Chapter 1 SSL Configuration Commands
1.1 SSL Configuration Commands
1.1.1 ciphersuite
Syntax
ciphersuite [ rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *
View
SSL server policy view
Parameter
rsa_3des_ede_cbc_sha: Specifies RSA as the key exchange algorithm, 3DES_EDE_CBC as the data encryption algorithm and SHA as the MAC (message authentication code) algorithm.
rsa_aes_128_cbc_sha: Specifies RSA as the key exchange algorithm, 128-bit AES_CBC as the data encryption algorithm and SHA as the MAC algorithm.
rsa_aes_256_cbc_sha: Specifies RSA as the key exchange algorithm, 256-bit AES_CBC as the data encryption algorithm and SHA as the MAC algorithm.
rsa_des_cbc_sha: Specifies RSA as the key exchange algorithm, DES_CBC as the data encryption algorithm and SHA as the MAC algorithm.
rsa_rc4_128_md5: Specifies RSA as the key exchange algorithm, 128-bit RC4 as the data encryption algorithm and MD5 as the MAC algorithm.
rsa_rc4_128_sha: Specifies RSA as the key exchange algorithm, 128-bit RC4 as the data encryption algorithm and SHA as the MAC algorithm.
Description
Use the ciphersuite command to configure the cipher suites supported by an SSL server policy.
By default, an SSL server policy supports all six cipher suites listed above.
If no parameter is specified, the policy likewise supports all six cipher suites.
Example
# Specify the cipher suites supported by an SSL server policy as rsa_rc4_128_md5 and rsa_rc4_128_sha.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] ciphersuite rsa_rc4_128_md5 rsa_rc4_128_sha
1.1.2 client-verify enable
Syntax
client-verify enable
undo client-verify enable
View
SSL server policy view
Parameter
None
Description
Use the client-verify enable command to enable certificate-based SSL client authentication, so that during the SSL handshake the server authenticates the client by its certificate.
Use the undo client-verify enable command to restore the default.
By default, certificate-based SSL client authentication is disabled.
Example
# Configure the server to authenticate the client by certificate during the handshake.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] client-verify enable
1.1.3 close-mode wait
Syntax
close-mode wait
undo close-mode wait
View
SSL server policy view
Parameter
None
Description
Use the close-mode wait command to set the close mode of SSL connections to wait: after sending a close-notify alert message to a client, the server does not close the session until it receives a close-notify alert message from the client.
Use the undo close-mode wait command to restore the default.
By default, the server sends a close-notify alert message to the client and closes the session without waiting for the close-notify alert message from the client.
Example
# Set the close mode for an SSL connection to wait.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] close-mode wait
1.1.4 display ssl client-policy
Syntax
display ssl client-policy { policy-name | all }
View
Any view
Parameter
policy-name: Displays information about the specified SSL client policy.
all: Displays information about all SSL client policies.
Description
Use the display ssl client-policy command to view information about one or all SSL client policies.
Example
# Display information about SSL client policy policy1.
<Sysname> display ssl client-policy policy1
SSL Client Policy: policy1
SSL Version: SSL 3.0
PKI Domain: 1
Prefer Ciphersuite:
RSA_RC4_128_SHA
Table 1-1 Description on the fields of the display ssl client-policy command

| Field | Description |
|---|---|
| SSL Client Policy | SSL client policy name |
| SSL Version | Version of the protocol adopted by the SSL client policy |
| PKI Domain | PKI domain adopted by the SSL client policy |
| Prefer Ciphersuite | Preferred cipher suite for the SSL client policy |
1.1.5 display ssl server-policy
Syntax
display ssl server-policy { policy-name | all }
View
Any view
Parameter
policy-name: Displays information about the specified SSL server policy, a string of 1 to 16 characters.
all: Displays information about all SSL server policies.
Description
Use the display ssl server-policy command to view information about a specified or all SSL server policies.
Example
# Display information about SSL server policy policy1.
<Sysname> display ssl server-policy policy1
SSL Server Policy: policy1
PKI Domain: domain1
Ciphersuite:
RSA_RC4_128_MD5
RSA_RC4_128_SHA
RSA_DES_CBC_SHA
RSA_3DES_EDE_CBC_SHA
RSA_AES_128_CBC_SHA
RSA_AES_256_CBC_SHA
Handshake Timeout: 3600
Close-mode: wait disabled
Session Timeout: 3600
Session Cachesize: 500
Client-verify: disabled
Table 1-2 Description on the fields of the display ssl server-policy command

| Field | Description |
|---|---|
| SSL Server Policy | SSL server policy name |
| PKI Domain | PKI domain to which the SSL server policy belongs |
| Ciphersuite | Cipher suites supported by the SSL server policy |
| Handshake Timeout | Handshake timeout time specified in the SSL server policy |
| Close-mode | Close mode specified in the SSL server policy |
| Session Timeout | Session timeout time specified in the SSL server policy |
| Session Cachesize | Maximum number of sessions that can be buffered in the SSL server policy |
| Client-verify | Client authentication mode specified in the SSL server policy |
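The two display commands above print the effective policy in a fixed line format. As an added example that is not part of this manual, the following Python script parses that format (both the server output and the client output with its Prefer Ciphersuite field) and flags settings an operator would want to review: suites built on RC4, DES or MD5, client certificate verification left disabled, and a client policy pinned to SSL 3.0. The sample output is constructed from the page's own example, and the weak-suite baseline is the script author's assumption, not a rule stated by the manual.

```python
import re
# Constructed sample in the format of "display ssl server-policy" on this page.
SAMPLE_SERVER_POLICY = """\
SSL Server Policy: policy1
PKI Domain: domain1
Ciphersuite:
RSA_RC4_128_MD5
RSA_RC4_128_SHA
RSA_DES_CBC_SHA
RSA_3DES_EDE_CBC_SHA
RSA_AES_128_CBC_SHA
RSA_AES_256_CBC_SHA
Handshake Timeout: 3600
Close-mode: wait disabled
Session Timeout: 3600
Session Cachesize: 500
Client-verify: disabled
"""
# Suite names on this page decompose into key exchange _ cipher _ MAC.
SUITE_RE = re.compile(r"^(RSA)_(RC4_128|DES_CBC|3DES_EDE_CBC|AES_(?:128|256)_CBC)_(MD5|SHA)$")
WEAK_CIPHERS = {"RC4_128", "DES_CBC"}   # assumption: baseline rejects RC4 and 56-bit DES
WEAK_MACS = {"MD5"}                     # assumption: baseline rejects MD5-based MACs

def parse_policy(text):
    """Parse 'Key: value' lines; a '...Ciphersuite:' header collects the suite names that follow it."""
    policy, list_key = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if list_key and SUITE_RE.match(line):
            policy[list_key].append(line)
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        is_list = key.endswith("Ciphersuite") and not value
        list_key = key if is_list else None
        policy[key] = [] if is_list else value
    return policy

def audit_policy(policy):
    """Return findings for a parsed server or client policy; an empty list passes the baseline."""
    findings = []
    suites = policy.get("Ciphersuite", []) + policy.get("Prefer Ciphersuite", [])
    for suite in suites:
        _, cipher, mac = SUITE_RE.match(suite).groups()
        if cipher in WEAK_CIPHERS or mac in WEAK_MACS:
            findings.append(f"weak cipher suite enabled: {suite}")
    if policy.get("Client-verify") == "disabled":
        findings.append("client certificate authentication disabled")
    if policy.get("SSL Version", "").startswith("SSL 3"):
        findings.append("SSL 3.0 selected; prefer TLS")
    return findings
```

Run against the sample, the audit reports the three RC4/DES suites plus the disabled client verification; pasting real display output in place of the sample gives the same check for a deployed policy.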
1.1.6 handshake timeout
Syntax
handshake timeout time
undo handshake timeout
View
SSL server policy view
Parameter
time: Handshake timeout time, in the range 180 to 7200 seconds.
Description
Use the handshake timeout command to configure the handshake timeout time in an SSL server policy.
Use the undo handshake timeout command to restore the default.
By default, the handshake timeout time specified in an SSL server policy is 3600 seconds.
Example
# Configure the handshake timeout time in SSL server policy policy1 as 3000 seconds.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] handshake timeout 3000
1.1.7 pki-domain
Syntax
pki-domain domain-name
undo pki-domain
View
SSL server policy view / SSL client policy view
Parameter
domain-name: Name of a PKI domain, a string of 1 to 15 characters.
Description
Use the pki-domain command to configure the PKI domain used by an SSL server policy or SSL client policy.
Use the undo pki-domain command to restore the default.
By default, no PKI domain is configured for an SSL server policy or SSL client policy.
Example
# Configure the PKI domain used by SSL server policy policy1 as server-domain.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] pki-domain server-domain
# Configure the PKI domain used by SSL client policy policy1 as client-domain.
<Sysname> system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1] pki-domain client-domain
1.1.8 prefer-cipher
Syntax
prefer-cipher { rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }
undo prefer-cipher
View
SSL client policy view
Parameter
rsa_3des_ede_cbc_sha: Specifies RSA as the key exchange algorithm, 3DES_EDE_CBC as the data encryption algorithm and SHA as the MAC algorithm.
rsa_aes_128_cbc_sha: Specifies RSA as the key exchange algorithm, 128-bit AES_CBC as the data encryption algorithm and SHA as the MAC algorithm.
rsa_aes_256_cbc_sha: Specifies RSA as the key exchange algorithm, 256-bit AES_CBC as the data encryption algorithm and SHA as the MAC algorithm.
rsa_des_cbc_sha: Specifies RSA as the key exchange algorithm, DES_CBC as the data encryption algorithm and SHA as the MAC algorithm.
rsa_rc4_128_md5: Specifies RSA as the key exchange algorithm, 128-bit RC4 as the data encryption algorithm and MD5 as the MAC algorithm.
rsa_rc4_128_sha: Specifies RSA as the key exchange algorithm, 128-bit RC4 as the data encryption algorithm and SHA as the MAC algorithm.
Description
Use the prefer-cipher command to configure the preferred cipher suite for an SSL client policy.
Use the undo prefer-cipher command to restore the default.
By default, the preferred cipher suite for an SSL client policy is rsa_rc4_128_md5.
Example
# Configure the preferred cipher suite for SSL client policy policy1 as rsa_aes_256_cbc_sha.
<Sysname> system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1] prefer-cipher rsa_aes_256_cbc_sha
1.1.9 session
Syntax
session { cachesize size | timeout time } *
undo session { cachesize | timeout } *
View
SSL server policy view
Parameter
size: Maximum number of sessions that can be buffered, in the range 100 to 1000.
time: Session timeout time, in the range 1800 to 72000 seconds.
Description
Use the session command to configure the maximum number of sessions that can be buffered and the session timeout time.
Use the undo session command to restore the default.
By default, the maximum number of sessions that can be buffered is 500 and the session timeout time is 3600 seconds.
SSL stops buffering new sessions once the maximum session number is reached, and removes a buffered session once it times out.
Example
# Configure the timeout time for buffered sessions as 4000 seconds, and the maximum session number as 600.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] session timeout 4000 cachesize 600
1.1.10 ssl client-policy
Syntax
ssl client-policy policy-name
undo ssl client-policy { policy-name | all }
View
System view
Parameter
policy-name: SSL client policy name, a case-insensitive string of 1 to 16 characters, which cannot be “a”, “al” or “all”.
all: All SSL client policies.
Description
Use the ssl client-policy command to create an SSL client policy and enter its view.
Use the undo ssl client-policy command to remove a specified or all SSL client policies.
Example
# Create an SSL client policy named policy1 and enter its view.
<Sysname> system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1]
1.1.11 ssl server-policy
Syntax
ssl server-policy policy-name
undo ssl server-policy { policy-name | all }
View
System view
Parameter
policy-name: SSL server policy name, a case-insensitive string of 1 to 16 characters, which cannot be “a”, “al” or “all”.
all: All SSL server policies.
Description
Use the ssl server-policy command to create an SSL server policy and enter its view.
Use the undo ssl server-policy command to remove a specified or all SSL server policies.
Example
# Create an SSL server policy named policy1 and enter its view.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1]
1.1.12 version
Syntax
version { ssl3.0 | tls1.0 }
undo version
View
SSL client policy view
Parameter
ssl3.0: SSL version SSL 3.0.
tls1.0: SSL version TLS 1.0.
Description
Use the version command to configure the SSL protocol version adopted by an SSL client policy.
Use the undo version command to restore the default.
By default, the SSL protocol version adopted by an SSL client policy is TLS 1.0.
Example
# Configure the SSL protocol version for SSL client policy policy1 as SSL 3.0.
<Sysname> system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1] version ssl3.0
Chapter 2 HTTPS Configuration Commands
2.1 HTTPS Configuration Commands
2.1.1 display ip https
Syntax
display ip https
View
Any view
Parameter
None
Description
Use the display ip https command to display information about the HTTPS service.
Example
# Display information about HTTPS.
<Sysname> display ip https
SSL server policy: test
Certificate access-control-policy:
Basic ACL: 2222
Current connection: 0
Operation status: Running
Table 2-1 Description on the fields of the display ip https command

| Field | Description |
|---|---|
| SSL server policy | SSL server policy associated with the HTTPS service |
| Certificate access-control-policy | Certificate attribute access control policy associated with the HTTPS service |
| Basic ACL | Basic ACL number associated with the HTTPS service |
| Current connection | Number of current connections |
| Operation status | Operation status of the HTTPS service |
2.1.2 ip https acl
Syntax
ip https acl acl-number
undo ip https acl
View
System view
Parameter
acl-number: Basic ACL number, in the range 2000 to 2999.
Description
Use the ip https acl command to associate the HTTPS service with an ACL.
Use the undo ip https acl command to remove the association.
By default, the HTTPS service is not associated with any ACL.
Example
# Configure the HTTPS service to allow only clients within the 10.10.0.0/16 network segment to access the HTTPS server.
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 10.10.0.0 0.0.255.255
[Sysname-acl-basic-2001] quit
[Sysname] ip https acl 2001
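The rule above restricts the HTTPS service by source address using a wildcard mask (0.0.255.255), which is the bitwise inverse of a subnet mask. As an added example, not part of this manual, the following Python code evaluates a basic ACL rule list the way that rule is written and converts CIDR notation into the address/wildcard pair the rule syntax takes. The rule list is constructed from the page's ACL 2001; the deny-when-unmatched behaviour is an assumption for this model, not something the manual states.

```python
import ipaddress

def wildcard_match(addr, rule_addr, wildcard):
    """Basic ACL wildcard semantics: a 1 bit in the mask means 'ignore this
    address bit', a 0 bit means 'must equal the rule address'."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF  # bits that are compared
    return (a & care) == (r & care)

def cidr_to_wildcard(cidr):
    """Convert 10.10.0.0/16 into the ('10.10.0.0', '0.0.255.255') pair the rule takes."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)

def https_acl_permits(src, rules):
    """Evaluate (action, rule_addr, wildcard) tuples in order; first match wins.
    Assumption made here: a source that matches no rule is denied."""
    for action, rule_addr, wildcard in rules:
        if wildcard_match(src, rule_addr, wildcard):
            return action == "permit"
    return False

# Constructed from the example: acl number 2001, rule permit source 10.10.0.0 0.0.255.255
ACL_2001 = [("permit", "10.10.0.0", "0.0.255.255")]
```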
2.1.3 ip https certificate access-control-policy
Syntax
ip https certificate access-control-policy policy-name
undo ip https certificate access-control-policy
View
System view
Parameter
policy-name: Name of the certificate attribute access control policy, a string of 1 to 16 characters.
Description
Use the ip https certificate access-control-policy command to associate the HTTPS service with a certificate attribute access control policy.
Use the undo ip https certificate access-control-policy command to remove the association.
By default, the HTTPS service is not associated with any certificate attribute access control policy.
Example
# Associate the HTTPS service with certificate attribute access control policy “myacl”.
<Sysname> system-view
[Sysname] ip https certificate access-control-policy myacl
2.1.4 ip https enable
Syntax
ip https enable
undo ip https enable
View
System view
Parameter
None
Description
Use the ip https enable command to enable the HTTPS service.
Use the undo ip https enable command to disable the HTTPS service.
By default, the HTTPS service is disabled.
Enabling the HTTPS service triggers an SSL handshake negotiation. If the device already has a local certificate, the negotiation succeeds and the HTTPS service starts normally. If no local certificate exists, the negotiation triggers a certificate application process; because that process takes considerable time, the negotiation often fails and the HTTPS service cannot start normally. Therefore, the ip https enable command must be executed multiple times to ensure that the HTTPS service starts.
Example
# Enable the HTTPS service.
<Sysname> system-view
[Sysname] ip https enable
2.1.5 ip https ssl-server-policy
Syntax
ip https ssl-server-policy policy-name
View
System view
Parameter
policy-name: Name of an SSL server policy, a string of 1 to 16 characters.
Description
Use the ip https ssl-server-policy command to associate the HTTPS service with an SSL server-end policy.
By default, the HTTPS service is not associated with any SSL server-end policy.
Note that the HTTPS service can be enabled only after this command has been configured successfully.
Example
# Configure the HTTPS service to use SSL server-end policy “myssl”.
<Sysname> system-view
[Sysname] ip https ssl-server-policy myssl