H3C S5120-SI Series Ethernet Switches Configuration Guide-Release 1101-6W105


23-SSL Configuration


This chapter includes these sections:

- SSL Overview
- SSL Configuration Task List
- Displaying and Maintaining SSL
- Troubleshooting SSL

SSL Overview

Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols such as HTTP. It is widely used in e-business and online banking to ensure secure data transmission over the Internet.

SSL Security Mechanism

Secure connections provided by SSL have these features:

- Confidentiality: SSL uses a symmetric encryption algorithm to encrypt data and uses the asymmetric key algorithm of Rivest, Shamir, and Adleman (RSA) to encrypt the key to be used by the symmetric encryption algorithm.

- Authentication: SSL supports certificate-based identity authentication of the server and client by using digital signatures. The SSL server and client obtain certificates from a certificate authority (CA) through the Public Key Infrastructure (PKI).

- Reliability: SSL uses the key-based message authentication code (MAC) to verify message integrity. A MAC algorithm transforms a message of any length to a fixed-length message. Figure 1-1 illustrates how SSL uses a MAC algorithm to verify message integrity. With the key, the sender uses the MAC algorithm to compute the MAC value of a message. Then, the sender suffixes the MAC value to the message and sends the result to the receiver. The receiver uses the same key and MAC algorithm to compute the MAC value of the received message, and compares the locally computed MAC value with the one received. If the two match, the receiver considers the message intact; otherwise, the receiver considers that the message has been tampered with in transit and discards the message.

Figure 1-1 Message integrity verification by a MAC algorithm

 

- For details about symmetric key algorithms, asymmetric key algorithm RSA and digital signature, see Public Key Configuration.
- For details about PKI, certificate, and CA, see PKI Configuration.

 

SSL Protocol Stack

As shown in Figure 1-2, the SSL protocol consists of two layers of protocols: the SSL record protocol at the lower layer and the SSL handshake protocol, change cipher spec protocol, and alert protocol at the upper layer.

Figure 1-2 SSL protocol stack

 

- SSL record protocol: Fragments data to be transmitted, computes and adds MAC to the data, and encrypts the data before transmitting it to the peer end.

- SSL handshake protocol: A very important part of the SSL protocol stack, responsible for negotiating the cipher suite to be used for secure communication (including the symmetric encryption algorithm, key exchange algorithm, and MAC algorithm), securely exchanging the key between the server and client, and implementing identity authentication of the server and client. Through the SSL handshake protocol, a session is established between a client and the server. A session consists of a set of parameters, including the session ID, peer certificate, cipher suite, and master secret.

- SSL change cipher spec protocol: Used for notification between the client and the server that the subsequent packets are to be protected and transmitted based on the newly negotiated cipher suite and key.

- SSL alert protocol: Enables the SSL client and server to send alert messages to each other. An alert message contains the alert severity level and a description.
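The MAC check described under SSL Security Mechanism, as the record protocol applies it to each fragment, in an added Python example (not H3C code). It follows the TLS 1.0 record MAC of RFC 2246 with HMAC-SHA1, which also covers a record sequence number; the key and message are constructed samples, and the encryption step is omitted.

```python
import hashlib
import hmac
import struct

TLS10 = (3, 1)          # TLS 1.0 identifies itself as SSL 3.1 on the wire
APPLICATION_DATA = 23   # record content type

def record_mac(key, seq, ctype, fragment, version=TLS10):
    """TLS 1.0 record MAC: HMAC over seq_num, type, version, length, fragment."""
    header = struct.pack("!QBBBH", seq, ctype, version[0], version[1], len(fragment))
    return hmac.new(key, header + fragment, hashlib.sha1).digest()

def protect(key, seq, fragment):
    """Sender: suffix the MAC value to the message."""
    return fragment + record_mac(key, seq, APPLICATION_DATA, fragment)

def verify(key, seq, protected):
    """Receiver: recompute the MAC and compare; return the message or None."""
    mac_len = hashlib.sha1().digest_size
    if len(protected) < mac_len:
        return None
    fragment, received = protected[:-mac_len], protected[-mac_len:]
    expected = record_mac(key, seq, APPLICATION_DATA, fragment)
    # Constant-time comparison, so the check does not leak how many bytes matched.
    return fragment if hmac.compare_digest(expected, received) else None

def demo():
    key = b"constructed-mac-key!"                 # sample key, not a real secret
    sent = protect(key, 0, b"GET / HTTP/1.0\r\n\r\n")
    tampered = bytes([sent[0] ^ 1]) + sent[1:]     # one bit flipped in transit
    return {
        "intact": verify(key, 0, sent),
        "tampered": verify(key, 0, tampered),
        "replayed": verify(key, 1, sent),          # same bytes, later sequence number
        "wrong_key": verify(b"another-key", 0, sent),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

Only the intact record is returned; the tampered, replayed and wrong-key cases are discarded, as the Reliability item describes.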

SSL Configuration Task List

Different parameters are required on the SSL server and the SSL client.

Complete the following tasks to configure SSL:

| Task | Remarks |
|---|---|
| Configuring an SSL Server Policy | Required |
| Configuring an SSL Client Policy | Optional |

 

Configuring an SSL Server Policy

An SSL server policy is a set of SSL parameters for a server to use when booting up. An SSL server policy takes effect only after it is associated with an application layer protocol such as HTTP.

Configuration Prerequisites

When configuring an SSL server policy, you need to specify the PKI domain to be used for obtaining the server side certificate. Therefore, before configuring an SSL server policy, you must configure a PKI domain. For details about PKI domain configuration, see PKI Configuration.

Configuration Procedure

Follow these steps to configure an SSL server policy:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Create an SSL server policy and enter its view | ssl server-policy policy-name | Required |
| Specify a PKI domain for the SSL server policy | pki-domain domain-name | Required. By default, no PKI domain is specified for an SSL server policy. |
| Specify the cipher suite(s) for the SSL server policy to support | ciphersuite [ rsa_aes_128_cbc_sha \| rsa_des_cbc_sha \| rsa_rc4_128_md5 \| rsa_rc4_128_sha ] * | Optional. By default, an SSL server policy supports all cipher suites. |
| Set the handshake timeout time for the SSL server | handshake timeout time | Optional. 3,600 seconds by default. |
| Set the SSL connection close mode | close-mode wait | Optional. Not wait by default. |
| Set the maximum number of cached sessions and the caching timeout time | session { cachesize size \| timeout time } * | Optional. The defaults are 500 for the maximum number of cached sessions and 3600 seconds for the caching timeout time. |
| Enable certificate-based SSL client authentication | client-verify enable | Optional. Not enabled by default. |

 

- If you enable client authentication here, you must request a local certificate for the client.

- Currently, SSL mainly comes in these versions: SSL 2.0, SSL 3.0, and TLS 1.0, where TLS 1.0 corresponds to SSL 3.1. When the device acts as an SSL server, it can communicate with clients running SSL 3.0 or TLS 1.0, and can identify Hello packets from clients running SSL 2.0. If a client running SSL 2.0 also supports SSL 3.0 or TLS 1.0 (information about supported versions is carried in the packet that the client sends to the server), the server will notify the client to use SSL 3.0 or TLS 1.0 to communicate with the server.

 

SSL Server Policy Configuration Example

Network requirements

As shown in Figure 1-3, users can access and control Device through Web pages. For security of the device, it is required that users use HTTPS (HTTP Security, which uses SSL) to log in to the Web interface of the device and use SSL for identity authentication to ensure that data will not be eavesdropped or tampered with.

To achieve the goal, perform the following configurations:

- Configure Device to work as the HTTPS server and request a certificate for Device.
- Request a certificate for Host so that Device can authenticate the identity of Host.
- Configure a CA server to issue certificates to Device and Host.

 

- In this example, Windows Server works as the CA server and the Simple Certificate Enrollment Protocol (SCEP) plug-in is installed on the CA server.
- Before performing the following configurations, ensure that Device, Host, and the CA server can reach each other.

 

Figure 1-3 Network diagram for SSL server policy configuration

 

Configuration procedure

1) Configure the HTTPS server (Device)

# Create a PKI entity named en, and configure the common name as http-server1 and the FQDN as ssl.security.com.

<Device> system-view

[Device] pki entity en

[Device-pki-entity-en] common-name http-server1

[Device-pki-entity-en] fqdn ssl.security.com

[Device-pki-entity-en] quit

# Create PKI domain 1, specify the trusted CA as ca server, the URL of the registration server as http://10.1.2.2/certsrv/mscep/mscep.dll, the authority for certificate request as RA, and the entity for certificate request as en.

[Device] pki domain 1

[Device-pki-domain-1] ca identifier ca server

[Device-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll

[Device-pki-domain-1] certificate request from ra

[Device-pki-domain-1] certificate request entity en

[Device-pki-domain-1] quit

# Create the local RSA key pairs.

[Device] public-key local create rsa

# Retrieve the CA certificate.

[Device] pki retrieval-certificate ca domain 1

# Request a local certificate for Device.

[Device] pki request-certificate domain 1

# Create an SSL server policy named myssl.

[Device] ssl server-policy myssl

# Specify the PKI domain for the SSL server policy as 1.

[Device-ssl-server-policy-myssl] pki-domain 1

# Enable client authentication.

[Device-ssl-server-policy-myssl] client-verify enable

[Device-ssl-server-policy-myssl] quit

# Configure HTTPS service to use SSL server policy myssl.

[Device] ip https ssl-server-policy myssl

# Enable HTTPS service.

[Device] ip https enable

# Create a local user named usera, and set the password to 123 and service type to telnet.

[Device] local-user usera

[Device-luser-usera] password simple 123

[Device-luser-usera] service-type telnet

2) Configure the HTTPS client (Host)

On Host, launch IE, enter http://10.1.2.2/certsrv in the address bar and request a certificate for Host as prompted.

3) Verify your configuration

Launch IE on the host, enter https://10.1.1.1 in the address bar, and select the certificate issued by the CA server. The Web interface of Device should appear. After entering username usera and password 123, you should be able to log in to the Web interface to access and manage Device.

 

 

- For details about PKI configuration commands, see PKI Commands.
- For details about the public-key local create rsa command, see Public Key Commands.
- For details about HTTPS, see HTTP Configuration.

 

Configuring an SSL Client Policy

An SSL client policy is a set of SSL parameters for a client to use when connecting to the server. An SSL client policy takes effect only after it is associated with an application layer protocol.

Configuration Prerequisites

If the SSL server is configured to authenticate the SSL client, when configuring the SSL client policy, you need to specify the PKI domain to be used for obtaining the certificate of the client. Therefore, before configuring an SSL client policy, you must configure a PKI domain. For details about PKI domain configuration, see PKI Configuration.

Configuration Procedure

Follow these steps to configure an SSL client policy:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Create an SSL client policy and enter its view | ssl client-policy policy-name | Required |
| Specify a PKI domain for the SSL client policy | pki-domain domain-name | Optional. No PKI domain is configured by default. |
| Specify the preferred cipher suite for the SSL client policy | prefer-cipher { rsa_aes_128_cbc_sha \| rsa_des_cbc_sha \| rsa_rc4_128_md5 \| rsa_rc4_128_sha } | Optional. rsa_rc4_128_md5 by default. |
| Specify the SSL protocol version for the SSL client policy | version { ssl3.0 \| tls1.0 } | Optional. TLS 1.0 by default. |

 

If you enable client authentication on the server, you must request a local certificate for the client.
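Because the defaults in the two command tables apply whenever a command is omitted (all cipher suites on the server, rsa_rc4_128_md5 on the client), a review has to work from the effective settings, not only the lines entered. The following Python check is an added example, not an H3C tool: it parses command lines in the style of this chapter's example and reports DES, RC4 and SSL 3.0 usage. The policy names, prompts and input text are constructed, and treating pasted command lines as the input format is an assumption.

```python
import re
ALL_SUITES = "rsa_aes_128_cbc_sha rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha".split()
WEAK = {"rsa_des_cbc_sha": "56-bit DES", "rsa_rc4_128_md5": "RC4 and MD5",
        "rsa_rc4_128_sha": "RC4"}  # RC4 suites are prohibited by RFC 7465

def parse_policies(text):
    """Collect the commands entered under each ssl server-policy / client-policy."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = re.sub(r"^\[[^\]]*\]\s*", "", raw.strip())  # drop "[Device-...]" prompt
        m = re.fullmatch(r"ssl (server|client)-policy (\S+)", line)
        if m:
            cur = {"kind": m.group(1), "name": m.group(2), "cmds": []}
            policies.append(cur)
        elif line == "quit":
            cur = None
        elif cur is not None and line and not line.startswith("#"):
            cur["cmds"].append(line.split())
    return policies

def audit(policy):
    """Return findings for one policy, applying the defaults the guide documents."""
    cmds = {c[0]: c[1:] for c in policy["cmds"]}
    findings = []
    if policy["kind"] == "server":
        suites = cmds.get("ciphersuite") or ALL_SUITES  # default: all suites
        if "pki-domain" not in cmds:
            findings.append("no pki-domain, so no server certificate")
    else:
        suites = cmds.get("prefer-cipher") or ["rsa_rc4_128_md5"]  # client default
        if cmds.get("version") == ["ssl3.0"]:
            findings.append("version ssl3.0 (deprecated by RFC 7568)")
    findings += [f"{s}: {WEAK[s]}" for s in suites if s in WEAK]
    return findings

SAMPLE = """\
[Device] ssl server-policy myssl
[Device-ssl-server-policy-myssl] pki-domain 1
[Device-ssl-server-policy-myssl] quit
[Device] ssl server-policy aesonly
[Device-ssl-server-policy-aesonly] pki-domain 1
[Device-ssl-server-policy-aesonly] ciphersuite rsa_aes_128_cbc_sha
[Device-ssl-server-policy-aesonly] quit
[Device] ssl client-policy out
[Device-ssl-client-policy-out] version ssl3.0
"""  # constructed input; policy names and prompts are hypothetical

def report(text=SAMPLE):
    return {p["name"]: audit(p) for p in parse_policies(text)}
```

Policy myssl, which sets no ciphersuite command, is reported with all three DES and RC4 suites, while aesonly, restricted to rsa_aes_128_cbc_sha, yields no findings.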

 

Displaying and Maintaining SSL

| To do... | Use the command... | Remarks |
|---|---|---|
| Display SSL server policy information | display ssl server-policy { policy-name \| all } | Available in any view |
| Display SSL client policy information | display ssl client-policy { policy-name \| all } | Available in any view |

 

Troubleshooting SSL

SSL Handshake Failure

Symptom

As the SSL server, the device fails to handshake with the SSL client.

Analysis

SSL handshake failure may result from the following causes:

- The SSL client is configured to authenticate the SSL server, but the SSL server has no certificate or the certificate is not trusted.
- The SSL server is configured to authenticate the SSL client, but the SSL client has no certificate or the certificate is not trusted.
- The server and the client have no matching cipher suite.

Solution

1) You can issue the debugging ssl command and view the debugging information to locate the problem:

- If the SSL client is configured to authenticate the SSL server but the SSL server has no certificate, request one for it.

- If the server’s certificate cannot be trusted, install on the SSL client the root certificate of the CA that issues the local certificate to the SSL server, or have the server request a certificate from the CA that the SSL client trusts.

- If the SSL server is configured to authenticate the client, but the SSL client has no certificate or the certificate cannot be trusted, request and install a certificate for the client.

2) You can use the display ssl server-policy command to view the cipher suites that the SSL server policy supports. If the server and the client have no matching cipher suite, use the ciphersuite command to modify the cipher suite configuration of the SSL server.

 
