Features unavailable in Common Criteria mode
Some of the security features that are allowed in FIPS mode are disabled in Common Criteria mode. Note that the first three features listed below are not allowed in FIPS mode either.
- SSHv2: Host and client key generation methods using DSA and the RSA-1024 key size are not supported (only RSA 2048 and higher key sizes are supported). Therefore, the following commands are not supported:
  - crypto key generation dsa
  - crypto key client generation dsa
  - crypto key zero dsa
  - crypto key client zero dsa
  - crypto key gen rsa modulus 1024
  - crypto key zero rsa modulus 1024
- TLS and HTTPS: The RSA 1024 key size for SSL or TLS private key generation is not supported (NetIron devices support only 2048 and above key sizes).
- SSH key exchange: The SSH key exchange method Diffie-Hellman-Group1-Sha1 is not supported. Only Diffie-Hellman-Group14-Sha1 is supported.
- Common Criteria specific Syslog: Logging to a host that uses UDP for transport is not supported. Only the TLS host is supported. Therefore, the `logging host [ipv4] {ip-address} udp-port port` command is not supported.
- Common Criteria specific: For the RADIUS authentication server, UDP is not supported, and for TACACS+, TCP is not supported.
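As an added example (not part of the original documentation), the following Python audit scans a captured CLI transcript or configuration for the key-generation and syslog commands listed above and flags those that Common Criteria mode does not support. It generalizes the RSA rule to any modulus below 2048 bits, and it assumes the NetIron command syntax shown on this page; the sample input is constructed.

```python
import re

# Patterns derived from the unsupported-command list on this page.
# NetIron CLI syntax (and the optional "ipv4" keyword) is assumed.
DSA_KEY_CMD = re.compile(r"^\s*crypto key (?:client )?(?:gen(?:eration)?|zero) dsa\b")
RSA_KEY_CMD = re.compile(r"^\s*crypto key (?:client )?(?:gen(?:eration)?|zero) rsa modulus (\d+)\b")
UDP_SYSLOG_CMD = re.compile(r"^\s*logging host (?:ipv4 )?\S+ udp-port \d+")

MIN_RSA_BITS = 2048  # only RSA 2048 and higher is supported in Common Criteria mode


def audit_cc_mode(cli_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, command, reason) for each command not allowed in CC mode."""
    findings = []
    for lineno, line in enumerate(cli_text.splitlines(), start=1):
        if DSA_KEY_CMD.match(line):
            findings.append((lineno, line.strip(),
                             "DSA host/client key generation is not supported in Common Criteria mode"))
            continue
        m = RSA_KEY_CMD.match(line)
        if m:
            bits = int(m.group(1))
            if bits < MIN_RSA_BITS:
                findings.append((lineno, line.strip(),
                                 f"RSA modulus {bits} is below the {MIN_RSA_BITS}-bit minimum"))
            continue
        if UDP_SYSLOG_CMD.match(line):
            findings.append((lineno, line.strip(),
                             "syslog over UDP is not supported; only a TLS logging host is"))
    return findings


# Constructed sample transcript: one compliant RSA command, three forbidden
# key commands, one UDP syslog host and one host line without udp-port.
SAMPLE = """\
crypto key gen rsa modulus 2048
crypto key generation dsa
crypto key client zero dsa
crypto key gen rsa modulus 1024
logging host ipv4 192.0.2.10 udp-port 514
logging host 192.0.2.11
"""

if __name__ == "__main__":
    for lineno, cmd, reason in audit_cc_mode(SAMPLE):
        print(f"line {lineno}: {cmd!r}: {reason}")
```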