A cipher suite defines a set of technologies to secure your SSL/TLS communications:
- Key exchange algorithm (how the secret key used to encrypt the data is communicated from the client to the server). Examples: RSA key or Diffie-Hellman (DH)
- Authentication method (how hosts can authenticate the identity of remote hosts). Examples: RSA certificate, DSS certificate, or no authentication
- Encryption cipher (how to encrypt data). Examples: AES (256 or 128 bits), RC4 (128 bits or 56 bits), 3DES (168 bits), DES (56 or 40 bits), or null encryption
- Hash algorithm (ensuring data integrity by providing a way to determine whether data has been modified). Examples: SHA-1 or MD5
The supported cipher suites combine all these items. Default/Supported SSL/TLS cipher suites on VNX1 Control Station on page 92 lists the cipher suites supported by VNX1 for the Control Station. Default/Supported SSL/TLS cipher suites on VNX2 Control Station on page 93 lists the cipher suites supported by VNX2 for the Control Station. Default/Supported SSL/TLS cipher suites on VNX1 Storage Processor on page 93 lists the cipher suites supported by VNX1 for the Storage Processor. Default/Supported SSL/TLS cipher suites on VNX2 Storage Processor on page 93 lists the cipher suites supported by VNX2 for the Storage Processor. Default SSL/TLS cipher suites on VNX1 and VNX2 Data Mover on page 93 lists the default cipher suites used by VNX1 and VNX2 for the Data Mover. The supported cipher suites for VNX1 and VNX2 for the Data Mover are listed in Supported SSL/TLS cipher suites on VNX1 and VNX2 Data Mover on page 94. Default/Supported SSL/TLS cipher suites on VNX1 and VNX2 related to Replication on page 95 lists the cipher suites supported by VNX1 and VNX2 for Replication.
The following lists give the OpenSSL names of the SSL or TLS cipher suites for the different VNX components and their associated ports.
The following restrictions apply:
- NULL ciphers and all ADH cipher suites (because they do not allow authentication) are disabled by default.
- Some cipher suites will not be accepted by VNX for File because of certificate size (if the certificate presented by the Data Mover has a 2048-bit key, ciphers with a smaller key will be rejected).
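The four components listed above and the two restrictions can be checked mechanically from the OpenSSL suite names used in the tables that follow. The script below is an added example, not code from the VNX documentation: it splits each OpenSSL name into key exchange, authentication, cipher (with key length) and hash according to OpenSSL's naming conventions, then reports the suites that are anonymous (ADH), unencrypted (NULL), export-grade, below an assumed 112-bit key floor, MD5-based, or still negotiable over SSLv3. The sample rows are transcribed from this page's tables; the 112-bit threshold is an assumed policy value, not something the page states.

```python
"""Classify OpenSSL cipher-suite names and flag restricted or weak ones.

Added example; not part of the EMC VNX documentation. Parsing follows the
standard OpenSSL naming scheme (EXP- prefix, ADH-/DHE-/EDH- key exchange
prefixes, cipher token, hash suffix)."""
from dataclasses import dataclass

# Cipher token -> (cipher family, key bits). DES and RC4 drop to 40 bits in
# export-grade (EXP-) suites.
CIPHER_TOKENS = {
    "AES128": ("AES", 128),
    "AES256": ("AES", 256),
    "CAMELLIA128": ("Camellia", 128),
    "CAMELLIA256": ("Camellia", 256),
    "DES-CBC3": ("3DES", 168),
    "DES-CBC": ("DES", 56),
    "RC4": ("RC4", 128),
    "NULL": ("NULL", 0),
}
HASH_TOKENS = {"SHA": "SHA-1", "MD5": "MD5", "SHA256": "SHA-256", "SHA384": "SHA-384"}
MIN_KEY_BITS = 112  # assumed policy floor (the NIST SP 800-131A minimum strength)


@dataclass
class Suite:
    name: str
    key_exchange: str    # "RSA" (key transport) or "DHE" (ephemeral Diffie-Hellman)
    authentication: str  # "RSA", "DSS" or "none"
    cipher: str
    key_bits: int
    hash: str
    export: bool = False


def parse_suite(raw: str) -> Suite:
    """Split an OpenSSL suite name into its four cipher-suite components."""
    name = raw.upper().replace("_", "-")  # tolerate DES_CBC_SHA-style spellings
    rest = name
    export = rest.startswith("EXP-")
    if export:
        rest = rest[4:]
    # Key exchange / authentication prefix; a bare name means RSA key transport
    # authenticated by the server's RSA certificate.
    if rest.startswith("ADH-"):
        kx, auth, rest = "DHE", "none", rest[4:]
    elif rest.startswith(("DHE-RSA-", "EDH-RSA-")):
        kx, auth, rest = "DHE", "RSA", rest[8:]
    elif rest.startswith(("DHE-DSS-", "EDH-DSS-")):
        kx, auth, rest = "DHE", "DSS", rest[8:]
    else:
        kx, auth = "RSA", "RSA"
    rest, _, hash_tok = rest.rpartition("-")  # trailing token is the MAC hash
    if hash_tok not in HASH_TOKENS:
        raise ValueError(f"unknown hash in {raw!r}")
    if rest not in CIPHER_TOKENS:
        raise ValueError(f"unknown cipher in {raw!r}")
    cipher, bits = CIPHER_TOKENS[rest]
    if export and cipher in ("DES", "RC4"):
        bits = 40
    return Suite(name, kx, auth, cipher, bits, HASH_TOKENS[hash_tok], export)


def audit(raw: str, protocols=()) -> list:
    """Return the reasons a suite (and the protocols it is offered on) is objectionable."""
    s = parse_suite(raw)
    findings = []
    if s.authentication == "none":
        findings.append("anonymous DH: no server authentication (ADH suites disabled by default)")
    if s.cipher == "NULL":
        findings.append("NULL cipher: no encryption (disabled by default)")
    if s.export:
        findings.append("export-grade: 40-bit key")
    elif s.cipher != "NULL" and s.key_bits < MIN_KEY_BITS:
        findings.append(f"{s.cipher} {s.key_bits}-bit key: below the {MIN_KEY_BITS}-bit floor")
    if s.hash == "MD5":
        findings.append("MD5 MAC: collision-prone hash")
    if "SSLv3" in protocols:
        findings.append("SSLv3 negotiable: not permitted in FIPS mode")
    return findings


# Constructed sample: rows transcribed from the Data Mover and Replication tables on this page.
SAMPLE_ROWS = [
    ("AES128-SHA", ("SSLv3", "TLSv1")),
    ("DHE-RSA-AES256-SHA", ("SSLv3", "TLSv1")),
    ("DES-CBC-SHA", ("SSLv3", "TLSv1")),
    ("EXP-EDH-RSA-DES-CBC-SHA", ("SSLv3", "TLSv1")),
    ("ADH-AES128-SHA", ("SSLv3", "TLSv1")),
]


def audit_rows(rows) -> dict:
    """Map each suite name to its findings; an empty list means no objection."""
    return {name: audit(name, protos) for name, protos in rows}


if __name__ == "__main__":
    for name, findings in audit_rows(SAMPLE_ROWS).items():
        print(f"{name:28s} {'; '.join(findings) or 'ok'}")
```

Run against the full tables, the script reproduces the page's two restrictions (every ADH suite and any NULL suite is flagged) and additionally points at the single-DES, export-grade and SSLv3 rows that a hardening review would want to disable.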
Table 9 Default/Supported SSL/TLS cipher suites on VNX1 Control Station

Cipher Suites          Protocols                                    Ports
AES128-SHA             SSLv3 (non-FIPS mode only), TLSv1            443
AES256-SHA             SSLv3 (non-FIPS mode only), TLSv1            443
DES-CBC3-SHA           SSLv3 (non-FIPS mode only), TLSv1            443
DHE-RSA-AES128-SHA     SSLv3 (non-FIPS mode only), TLSv1            443
DHE-RSA-AES256-SHA     SSLv3 (non-FIPS mode only), TLSv1            443
EDH-RSA-DES-CBC3-SHA   SSLv3 (non-FIPS mode only), TLSv1            443
AES128-SHA             SSLv3 (non-FIPS mode only), TLSv1, TLSv1.1   5989
AES256-SHA             SSLv3 (non-FIPS mode only), TLSv1, TLSv1.1   5989
DES-CBC3-SHA           SSLv3 (non-FIPS mode only), TLSv1, TLSv1.1   5989

Table 10 Default/Supported SSL/TLS cipher suites on VNX2 Control Station

Cipher Suites          Protocols                                    Ports
AES128-SHA             SSLv3 (non-FIPS mode only), TLSv1            443
AES256-SHA             SSLv3 (non-FIPS mode only), TLSv1            443
DES-CBC3-SHA           SSLv3 (non-FIPS mode only), TLSv1            443
AES128-SHA             SSLv3 (non-FIPS mode only), TLSv1, TLSv1.1   5989
AES256-SHA             SSLv3 (non-FIPS mode only), TLSv1, TLSv1.1   5989
DES-CBC3-SHA           SSLv3 (non-FIPS mode only), TLSv1, TLSv1.1   5989
Table 11 Default/Supported SSL/TLS cipher suites on VNX1 Storage Processor

Cipher Suites          Protocols                                    Ports
AES128-SHA             SSLv3 (non-FIPS mode only), TLSv1, TLSv1.1   443
AES256-SHA             SSLv3 (non-FIPS mode only), TLSv1, TLSv1.1   443
DES-CBC3-SHA           SSLv3 (non-FIPS mode only), TLSv1, TLSv1.1   443
Table 12 Default/Supported SSL/TLS cipher suites on VNX2 Storage Processor

Cipher Suites          Protocols                                             Ports
AES128-SHA             SSLv3 (non-FIPS mode only), TLSv1, TLSv1.1, TLSv1.2   443
AES256-SHA             SSLv3 (non-FIPS mode only), TLSv1, TLSv1.1, TLSv1.2   443
DES-CBC3-SHA           SSLv3 (non-FIPS mode only), TLSv1, TLSv1.1, TLSv1.2   443

Table 13 Default SSL/TLS cipher suites on VNX1 and VNX2 Data Mover

Cipher Suites              Protocols      Ports
AES128-SHA                 SSLv3, TLSv1   990, 5080
AES256-SHA                 SSLv3, TLSv1   990, 5080
CAMELLIA128-SHA            SSLv3, TLSv1   990, 5080
CAMELLIA256-SHA            SSLv3, TLSv1   990, 5080
DES-CBC-SHA                SSLv3, TLSv1   990, 5080
DES-CBC3-SHA               SSLv3, TLSv1   990, 5080
DHE-RSA-AES128-SHA         SSLv3, TLSv1   990, 5080
DHE-RSA-AES256-SHA         SSLv3, TLSv1   990, 5080
DHE-RSA-CAMELLIA128-SHA    SSLv3, TLSv1   990, 5080
DHE-RSA-CAMELLIA256-SHA    SSLv3, TLSv1   990, 5080
EDH-RSA-DES-CBC-SHA        SSLv3, TLSv1   990, 5080
EDH-RSA-DES-CBC3-SHA       SSLv3, TLSv1   990, 5080
Table 14 Supported SSL/TLS cipher suites on VNX1 and VNX2 Data Mover

Cipher Suites              Protocols
AES128-SHA                 SSLv3, TLSv1
AES256-SHA                 SSLv3, TLSv1
CAMELLIA128-SHA            SSLv3, TLSv1
CAMELLIA256-SHA            SSLv3, TLSv1
DES-CBC3-SHA               SSLv3, TLSv1
DES-CBC-SHA                SSLv3, TLSv1
DHE-DSS-AES128-SHA         SSLv3, TLSv1
DHE-DSS-AES256-SHA         SSLv3, TLSv1
DHE-DSS-CAMELLIA128-SHA    SSLv3, TLSv1
DHE-DSS-CAMELLIA256-SHA    SSLv3, TLSv1
DHE-RSA-AES128-SHA         SSLv3, TLSv1
DHE-RSA-AES256-SHA         SSLv3, TLSv1
DHE-RSA-CAMELLIA128-SHA    SSLv3, TLSv1
DHE-RSA-CAMELLIA256-SHA    SSLv3, TLSv1
EDH-DSS-DES-CBC3-SHA       SSLv3, TLSv1
EDH-DSS-DES-CBC-SHA        SSLv3, TLSv1
EDH-RSA-DES-CBC3-SHA       SSLv3, TLSv1
EDH-RSA-DES-CBC-SHA        SSLv3, TLSv1
EXP-DES-CBC-SHA            SSLv3, TLSv1
EXP-EDH-DSS-DES-CBC-SHA    SSLv3, TLSv1
EXP-EDH-RSA-DES-CBC-SHA    SSLv3, TLSv1
If required, the Data Mover cipher parameter can be changed from the default setting either through Unisphere or through the VNX CLI for File commands server_ftp and server_http. For more information about setting the Data Mover cipher parameter, refer to the Unisphere online help or the VNX Command Line Interface Reference for File.
Table 15 Default/Supported SSL/TLS cipher suites on VNX1 and VNX2 related to Replication

Cipher Suites              Protocols      Ports
ADH-AES128-SHA             SSLv3, TLSv1   5085
ADH-AES256-SHA             SSLv3, TLSv1   5085
ADH-CAMELLIA128-SHA        SSLv3, TLSv1   5085
ADH-CAMELLIA256-SHA        SSLv3, TLSv1   5085
ADH-DES-CBC3-SHA           SSLv3, TLSv1   5085
ADH-DES-CBC-SHA            SSLv3, TLSv1   5085