SSL configuration commands 1

ciphersuite· 1

client-verify enable· 2

client-verify weaken· 2

close-mode wait 3

display ssl client-policy· 4

display ssl server-policy· 5

handshake timeout 6

pki-domain· 7

prefer-cipher 7

server-verify enable· 8

session· 9

ssl client-policy· 10

ssl server-policy· 10

version· 11

 

ciphersuite

Syntax

ciphersuite [ rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *

View

SSL server policy view

Default level

2: System level

Parameters

rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 3DES_EDE_CBC, and the MAC algorithm of SHA.

rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA.

rsa_aes_256_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 256-bit AES_CBC, and the MAC algorithm of SHA.

rsa_des_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of DES_CBC, and the MAC algorithm of SHA.

rsa_rc4_128_md5: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of MD5.

rsa_rc4_128_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of SHA.

Description

Use the ciphersuite command to specify the cipher suites for an SSL server policy to support.

By default, an SSL server policy supports all cipher suites.

With no keyword specified, the command configures an SSL server policy to support all cipher suites.

If you execute the command repeatedly, the last one takes effect.

Related commands: display ssl server-policy.

Examples

# Configure SSL server policy policy1 to support cipher suites rsa_rc4_128_md5 and rsa_rc4_128_sha.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] ciphersuite rsa_rc4_128_md5 rsa_rc4_128_sha

client-verify enable

Syntax

client-verify enable

undo client-verify enable

View

SSL server policy view

Default level

2: System level

Parameters

None

Description

Use the client-verify enable command to configure the SSL server to require the client to pass certificate-based authentication.

Use the undo client-verify enable command to restore the default.

By default, the SSL server does not require certificate-based SSL client authentication.

If you configure the client-verify enable command and enable the SSL client weak authentication function, whether the client must be authenticated is up to the client. If the client chooses to be authenticated, the client must pass authentication before accessing the SSL server; otherwise, the client can access the SSL server without authentication.

If you configure the client-verify enable command but disable the SSL client weak authentication function, the SSL client must pass authentication before accessing the SSL server.

Related commands: client-verify weaken and display ssl server-policy.

Examples

# Configure the SSL server to require certificate-based SSL client authentication.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] client-verify enable

client-verify weaken

Syntax

client-verify weaken

undo client-verify weaken

View

SSL server policy view

Default level

2: System level

Parameters

None

Description

Use the client-verify weaken command to enable SSL client weak authentication.

Use the undo client-verify weaken command to restore the default.

By default, SSL client weak authentication is disabled.

If the SSL server requires certificate-based client authentication and the SSL client weak authentication function is enabled, whether the client must be authenticated is up to the client. If the client chooses to be authenticated, the client must pass authentication before accessing the SSL server; otherwise, the client can access the SSL server without authentication.

If the SSL server requires certificate-based client authentication and SSL client weak authentication is disabled, the SSL client must pass authentication before accessing the SSL server.

 

NOTE: The client-verify weaken command takes effect only when the SSL server requires certificate-based client authentication.

 

Related commands: client-verify enable and display ssl server-policy.

Examples

# Enable SSL client weak authentication.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] client-verify enable

[Sysname-ssl-server-policy-policy1] client-verify weaken

close-mode wait

Syntax

close-mode wait

undo close-mode wait

View

SSL server policy view

Default level

2: System level

Parameters

None

Description

Use the close-mode wait command to set the SSL connection close mode to wait mode. In this mode, after sending a close-notify alert message to a client, the server does not close the connection until it receives a close-notify alert message from the client.

Use the undo close-mode wait command to restore the default.

By default, an SSL server sends a close-notify alert message to the client and closes the connection without waiting for the close-notify alert message from the client.

Related commands: display ssl server-policy.

Examples

# Set the SSL connection close mode to wait.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] close-mode wait

display ssl client-policy

Syntax

display ssl client-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

policy-name: SSL client policy name, a case-insensitive string of 1 to 16 characters.

all: Displays information about all SSL client policies.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display ssl client-policy command to view information about a specified SSL client policy or all SSL client policies.

Examples

# Display information about SSL client policy policy1.

<Sysname> display ssl client-policy policy1

 SSL Client Policy: policy1

     SSL Version: SSL 3.0

     PKI Domain: 1

     Prefer Ciphersuite:

         RSA_RC4_128_SHA

     Server-verify: enabled

Table 1 Output description

Field	Description
SSL Client Policy	SSL client policy name
SSL Version	Version of the protocol used by the SSL client policy, SSL 3.0 or TLS 1.0
PKI Domain	PKI domain of the SSL client policy
Prefer Ciphersuite	Preferred cipher suite of the SSL client policy
Server-verify	Whether server authentication is enabled for the SSL client policy

 

display ssl server-policy

Syntax

display ssl server-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

policy-name: SSL server policy name, a case-insensitive string of 1 to 16 characters.

all: Displays information about all SSL server policies.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display ssl server-policy command to view information about a specified SSL server policy or all SSL server policies.

Examples

# Display information about SSL server policy policy1.

<Sysname> display ssl server-policy policy1

 SSL Server Policy: policy1

     PKI Domain: domain1

     Ciphersuite:

         RSA_RC4_128_MD5

         RSA_RC4_128_SHA

         RSA_DES_CBC_SHA

         RSA_3DES_EDE_CBC_SHA

         RSA_AES_128_CBC_SHA

         RSA_AES_256_CBC_SHA

     Handshake Timeout: 3600

     Close-mode: wait disabled

     Session Timeout: 3600

     Session Cachesize: 500

     Client-verify: disabled

     Client-verify weaken: disabled

Table 2 Output description

Field	Description
SSL Server Policy	SSL server policy name.
PKI Domain	PKI domain used by the SSL server policy.
Ciphersuite	Cipher suites supported by the SSL server policy.
Handshake Timeout	Handshake timeout time of the SSL server policy, in seconds.
Close-mode	Close mode of the SSL server policy: ·       wait disabled—In this mode, the server sends a close-notify alert message to the client and then closes the connection immediately without waiting for the close-notify alert message of the client. ·       wait enabled—In this mode, the server sends a close-notify alert message to the client and then waits for the close-notify alert message of the client. Only after receiving the expected message, does the server close the connection.
Session Timeout	Session timeout time of the SSL server policy, in seconds.
Session Cachesize	Maximum number of buffered sessions of the SSL server policy.
Client-verify	Whether the SSL server policy requires the client to be authenticated.

 

handshake timeout

Syntax

handshake timeout time

undo handshake timeout

View

SSL server policy view

Default level

2: System level

Parameters

time: Handshake timeout time in seconds, in the range of 180 to 7200.

Description

Use the handshake timeout command to set the handshake timeout time for an SSL server policy.

Use the undo handshake timeout command to restore the default.

By default, the handshake timeout time is 3600 seconds.

If the SSL server does not receive any packet from the SSL client before the handshake timeout time expires, the SSL server will terminate the handshake process.

Related commands: display ssl server-policy.

Examples

# Set the handshake timeout time of SSL server policy policy1 to 3000 seconds.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] handshake timeout 3000

pki-domain

Syntax

pki-domain domain-name

undo pki-domain

View

SSL server policy view, SSL client policy view

Default level

2: System level

Parameters

domain-name: Name of a PKI domain, a case-insensitive string of 1 to 15 characters.

Description

Use the pki-domain command to specify a PKI domain for an SSL server policy or SSL client policy.

Use the undo pki-domain command to restore the default.

By default, no PKI domain is configured for an SSL server policy or SSL client policy.

Related commands: display ssl server-policy and display ssl client-policy.

Examples

# Configure SSL server policy policy1 to use PKI domain server-domain.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] pki-domain server-domain

# Configure SSL client policy policy1 to use PKI domain client-domain.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] pki-domain client-domain

prefer-cipher

Syntax

prefer-cipher { rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }

undo prefer-cipher

View

SSL client policy view

Default level

2: System level

Parameters

rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 3DES_EDE_CBC, and the MAC algorithm of SHA.

rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA.

rsa_aes_256_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 256-bit AES_CBC, and the MAC algorithm of SHA.

rsa_des_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of DES_CBC, and the MAC algorithm of SHA.

rsa_rc4_128_md5: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of MD5.

rsa_rc4_128_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of SHA.

Description

Use the prefer-cipher command to specify the preferred cipher suite for an SSL client policy.

Use the undo prefer-cipher command to restore the default.

By default, the preferred cipher suite for an SSL client policy is rsa_rc4_128_md5.

Related commands: display ssl client-policy.

Examples

# Set the preferred cipher suite for SSL client policy policy1 to rsa_aes_128_cbc_sha.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] prefer-cipher rsa_aes_128_cbc_sha

server-verify enable

Syntax

server-verify enable

undo server-verify enable

View

SSL client policy view

Default level

2: System level

Parameters

None

Description

Use the server-verify enable command to enable certificate-based SSL server authentication so that the SSL client authenticates the server by the server’s certificate during the SSL handshake process.

Use the undo server-verify enable command to disable certificate-based SSL server authentication. When certificate-based SSL server authentication is disabled, it is assumed that the SSL server is valid.

By default, certificate-based SSL server authentication is enabled.

Related commands: display ssl client-policy.

Examples

# Enable certificate-based SSL server authentication.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] server-verify enable

session

Syntax

session { cachesize size | timeout time } *

undo session { cachesize | timeout } *

View

SSL server policy view

Default level

2: System level

Parameters

cachesize size: Specifies the maximum number of cached sessions, in the range of 100 to 1000.

timeout time: Specifies the caching timeout time in seconds, in the range of 1800 to 72000.

Description

Use the session command to set the maximum number of cached sessions and the caching timeout time.

Use the undo session command to restore the default.

By default, the maximum number of cached sessions is 500 and the caching timeout time is 3600 seconds.

It is a complicated process to use the SSL handshake protocol to negotiate session parameters and establish sessions. To simplify the process, SSL allows reusing negotiated session parameters to establish sessions. This feature requires that the SSL server maintain information about existing sessions.

The number of cached sessions and the session information caching time are limited:

·           If the number of sessions in the cache reaches the maximum, SSL rejects to cache new sessions.

·           If a session has been cached for a period equal to the caching timeout time, SSL will remove the information of the session.

Related commands: display ssl server-policy.

Examples

# Set the caching timeout time to 4000 seconds and the maximum number of cached sessions to 600.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] session timeout 4000 cachesize 600

ssl client-policy

Syntax

ssl client-policy policy-name

undo ssl client-policy { policy-name | all }

View

System view

Default level

2: System level

Parameters

policy-name: SSL client policy name, a case-insensitive string of 1 to 16 characters, which cannot be “a”, “al”, or “all”.

all: Specifies all SSL client policies.

Description

Use the ssl client-policy command to create an SSL policy and enter its view.

Use the undo ssl client-policy command to delete a specified SSL client policy or all SSL client policies.

Related commands: display ssl client-policy.

Examples

# Create SSL client policy policy1 and enter its view.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1]

ssl server-policy

Syntax

ssl server-policy policy-name

undo ssl server-policy { policy-name | all }

View

System view

Default level

2: System level

Parameters

policy-name: SSL server policy name, a case-insensitive string of 1 to 16 characters, which cannot be “a”, “al”, or “all”.

all: Specifies all SSL server policies.

Description

Use the ssl server-policy command to create an SSL server policy and enter its view.

Use the undo ssl server-policy command to delete a specified SSL server policy or all SSL server policies.

You cannot delete an SSL server policy that has been associated with one or more application layer protocols.

Related commands: display ssl server-policy.

Examples

# Create SSL server policy policy1 and enter its view.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1]

version

Syntax

version { ssl3.0 | tls1.0 }

undo version

View

SSL client policy view

Default level

2: System level

Parameters

ssl3.0: Specifies SSL 3.0.

tls1.0: Specifies TLS 1.0.

Description

Use the version command to specify the SSL protocol version for an SSL client policy.

Use the undo version command to restore the default.

By default, the SSL protocol version for an SSL client policy is TLS 1.0.

Related commands: display ssl client-policy.

Examples

# Specify the SSL protocol version for SSL client policy policy1 as SSL 3.0.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] version ssl3.0