The configuration of transport-layer security mechanisms is specified in IORs. Support for CSI is indicated within an IOR
profile by the presence of at most one TAG_CSI_SEC_MECH_LIST tagged component that defines the mechanism configuration pertaining
to the profile. This component contains a list of one or more CompoundSecMech structures, each of which defines the layer-specific
security mechanisms that comprise a compound mechanism that is supported by the target. This specification does not define
support for CSI mechanisms in multiple-component IOR profiles.
Each CompoundSecMech structure contains a transport_mech field that defines the transport-layer security mechanism of the
compound mechanism. A compound mechanism that does not implement security functionality at the transport layer shall contain
the TAG_NULL_TAG component in its transport_mech field. Otherwise, the transport_mech field shall contain a tagged component
that defines a transport protocol and its configuration. Section 24.5.1.3, “TAG_TLS_SEC_TRANS,” on
page 24-35 and Section 24.5.1.4, “TAG_SECIOP_SEC_TRANS,” on page 24-37
define valid transport-layer components that can be used in the transport_mech field.
24.4.2.1 Recommended SSL/TLS Ciphersuites
This specification recommends that implementations support the following ciphersuites
in addition to the mandatory ciphersuites identified in [IETF RFC 2246]. Of these
additional ciphersuites, those which use weak encryption keys are only recommended for use in environments where strong encryption
of SAS protocol elements (including GSSUP authenticators) and request arguments is not required. Some of the recommended ciphersuites
are known to be encumbered by licensing constraints.
• TLS_RSA_WITH_RC4_128_MD5
• SSL_RSA_WITH_RC4_128_MD5
• TLS_DHE_DSS_WITH_DES_CBC_SHA
• SSL_DHE_DSS_WITH_DES_CBC_SHA
• TLS_RSA_EXPORT_WITH_RC4_40_MD5
• SSL_RSA_EXPORT_WITH_RC4_40_MD5
• TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
• SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
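
The following is an added example, not part of the specification: it parses the ciphersuite names listed above and reports which ones fall below a minimum effective key size, as a configuration check for environments that do require strong encryption of SAS protocol elements and request arguments. The function names and the 128-bit default threshold are assumptions made for this example; the key sizes are those of the named bulk ciphers.

```python
import re

# Effective symmetric key size, in bits, of each bulk cipher named in the list above.
CIPHER_BITS = {"RC4_128": 128, "DES_CBC": 56, "RC4_40": 40, "DES40_CBC": 40}

# The eight recommended names, copied from the list above.
RECOMMENDED = [
    "TLS_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_MD5",
    "TLS_DHE_DSS_WITH_DES_CBC_SHA", "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
]

# <prefix>_<key exchange>[_EXPORT]_WITH_<bulk cipher>_<MAC>
NAME_RE = re.compile(
    r"^(?P<prefix>TLS|SSL)_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>MD5|SHA)$")


def parse_suite(name):
    """Split a ciphersuite name into its parts and look up its key size."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError("unrecognised ciphersuite name: %r" % name)
    kx, cipher = m["kx"], m["cipher"]
    export = kx.endswith("_EXPORT")
    if export:
        kx = kx[: -len("_EXPORT")]
    if cipher not in CIPHER_BITS:
        # Fail closed: an unknown cipher must not pass the check silently.
        raise ValueError("no key size known for cipher %r" % cipher)
    return {"prefix": m["prefix"], "key_exchange": kx, "export": export,
            "cipher": cipher, "mac": m["mac"], "key_bits": CIPHER_BITS[cipher]}


def weak_suites(names, min_bits=128):
    """Return the names whose effective key size is below min_bits.

    min_bits=128 is an assumed threshold for this example, not a value
    taken from the specification.
    """
    return sorted(n for n in names if parse_suite(n)["key_bits"] < min_bits)


if __name__ == "__main__":
    for name in RECOMMENDED:
        info = parse_suite(name)
        flag = "WEAK" if name in weak_suites([name]) else "ok"
        print("%-40s %3d bits  export=%-5s %s"
              % (name, info["key_bits"], info["export"], flag))
```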