Specifications

Working with Virtual Clusters
Equalizer Installation and Administration Guide 73
cluster that the request was received in HTTPS and unencrypted on Equalizer before being
forwarded to the cluster; see “Specifying a Custom Header for HTTPS Clusters” on page 85
for more information.
cipher suite applies to HTTPS clusters and is used to restrict cipher suites for incoming
HTTPS requests. If a client request comes into Equalizer that does not use a cipher in this list,
the connection is refused.
For an Equalizer with no Xcel SSL Accelerator Card installed, and for Xcel II (newer
generation) Cards, the following setting for cipher suite is used.
AES128-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5:AES256-SHA
For an Xcel I (older generation) SSL Accelerator Card, this field will contain:
DES-CBC3-SHA:RC4-SHA:RC4-MD5:AES256-SHA
In previous releases, the EXP-RC4-MD5 ciphers were included in cipher suite for older
browsers that only support 40-bit encryption. If some clients for your web services support
only 40-bit encryption, you can add EXP-RC4-MD5 to the cipher suite list.
Besides its use with Xcel, this field can also be used to specify a custom cipher suite required
by the servers in a cluster. For example, if your servers are required to support medium and
high encryption using SSLv3 only, you could specify the following string for cipher suite,
which will cause all non-SSLv3 client requests to be refused:
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:+SSLv3:+EXP:+eNULL
This field requires a string in the format of the Apache mod_ssl directive SSLCipherSuite;
see http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite for examples.
You can also clear out the contents of this field, and all client requests received that use a
cipher not supported by Xcel will still be accepted, but will be decrypted without using the
Xcel card. Requests using ciphers supported by Xcel will be processed by the Xcel card.
sub-daemon max applies to HTTPS clusters and is the maximum number of sub-daemons
servicing the cluster.
session cache timeout applies to HTTPS clusters and is the number of seconds that Equalizer
waits before disposing of an SSL session cache entry.
session cache kbytes applies to HTTPS clusters and is the maximum number of kilobytes allotted
to an SSL session cache.
client certificate verification depth applies to HTTPS clusters and indicates the depth to
which certificate checking is done on the client certificate chain. The default of 2 indicates
that the client certificate (level 0) and two levels above it (levels 1 and 2) are checked; any
certificates above level 2 in the chain are ignored. You should only need to increase this value
if the Certificate Authority that issued your certificate provided you with more than 2 chained
certificates in addition to your client certificate. See Appendix D, “HTTPS Cluster
Certificates”.
Note – EDH/DHE cipher suites which use ephemeral Diffie-Hellman keys are not
recommended. They will work, but if they are added to the cipher suite string, they will
have a major impact on performance. Cipher suites using elliptic curve (EC) cryptography
are not supported. Please see “Supported Cipher Suites” on page 185 in Appendix D,
“HTTPS Cluster Certificates”, for a list of cipher suites supported by Equalizer.
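To review a string before putting it in the cipher suite field described above, here is an added Python script (example code, not part of this guide or of Equalizer) that tokenizes an OpenSSL/mod_ssl-style cipher string, flags keywords that are weak by today's standards or, per the note above, costly on Xcel, and, where the local OpenSSL build accepts the string, shows the concrete suites it expands to. The weak/costly keyword tables and their labels are the example's own assumptions, and the local OpenSSL expansion may differ from Equalizer's build.

```python
import re
import ssl

# Cipher-list keywords a defender would flag, with a reason. The tables and
# labels are this example's assumptions, not categories defined by Equalizer.
WEAK = {
    "EXP": "export-grade (40-bit) suites", "EXPORT56": "export-grade suites",
    "RC4": "RC4 stream cipher", "MD5": "MD5 MAC",
    "DES-CBC3": "3DES", "eNULL": "no encryption",
    "aNULL": "no authentication", "ADH": "anonymous DH",
    "LOW": "OpenSSL LOW strength group", "SSLv2": "SSLv2 suites",
}
COSTLY = {k: "ephemeral DH: works, but slow on Xcel (per the guide)" for k in ("EDH", "DHE")}

def parse_cipher_string(spec):
    """Yield (modifier, token). OpenSSL modifiers: '!' removes for good, '-' removes
    (re-addable), '+' only moves already-selected matches to the end, '' adds."""
    for raw in re.split(r"[:,\s]+", spec.strip()):  # ':' separator; ',' and space also accepted
        if raw:
            mod = raw[0] if raw[0] in "!-+" else ""
            yield mod, raw[len(mod):]

def audit_cipher_string(spec):
    """Return [(token, status, reason)]: 'weak'/'costly' when a flagged keyword
    is added or kept ('' or '+'), 'excluded' when it is removed ('!' or '-')."""
    findings = []
    for mod, token in parse_cipher_string(spec):
        # 'RC4+RSA' means RC4 AND RSA; pad each side so 'EXP' does not match 'EXPORT56'
        comps = ["-%s-" % part for part in token.split("+")]
        for table, status in ((WEAK, "weak"), (COSTLY, "costly")):
            for key, reason in table.items():
                if any("-%s-" % key in c for c in comps):
                    findings.append((token, "excluded" if mod in ("!", "-") else status, reason))
    return findings

def expand_with_openssl(spec):
    """Concrete suite names the local OpenSSL selects for spec, or None if it rejects it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return None
    return [c["name"] for c in ctx.get_ciphers()]

if __name__ == "__main__":
    # Both strings are the ones quoted in the guide text above
    for spec in ("AES128-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5:AES256-SHA",
                 "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:+SSLv3:+EXP:+eNULL"):
        for finding in audit_cipher_string(spec):
            print(spec, "->", finding)
        print(spec, "-> local OpenSSL expands to", expand_with_openssl(spec))
```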