Security Command Reference

09-SSL Commands

•  Support of the H3C WA series WLAN access points (APs) for commands may vary by AP model. For more information, see Feature Matrix.

•  The interface types and the number of interfaces vary by AP model.

•  The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to your region.

 

SSL Configuration Commands

ciphersuite

Syntax

ciphersuite [ rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *

View

SSL server policy view

Default Level

2: System level

Parameters

rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 3DES_EDE_CBC, and the MAC algorithm of SHA.

rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA.

rsa_aes_256_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 256-bit AES_CBC, and the MAC algorithm of SHA.

rsa_des_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of DES_CBC, and the MAC algorithm of SHA.

rsa_rc4_128_md5: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of MD5.

rsa_rc4_128_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of SHA.

Description

Use the ciphersuite command to specify the cipher suite(s) that an SSL server policy supports.

By default, an SSL server policy supports all six cipher suites.

With no keyword specified, the command configures an SSL server policy to support all cipher suites.

If you execute the command repeatedly, the last one takes effect.

All six suites use static RSA key exchange, so none of them provides forward secrecy. rsa_rc4_128_md5, rsa_rc4_128_sha and rsa_des_cbc_sha depend on RC4, MD5 or 56-bit DES and are considered broken, and rsa_3des_ede_cbc_sha uses a 64-bit block cipher. Restrict a server policy to rsa_aes_128_cbc_sha and rsa_aes_256_cbc_sha unless a legacy client requires otherwise, and confirm the result with display ssl server-policy.

Related commands: display ssl server-policy.

Examples

# Specify the cipher suites for SSL server policy policy1 to support as rsa_rc4_128_md5 and rsa_rc4_128_sha.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] ciphersuite rsa_rc4_128_md5 rsa_rc4_128_sha

client-verify enable

Syntax

client-verify enable

undo client-verify enable

View

SSL server policy view

Default Level

2: System level

Parameters

None

Description

Use the client-verify enable command to enable certificate-based SSL client authentication, that is, to enable the SSL server to perform certificate-based authentication of the client during the SSL handshake process.

Use the undo client-verify enable command to restore the default.

By default, certificate-based SSL client authentication is disabled.

Related commands: display ssl server-policy.

Examples

# Enable certificate-based client authentication.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] client-verify enable

close-mode wait

Syntax

close-mode wait

undo close-mode wait

View

SSL server policy view

Default Level

2: System level

Parameters

None

Description

Use the close-mode wait command to set the SSL connection close mode to wait. In this mode, after sending a close-notify message to a client, the server does not close the connection until it receives a close-notify message from the client.

Use the undo close-mode wait command to restore the default.

By default, an SSL server sends a close-notify alert message to the client and closes the connection without waiting for the close-notify alert message from the client.

Related commands: display ssl server-policy.

Examples

# Set the SSL connection close mode to wait mode.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] close-mode wait

display ssl client-policy

Syntax

display ssl client-policy { policy-name | all }

View

Any view

Default Level

1: Monitor level

Parameters

policy-name: SSL client policy name, a case-insensitive string of 1 to 16 characters.

all: Displays information about all SSL client policies.

Description

Use the display ssl client-policy command to view information about a specified or all SSL client policies.

Examples

# Display information about SSL client policy policy1.

<Sysname> display ssl client-policy policy1

 SSL Client Policy: policy1

     SSL Version: SSL 3.0

     PKI Domain: 1

     Prefer Ciphersuite:

         RSA_RC4_128_SHA

Table 1-1 display ssl client-policy command output description

Field               Description
SSL Client Policy   SSL client policy name
SSL Version         Version of the protocol used by the SSL client policy, SSL 3.0 or TLS 1.0
PKI Domain          PKI domain of the SSL client policy
Prefer Ciphersuite  Preferred cipher suite of the SSL client policy

 

display ssl server-policy

Syntax

display ssl server-policy { policy-name | all }

View

Any view

Default Level

1: Monitor level

Parameters

policy-name: SSL server policy name, a case-insensitive string of 1 to 16 characters.

all: Displays information about all SSL server policies.

Description

Use the display ssl server-policy command to view information about a specified or all SSL server policies.

Examples

# Display information about SSL server policy policy1.

<Sysname> display ssl server-policy policy1

 SSL Server Policy: policy1

     PKI Domain: domain1

     Ciphersuite:

         RSA_RC4_128_MD5

         RSA_RC4_128_SHA

         RSA_DES_CBC_SHA

         RSA_3DES_EDE_CBC_SHA

         RSA_AES_128_CBC_SHA

         RSA_AES_256_CBC_SHA

     Handshake Timeout: 3600

     Close-mode: wait disabled

     Session Timeout: 3600

     Session Cachesize: 500

     Client-verify: disabled

Table 1-2 display ssl server-policy command output description

Field               Description
SSL Server Policy   SSL server policy name
PKI Domain          PKI domain used by the SSL server policy
Ciphersuite         Cipher suites supported by the SSL server policy
Handshake Timeout   Handshake timeout time of the SSL server policy, in seconds
Close-mode          Close mode of the SSL server policy, which can be:
                    • wait disabled: The server sends a close-notify message to the client and then closes the connection immediately, without waiting for the client's close-notify message.
                    • wait enabled: The server sends a close-notify message to the client and then waits for the client's close-notify message; only after receiving it does the server close the connection.
Session Timeout     Session timeout time of the SSL server policy, in seconds
Session Cachesize   Maximum number of cached sessions of the SSL server policy
Client-verify       Whether certificate-based client authentication is enabled
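The display ssl server-policy output above is the place to check a policy before an application-layer protocol is bound to it. The following script is an added example (not H3C code) that parses the output of display ssl server-policy all in the layout shown on this page and reports the cipher suites a practitioner would want removed, the absence of forward secrecy, and whether client authentication is on. The sample output is constructed: policy1 is the page's own example, policy2 is a hypothetical policy restricted to the AES suites.

```python
"""Audit `display ssl server-policy all` output for weak cipher suites.

Added example, not H3C code. Assumes the output keeps the layout shown on
this page: one "SSL Server Policy:" header per policy, a "Ciphersuite:"
line followed by one suite per line, then "Key: value" lines.
"""
import re

# Constructed sample: policy1 copies the page's example output, policy2 is a
# hypothetical AES-only policy with certificate-based client authentication.
SAMPLE_OUTPUT = """\
 SSL Server Policy: policy1
     PKI Domain: domain1
     Ciphersuite:
         RSA_RC4_128_MD5
         RSA_RC4_128_SHA
         RSA_DES_CBC_SHA
         RSA_3DES_EDE_CBC_SHA
         RSA_AES_128_CBC_SHA
         RSA_AES_256_CBC_SHA
     Handshake Timeout: 3600
     Close-mode: wait disabled
     Session Timeout: 3600
     Session Cachesize: 500
     Client-verify: disabled
 SSL Server Policy: policy2
     PKI Domain: domain1
     Ciphersuite:
         RSA_AES_128_CBC_SHA
         RSA_AES_256_CBC_SHA
     Handshake Timeout: 180
     Close-mode: wait enabled
     Session Timeout: 1800
     Session Cachesize: 100
     Client-verify: enabled
"""

# Suite name as printed by the AP -> (severity, reason it should not be offered)
WEAK_SUITES = {
    "RSA_RC4_128_MD5":      ("HIGH",   "RC4 (prohibited by RFC 7465) with MD5 MAC"),
    "RSA_RC4_128_SHA":      ("HIGH",   "RC4 (prohibited by RFC 7465)"),
    "RSA_DES_CBC_SHA":      ("HIGH",   "single DES, 56-bit key"),
    "RSA_3DES_EDE_CBC_SHA": ("MEDIUM", "3DES, 64-bit block (Sweet32)"),
}

def parse_server_policies(text):
    """Return {policy_name: {"suites": [...], "fields": {key: value}}}."""
    policies, current, in_suites = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"SSL Server Policy:\s*(\S+)", line)
        if m:
            current = policies.setdefault(m.group(1), {"suites": [], "fields": {}})
            in_suites = False
            continue
        if current is None:
            continue                      # text before the first policy header
        if line == "Ciphersuite:":
            in_suites = True              # following lines are suite names
            continue
        if ":" in line:                   # any "Key: value" line ends the list
            in_suites = False
            key, _, value = line.partition(":")
            current["fields"][key.strip()] = value.strip()
        elif in_suites:
            current["suites"].append(line)
    return policies

def audit(policies):
    """Return a list of (policy, severity, message) findings."""
    findings = []
    for name, pol in policies.items():
        for suite in pol["suites"]:
            if suite in WEAK_SUITES:
                sev, why = WEAK_SUITES[suite]
                findings.append((name, sev, f"{suite}: {why}"))
        if not any(s not in WEAK_SUITES for s in pol["suites"]):
            findings.append((name, "HIGH", "no acceptable cipher suite configured"))
        # Every suite on this platform uses static RSA key exchange.
        findings.append((name, "INFO", "static RSA key exchange only: no forward secrecy"))
        if pol["fields"].get("Client-verify", "").lower() != "enabled":
            findings.append((name, "INFO", "client certificates are not required"))
    return findings

if __name__ == "__main__":
    for policy, sev, msg in audit(parse_server_policies(SAMPLE_OUTPUT)):
        print(f"{policy:<10} {sev:<7} {msg}")
```

Paste the real output of display ssl server-policy all in place of SAMPLE_OUTPUT; any policy that still lists an RC4 or DES suite needs a ciphersuite rsa_aes_128_cbc_sha rsa_aes_256_cbc_sha command.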

 

handshake timeout

Syntax

handshake timeout time

undo handshake timeout

View

SSL server policy view

Default Level

2: System level

Parameters

time: Handshake timeout time in seconds, in the range 180 to 7,200.

Description

Use the handshake timeout command to set the handshake timeout time for an SSL server policy.

Use the undo handshake timeout command to restore the default.

By default, the handshake timeout time is 3,600 seconds.

If the SSL server does not receive any packet from the SSL client before the handshake timeout time expires, the SSL server will terminate the handshake process.

Related commands: display ssl server-policy.

Examples

# Set the handshake timeout time of SSL server policy policy1 to 3,000 seconds.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] handshake timeout 3000

pki-domain

Syntax

pki-domain domain-name

undo pki-domain

View

SSL server policy view, SSL client policy view

Default Level

2: System level

Parameters

domain-name: Name of a PKI domain, a case-insensitive string of 1 to 15 characters.

Description

Use the pki-domain command to specify a PKI domain for an SSL server policy or SSL client policy.

Use the undo pki-domain command to restore the default.

By default, no PKI domain is configured for an SSL server policy or SSL client policy.

Related commands: display ssl server-policy and display ssl client-policy.

Examples

# Configure SSL server policy policy1 to use the PKI domain named server-domain.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] pki-domain server-domain

# Configure SSL client policy policy1 to use the PKI domain named client-domain.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] pki-domain client-domain

prefer-cipher

Syntax

prefer-cipher { rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }

undo prefer-cipher

View

SSL client policy view

Default Level

2: System level

Parameters

rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 3DES_EDE_CBC, and the MAC algorithm of SHA.

rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA.

rsa_aes_256_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 256-bit AES_CBC, and the MAC algorithm of SHA.

rsa_des_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of DES_CBC, and the MAC algorithm of SHA.

rsa_rc4_128_md5: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of MD5.

rsa_rc4_128_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of SHA.

Description

Use the prefer-cipher command to specify the preferred cipher suite for an SSL client policy.

Use the undo prefer-cipher command to restore the default.

By default, the preferred cipher suite for an SSL client policy is rsa_rc4_128_md5, the weakest of the available suites (RC4 with an MD5 MAC). Prefer rsa_aes_128_cbc_sha or rsa_aes_256_cbc_sha where the server supports them.

Related commands: display ssl client-policy.

Examples

# Set the preferred cipher suite for SSL client policy policy1 to rsa_aes_128_cbc_sha.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] prefer-cipher rsa_aes_128_cbc_sha

session

Syntax

session { cachesize size | timeout time } *

undo session { cachesize | timeout } *

View

SSL server policy view

Default Level

2: System level

Parameters

size: Maximum number of cached sessions, in the range 100 to 1,000.

time: Caching timeout time in seconds, in the range 1,800 to 72,000.

Description

Use the session command to set the maximum number of cached sessions and the caching timeout time.

Use the undo session command to restore the default.

By default, the maximum number of cached sessions is 500 and the caching timeout time is 3,600 seconds.

Negotiating session parameters and establishing a session with the SSL handshake protocol is expensive. SSL allows the negotiated session parameters to be reused to establish new sessions, so the SSL server maintains information about existing sessions. Both the number of cached sessions and the time for which session information is kept are limited:

•  If the number of sessions in the cache reaches the maximum, SSL does not cache new sessions.

•  If a session has been in the cache for a period equal to the caching timeout time, SSL removes the information of the session.

A resumed session skips the full handshake, including certificate-based client authentication, so the caching timeout also bounds how long a previously established session remains resumable.

Related commands: display ssl server-policy.

Examples

# Set the caching timeout time to 4,000 seconds and the maximum number of cached sessions to 600.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] session timeout 4000 cachesize 600

ssl client-policy

Syntax

ssl client-policy policy-name

undo ssl client-policy { policy-name | all }

View

System view

Default Level

2: System level

Parameters

policy-name: SSL client policy name, a case-insensitive string of 1 to 16 characters, which cannot be "a", "al" or "all".

all: Specifies all SSL client policies.

Description

Use the ssl client-policy command to create an SSL client policy and enter its view.

Use the undo ssl client-policy command to remove a specified or all SSL client policies.

Related commands: display ssl client-policy.

Examples

# Create an SSL client policy named policy1 and enter its view.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1]

ssl server-policy

Syntax

ssl server-policy policy-name

undo ssl server-policy { policy-name | all }

View

System view

Default Level

2: System level

Parameters

policy-name: SSL server policy name, a case-insensitive string of 1 to 16 characters, which cannot be "a", "al" or "all".

all: Specifies all SSL server policies.

Description

Use the ssl server-policy command to create an SSL server policy and enter its view.

Use the undo ssl server-policy command to remove a specified or all SSL server policies.

You cannot delete an SSL server policy that has been associated with one or more application layer protocols.

Related commands: display ssl server-policy.

Examples

# Create an SSL server policy named policy1 and enter its view.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1]
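Once a server policy is bound to an application-layer protocol, the configuration should be verified from the client side rather than trusted from the display output alone. The script below is an added example (not H3C code) that maps each ciphersuite keyword from this page to its IANA and OpenSSL names and then, for a listener that uses the policy, attempts a TLS 1.0 handshake offering exactly one suite at a time, so the suites the server really accepts can be compared with what was configured. The host and port are hypothetical; 192.0.2.1 is an RFC 5737 documentation address. It assumes the local OpenSSL build still permits TLS 1.0 at security level 0.

```python
"""Probe which ciphersuite keywords a listener bound to an SSL server policy
actually accepts over TLS 1.0.

Added example, not H3C code. Assumes the target is reachable at HOST:PORT and
that the local OpenSSL allows TLS 1.0 when the security level is lowered.
"""
import socket
import ssl

# ciphersuite keyword -> (IANA cipher suite name, OpenSSL cipher-string name)
SUITES = {
    "rsa_rc4_128_md5":      ("TLS_RSA_WITH_RC4_128_MD5",      "RC4-MD5"),
    "rsa_rc4_128_sha":      ("TLS_RSA_WITH_RC4_128_SHA",      "RC4-SHA"),
    "rsa_des_cbc_sha":      ("TLS_RSA_WITH_DES_CBC_SHA",      "DES-CBC-SHA"),
    "rsa_3des_ede_cbc_sha": ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "DES-CBC3-SHA"),
    "rsa_aes_128_cbc_sha":  ("TLS_RSA_WITH_AES_128_CBC_SHA",  "AES128-SHA"),
    "rsa_aes_256_cbc_sha":  ("TLS_RSA_WITH_AES_256_CBC_SHA",  "AES256-SHA"),
}

def iana_name(keyword):
    return SUITES[keyword.lower()][0]

def openssl_name(keyword):
    return SUITES[keyword.lower()][1]

def client_context(keyword):
    """TLS 1.0-only client context that offers exactly one cipher suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # we test suite support, not identity
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1
    # Servers of this generation may lack RFC 5746 secure renegotiation;
    # OpenSSL 3 refuses them unless SSL_OP_LEGACY_SERVER_CONNECT (0x4) is set.
    ctx.options |= getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4)
    # @SECLEVEL=0 re-enables the RC4/DES/MD5 suites that default policy drops.
    ctx.set_ciphers(openssl_name(keyword) + ":@SECLEVEL=0")
    return ctx

def probe(host, port, keyword, timeout=5.0):
    """Return "accepted", "rejected", "unsupported-locally" or "unreachable"."""
    try:
        ctx = client_context(keyword)
    except (ssl.SSLError, ValueError):
        return "unsupported-locally"    # local OpenSSL cannot even offer it
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                negotiated = tls.cipher()[0]    # OpenSSL name of chosen suite
                return "accepted" if negotiated == openssl_name(keyword) else "rejected"
    except ssl.SSLError:
        return "rejected"               # handshake alert: policy excludes it
    except OSError:
        return "unreachable"

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"   # hypothetical target
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for keyword in SUITES:
        print(f"{keyword:<22} {iana_name(keyword):<32} {probe(host, port, keyword)}")
```

A suite reported as accepted that is not in the policy's ciphersuite list, or one reported as rejected that is, means the listener is not using the policy you think it is. SSL 3.0 cannot be probed this way, since current OpenSSL builds no longer implement it.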

version

Syntax

version { ssl3.0 | tls1.0 }

undo version

View

SSL client policy view

Default Level

2: System level

Parameters

ssl3.0: Specifies SSL 3.0.

tls1.0: Specifies TLS 1.0.

Description

Use the version command to specify the SSL protocol version for an SSL client policy.

Use the undo version command to restore the default.

By default, the SSL protocol version for an SSL client policy is TLS 1.0. SSL 3.0 is deprecated (RFC 7568) and its CBC suites are subject to padding-oracle attacks, so keep the default unless the server accepts nothing else.

Related commands: display ssl client-policy.

Examples

# Specify the SSL protocol version for SSL client policy policy1 as SSL 3.0.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] version ssl3.0
