/mcpTLS ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384: ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256: ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA SSH Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com, aes256-gcm@openssh.com SSH MAC hmac-sha2-512,hmac-sha2-256,hmac-sha1 SSH KEX ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, diffie-hellman-group14-sha1, diffie-hellman-group16-sha512, diffie-hellman-group14-sha256 SSH HostKey Algorithms rsa-sha2-512,rsa-sha2-256,ssh-rsa Configure Cipher String • Make sure you enter the cipher string in OpenSSL cipher string format in All TLS, SIP TLS, and HTTPS TLS fields. • Make sure that you also enter the ciphers or algorithms in OpenSSH format in SSH Ciphers,algorithms in SSH MAC, and SSH Key Exchange fields. • Review Recommended Ciphers, on page 115. To configure the cipher string on different secure interfaces, see the Cipher Restrictions section. Procedure Step 1 From Cisco Unified OS Administration, choose Security > Cipher Management. The Cipher Management page appears. Step 2 To configure the cipher string in All TLS, SIP TLS, or HTTPS TLS field, enter the cipher string in OpenSSL cipher string format in the Cipher String field. Step 3 If you don't configure the cipher string in the following fields: • All TLS or HTTPS TLS field—the HTTPS TLS interface port (8443) takes configuration from the Enterprise parameters (HTTPS ciphers) page. • All TLS or SIP TLS field—the SIP interface port (5061) takes configuration from the Enterprise parameters (TLS ciphers) page in encrypted mode and NULL-SHA ciphers in authenticated mode. Note If you don't configure the cipher string in the HTTPS TLS or SIP TLS field, the system takes the configuration from the All TLS field by default. Security Guide for Cisco Unified Communications Manager, Release 15 and SUs 116 Basic System Security Configure Cipher String