher and mode for the TLS Record protocol using ECDHE (Elliptic Curve Diffie-Hellman key Exchange) with AES256 CBC and SHA384 as the hash function. | ECDHE-RSA | AES-256-CBC | SHA-384 |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Confidentiality cipher and mode for the TLS Record protocol using ECDHE (Elliptic Curve Diffie-Hellman key Exchange) with AES128 GCM and SHA as the hash function. | ECDHE-RSA | AES-128-GCM | SHA-256 |
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA-384* Confidentiality cipher and mode for the TLS Record protocol using ECDHE (Elliptic Curve Diffie-Hellman key Exchange) with AES256 GCM and SHA384 as the hash function. | ECDHE-RSA | AES-256-GCM | SHA-384 |
TLS_RSA_WITH_AES_128_GCM_SHA256 Confidentiality cipher and mode for the TLS Record protocol with AES 128 GCM encryption and SHA-256 as the hash function. | RSA | AES_128_GCM | SHA256 |
TLS_RSA_WITH_AES_256_GCM_SHA384 Confidentiality cipher and mode for the TLS Record protocol with AES 256 GCM encryption and SHA-384 as the hash function. | RSA | AES_256_GCM | SHA384 |
* To use this cipher, TLS version 1.2 must be enabled in the TLS Profile.
** To use this cipher, TLS version 1.2 must be enabled in the TLS Profile and SSL certificates must be created using ECC keys.
Command Examples
% show profiles security dtlsProfile defaultDtlsProfile
handshakeTimer 5;
sessionResumpTimer 300;
cipherSuite1 rsa-with-aes-128-cbc-sha;
dtlsRole server;
hashType sha1;
CertName defaultDtlsSBCCert;
cookieExchange enabled;
v1_0 enabled;
v1_1 disabled;
v1_2 disabled;