SSL support

The NAM Probe can analyze traffic encrypted with SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2. With the exception of compression, all other elements of the protocol are supported. Analysis can be performed using OpenSSL or any of a number of SSL accelerator cards.

SSL hardware support

The NAM Probe supports a number of SSL accelerator cards.

For the list of supported hardware accelerator cards see Tested Cards.

Supported SSL versions

  • SSL 3.0
  • TLS 1.0
  • TLS 1.1
  • TLS 1.2

Unsupported elements of the SSL protocol

  • Compression

Public key cryptography and key exchange algorithm support

Supported:

RSA

Conditionally supported:

RSA exported (depending on the key size. For more information, see Table 1. Cipher Suites Support on the NAM Probe.)

Unsupported:

DSA

Diffie-Hellman

Fortezza

Supported RSA keys

OpenSSL

1024, 2048, 4096, and 8192 bits in PEM format.

nFast accelerator

1024, 2048, and 4096 bits in PEM format.

nShield accelerator

1024, 2048, and 4096 bits embedded.

NITROX XL FIPS Acceleration Board

1024 and 2048 bits embedded.

Sun Crypto Accelerator 6000

1024 and 2048 bits embedded or in PEM format.

FIPS 140-2 level 3 support

FIPS 140-2 Level 3 is supported for the following cards:

  • NITROX XL FIPS Acceleration Board
  • nShield
  • Sun Crypto Accelerator 6000

Supported symmetric ciphers

  • RC2 (40, 56, 128)
  • RC4 (40, 56, 64, 128)
  • DES (40, 56)
  • 3DES (168)
  • AES (128, 256)

Supported hash functions

  • MD5
  • SHA1
  • SHA2 (RHEL6 required)

Cipher suite support on the NAM Probe

To see the list of all supported ciphers on your NAM Probe, go to rcon and run:

show ssldecr ciphers

Part of a sample output:

 + TLS1.0-RSA-RSA-SEED-CBC-128-SHA id=96 kex=RSA sig=RSA enc=SEED-CBC dig=SHA lib-supp=Y ref=10626
 + TLS1.0-RSA-RSA-AES-256-CBC-256-SHA id=35 kex=RSA sig=RSA enc=AES-256-CBC dig=SHA lib-supp=Y ref=6894
 - TLS1.0-DH-DSS-SEED-CBC-128-SHA id=97 kex=DH  sig=DSS enc=SEED-CBC dig=SHA lib-supp=Y ref=0

The + character indicates that the NAM Probe supports decoding of given SSL encoding algorithm.

The - character indicates that the NAM Probe does not support it.

The value of the ref attribute at the end of the line indicates the number of sessions encoded with a given SSL algorithm.

Cipher suites supported

OpenSSL Cipher Tag Key Exchange Symmetric Encryption Method Message Authentication Code AMD Support
EXP-RC4-MD5 RSA_EXP(512) RC4 MD5 Yes1
RC4-MD5 RSA RC4 MD5 Yes
RC4-SHA RSA RC4 SHA Yes
EXP-RC2-CBC-MD5 RSA_EXP(512) RC2 SHA No
IDEA-CBC-SHA RSA IDEA SHA No
EXP-DES-CBC-SHA RSA_EXP(512) DES SHA Yes1
DES-CBC-SHA RSA DES SHA Yes
DES-CBC3-SHA RSA DES3 SHA Yes
EXP-DH-DSS-DES-CBC-SHA DH DES SHA No
DH-DSS-DES-CBC-SHA DH DES SHA No
DH-DSS-DES-CBC3-SHA DH DES3 SHA No
EXP-DH-RSA-DES-CBC-SHA DH DES SHA No
DH-RSA-DES-CBC-SHA DH DES SHA No
DH-RSA-DES-CBC3-SHA DH DES3 SHA No
EXP-EDH-DSS-DES-CBC-SHA DH DES SHA No
EDH-DSS-DES-CBC-SHA DH DES SHA No
EDH-DSS-DES-CBC3-SHA DH DES3 SHA No
EXP-EDH-RSA-DES-CBC-SHA DH DES SHA No
EDH-RSA-DES-CBC-SHA DH DES SHA No
EDH-RSA-DES-CBC3-SHA DH DES3 SHA No
EXP-ADH-RC4-MD5 DH RC4 MD5 No
ADH-RC4-MD5 DH RC4 MD5 No
EXP-ADH-DES-CBC-SHA DH DES MD5 No
ADH-DES-CBC-SHA DH DES MD5 No
ADH-DES-CBC3-SHA DH DES3 MD5 No
EXP1024-RC4-MD5 RSA_EXP(1024) RC4 MD5 Yes1
EXP1024-RC2-CBC-MD5 RSA_EXP(1024) RC2 MD5 No
EXP1024-DES-CBC-SHA RSA_EXP(1024) DES SHA Yes1
EXP1024-DHE-DSS-DES-CBC-SHA DH DES SHA No
EXP1024-RC4-SHA RSA_EXP(1024) RC4 SHA Yes1
EXP1024-DHE-DSS-RC4-SHA DH RC2 SHA No
DHE-DSS-RC4-SHA DH RC4 SHA No
AES128-SHA RSA AES-128-CBC SHA Yes
AES128-SHA256 RSA AES-128-GCM SHA256 Yes3
AES128-SHA256 RSA AES-128-CBC SHA256 Yes
DH-DSS-AES128-SHA DH AES-128-CBC MD5 No
DH-RSA-AES128-SHA DH AES-128-CBC MD5 No
DHE-DSS-AES128-SHA DH AES-128-CBC MD5 No
DHE-RSA-AES128-SHA DH AES-128-CBC MD5 No
ADH-AES128-SHA DH AES-128-CBC MD5 No
AES256-SHA RSA AES-256-CBC SHA Yes
AES256-SHA256 RSA AES-256-CBC SHA256 Yes
AES256-SHA384 RSA AES-256-GCM SGA384 Yes3
DH-DSS-AES256-SHA DH AES-256-CBC MD5 No
DH-RSA-AES256-SHA DH AES-256-CBC MD5 No
DHE-DSS-AES256-SHA DH AES-256-CBC MD5 No
DHE-RSA-AES256-SHA DH AES-256-CBC MD5 No
ADH-AES256-SHA DH AES-256-CBC MD5 No
CAMELLIA128-SHA RSA CAM128-CBC SHA Yes2
CAMELLIA256-SHA RSA CAM256-CBC SHA Yes2
SEED-SHA RSA SEED-CBC SHA Yes2

1 Support for the key size within the imposed limit (see Key exchange column).

2 Supported on both RHEL 5 and 6, but for RHEL 5 it depends on the OpenSSL version: Camellia requires ver. 0.9.8c, SEED requires ver. 0.9.8f.

3 Requires OpenSSL 1.0.0h or later, bundled with RedHat 6.5. For releases RHEL5.x and RHEL6 earlier than RHEL6.5, update to RHEL6.7 or newer.