H3C S5500-EI Series Switches Command Manual-Release 2102(V1.01)

HomeSupportSwitchesH3C S5500 Switch SeriesReference GuidesCommand ReferencesH3C S5500-EI Series Switches Command Manual-Release 2102(V1.01)
39-SSL-HTTPS Commands
Title Size Download
39-SSL-HTTPS Commands 53 KB

Chapter 1  SSL Configuration Commands

1.1  SSL Configuration Commands

1.1.1  ciphersuite

Syntax

ciphersuite [ rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *

View

SSL server policy view

Parameters

rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA.

rsa_des_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of DES_CBC, and the MAC algorithm of SHA.

rsa_rc4_128_md5: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of MD5.

rsa_rc4_128_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of SHA.

Description

Use the ciphersuite command to specify the cipher suite(s) for an SSL server policy to support.

By default, an SSL server policy supports all cipher suites.

With no keyword specified, the command configures an SSL server policy to support all cipher suites.

Examples

# Specify the cipher suites for SSL server policy policy1 to support as rsa_rc4_128_md5 and rsa_rc4_128_sha.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] ciphersuite rsa_rc4_128_md5 rsa_rc4_128_sha

1.1.2  client-verify enable

Syntax

client-verify enable

undo client-verify enable

View

SSL server policy view

Parameters

None

Description

Use the client-verify enable command to enable certificate-based SSL client authentication, that is, to enable the SSL server to perform certificate-based authentication of the client during the SSL handshake process.

Use the undo client-verify enable command to restore the default.

By default, certificate-based SSL client authentication is disabled.

Examples

# Enable certificate-based client authentication.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] client-verify enable

1.1.3  close-mode wait

Syntax

close-mode wait

undo close-mode wait

View

SSL server policy view

Parameters

None

Description

Use the close-mode wait command to set the SSL connection close mode to wait. In this mode, after sending a close-notify message to a client, the server does not close the connection until it receives a close-notify message from the client.

Use the undo close-mode wait command to restore the default.

By default, an SSL server sends a close-notify alert message to the client and close the connection without waiting for the close-notify alert message from the client.

Examples

# Set the SSL connection close mode to wait mode.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] close-mode wait

1.1.4  display ssl client-policy

Syntax

display ssl client-policy { policy-name | all }

View

Any view

Parameters

policy-name: SSL client policy name, a string of 1 to 16 characters.

all: Displays information about all SSL client policies.

Description

Use the display ssl client-policy command to view information about a specified or all SSL client policies.

Examples

# Display information about SSL client policy policy1.

<Sysname> display ssl client-policy policy1

 SSL Client Policy: policy1

     SSL Version: SSL 3.0

     PKI Domain: 1

     Prefer Ciphersuite:

         RSA_RC4_128_SHA

Table 1-1 Description on the fields of the display ssl client-policy command

Field

Description

SSL Client Policy

SSL client policy name

SSL Version

Version of the protocol used by the SSL client policy

PKI Domain

PKI domain of the SSL client policy

Prefer Ciphersuite

Preferred cipher suite of the SSL client policy

 

1.1.5  display ssl server-policy

Syntax

display ssl server-policy { policy-name | all }

View

Any view

Parameters

policy-name: SSL server policy name, a string of 1 to 16 characters.

all: Displays information about all SSL server policies.

Description

Use the display ssl server-policy command to view information about a specified or all SSL server policies.

Examples

# Display information about SSL server policy policy1.

<Sysname> display ssl server-policy policy1

 SSL Server Policy: policy1

     PKI Domain: domain1

     Ciphersuite:

         RSA_RC4_128_MD5

         RSA_RC4_128_SHA

         RSA_DES_CBC_SHA

         RSA_AES_128_CBC_SHA

     Handshake Timeout: 3600

     Close-mode: wait disabled

     Session Timeout: 3600

     Session Cachesize: 500

     Client-verify: disabled

Table 1-2 Description on the fields of the display ssl server-policy command

Field

Description

SSL Server Policy

SSL server policy name

PKI Domain

PKI domain to which the SSL server policy belongs

Ciphersuite

Cipher suites supported by the SSL server policy

Handshake Timeout

Handshake timeout time of the SSL server policy

Close-mode

Close mode of the SSL server policy

Session Timeout

Session timeout time of the SSL server policy

Session Cachesize

Maximum number of buffered sessions of the SSL server policy

Client-verify

Whether client authentication is enabled

 

1.1.6  handshake timeout

Syntax

handshake timeout time

undo handshake timeout

View

SSL server policy view

Parameters

time: Handshake timeout time in seconds, in the range 180 to 7,200.

Description

Use the handshake timeout command to set the handshake timeout time for an SSL server policy.

Use the undo handshake timeout command to restore the default.

By default, the handshake timeout time is 3,600 seconds.

Examples

# Set the handshake timeout time of SSL server policy policy1 to 3,000 seconds.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] handshake timeout 3000

1.1.7  pki-domain

Syntax

pki-domain domain-name

undo pki-domain

View

SSL server policy view, SSL client policy view

Parameters

domain-name: Name of a PKI domain, a string of 1 to 15 characters.

Description

Use the pki-domain command to specify a PKI domain for an SSL server policy or SSL client policy.

Use the undo pki-domain command to restore the default.

By default, no PKI domain is configured for an SSL server policy or SSL client policy.

Examples

# Configure SSL server policy policy1 to use the PKI domain named server-domain.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] pki-domain server-domain

# Configure SSL client policy policy1 to use the PKI domain named client-domain.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] pki-domain client-domain

1.1.8  prefer-cipher

Syntax

prefer-cipher { rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }

undo prefer-cipher

View

SSL client policy view

Parameters

rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA.

rsa_des_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of DES_CBC, and the MAC algorithm of SHA.

rsa_rc4_128_md5: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of MD5.

rsa_rc4_128_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of SHA.

Description

Use the prefer-cipher command to specify the preferred cipher suite for an SSL client policy.

Use the undo prefer-cipher command to restore the default.

By default, the preferred cipher suite for an SSL client policy is rsa_rc4_128_md5.

Examples

# Set the preferred cipher suite for SSL client policy policy1 to rsa_aes_128_cbc_sha.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] prefer-cipher rsa_aes_128_cbc_sha

1.1.9  session

Syntax

session { cachesize size | timeout time } *

undo session { cachesize | timeout } *

View

SSL server policy view

Parameters

size: Maximum number of cached sessions, in the range 100 to 1,000.

time: Caching timeout time in seconds, in the range 1,800 to 72,000.

Description

Use the session command to set the maximum number of cached sessions and the caching timeout time.

Use the undo session command to restore the default.

By default, the maximum number of cached sessions is 500 and the caching timeout time is 3,600 seconds.

If the number of sessions in the cache reaches the maximum, SSL rejects to cache new sessions. If a session exists in the cache for a period equal to the caching timeout time, SSL removes it from the cache.

Examples

# Set the caching timeout time to 4,000 seconds and the maximum number of cached sessions to 600.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] session timeout 4000 cachesize 600

1.1.10  ssl client-policy

Syntax

ssl client-policy policy-name

undo ssl client-policy { policy-name | all }

View

System view

Parameters

policy-name: SSL client policy name, a case-insensitive string of 1 to 16 characters, which cannot be “a”, “al” and “all”.

all: Specifies all SSL client policies.

Description

Use the ssl client-policy command to create an SSL policy and enter its view.

Use the undo ssl client-policy command to remove a specified or all SSL client policies.

Examples

# Create an SSL client policy named policy1 and enter its view.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1]

1.1.11  ssl server-policy

Syntax

ssl server-policy policy-name

undo ssl server-policy { policy-name | all }

View

System view

Parameters

policy-name: SSL server policy name, a case-insensitive string of 1 to 16 characters, which cannot be “a”, “al” and “all”.

all: Specifies all SSL server policies.

Description

Use the ssl server-policy command to create an SSL server policy and enter its view.

Use the undo ssl server-policy command to remove a specified or all SSL server policies.

Note that you cannot delete an SSL server policy that has been associated with one or more application layer protocols.

Examples

# Create an SSL server policy named policy1 and enter its view.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1]

1.1.12  version

Syntax

version { ssl3.0 | tls1.0 }

undo version

View

SSL client policy view

Parameters

ssl3.0: Specifies SSL 3.0.

tls1.0: Specifies TLS 1.0.

Description

Use the version command to specify the SSL protocol version for an SSL client policy.

Use the undo version command to restore the default.

By default, the SSL protocol version for an SSL client policy is TLS 1.0.

Examples

# Specify the SSL protocol version for SSL client policy policy1 as SSL 3.0.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] version ssl3.0

 


Chapter 2  HTTPS Configuration Commands

2.1  HTTPS Configuration Commands

2.1.1  display ip https

Syntax

display ip https

View

Any view

Parameters

None

Description

Use the display ip https command to display information about HTTPS.

Examples

# Display information about HTTPS.

<Sysname> display ip https

SSL server policy: test

Certificate access-control-policy:

Basic ACL: 2222

Current connection: 0

Operation status: Running

Table 2-1 Description on the fields of the display ip https command

Field

Description

SSL server policy

The SSL server policy associated with the HTTPS service

Certificate access-control-policy

The certificate attribute access control policy associated with the HTTPS service

Basic ACL

The basic ACL number associated with the HTTPS service

Current connection

The number of current connections

Operation status

Operation status

 

2.1.2  ip https acl

Syntax

ip https acl acl-number

undo ip https acl

View

System view

Parameters

acl-number: Basic ACL number, in the range 2000 to 2999.

Description

Use the ip https acl command to associate the HTTPS service with an ACL.

Use the undo ip https acl command to remove the association.

By default, the HTTPS service is not associated with any ACL.

Examples

# Associate the HTTPS service with an ACL. Only allow the clients within the 10.10.0.0/16 network segment to access the HTTPS server.

<Sysname> system-view

[Sysname] acl number 2001

[Sysname-acl-basic-2001] rule permit source 10.10.0.0 0.0.255.255

[Sysname-acl-basic-2001] quit

[Sysname] ip https acl 2001

2.1.3  ip https certificate access-control-policy

Syntax

ip https certificate access-control-policy policy-name

undo ip https certificate access-control-policy

View

System view

Parameters

policy-name: Name of the certificate attribute access control policy, a string of 1 to 16 characters.

Description

Use the ip https certificate access-control-policy command to associate the HTTPS service with a certificate attribute access control policy.

Use the undo ip https certificate access-control-policy command to remove the association.

By default, the HTTPS service is not associated with any certificate attribute access control policy.

Examples

# Associate the HTTPS server to certificate attribute access control policy myacl.

<Sysname> system-view

[Sysname] ip https certificate access-control-policy myacl

2.1.4  ip https enable

Syntax

ip https enable

undo ip https enable

View

System view

Parameters

None

Description

Use the ip https enable command to enable the HTTPS service.

Use the undo ip https enable command to disable the HTTPS service.

By default, the HTTPS service is disabled.

Enabling of the HTTPS service triggers an SSL handshake negotiation process. During the process, if a local certificate of the device already exists, the SSL negotiation is successfully performed, and the HTTPS service can be started normally. If no local certificate exists, a certificate application process will be triggered by the SSL negotiation. Since the application process takes much time, the SSL negotiation often fails and the HTTPS service cannot be started normally. Therefore, the ip https enable command must be executed for multiple times to ensure normal startup of the HTTPS service.

Examples

# Enable the HTTPS service.

<Sysname> system-view

[Sysname] ip https enable

2.1.5  ip https ssl-server-policy

Syntax

ip https ssl-server-policy policy-name

View

System view

Parameters

policy-name: Name of an SSL server policy, a string of 1 to 16 characters.

Description

Use the ip https ssl-server-policy command to associate the HTTPS service with an SSL server-end policy.

By default, the HTTPS service is not associated with any SSL server-end policy.

Note that the HTTPS service can be enabled only after this command is configured successfully.

Examples

# Configure the HTTPS service to use SSL server-end policy myssl.

<Sysname> system-view

[Sysname] ip https ssl-server-policy myssl

 

  • Cloud & AI
  • InterConnect
  • Intelligent Computing
  • Security
  • SMB Products
  • Intelligent Terminal Products
  • Product Support Services
  • Technical Service Solutions
All Services
  • Resource Center
  • Policy
  • Online Help
All Support
  • Become a Partner
  • Partner Resources
  • Partner Business Management
All Partners
  • Profile
  • News & Events
  • Online Exhibition Center
  • Contact Us
All About Us
新华三官网