The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and command options might differ in FIPS mode and non-FIPS mode. For information about FIPS mode, see Security Configuration Guide.

ciphersuite

Syntax

View

SSL server policy view

Default level

2: System level

Parameters

dhe_rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of DH_RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA. This keyword is available only for FIPS mode.

dhe_rsa_aes_256_cbc_sha: Specifies the key exchange algorithm of DH_RSA, the data encryption algorithm of 256-bit AES_CBC, and the MAC algorithm of SHA. This keyword is available only for FIPS mode.

rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 3DES_EDE_CBC, and the MAC algorithm of SHA. This keyword is not available for FIPS mode.

rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA.

rsa_aes_256_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 256-bit AES_CBC, and the MAC algorithm of SHA.

rsa_des_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of DES_CBC, and the MAC algorithm of SHA. This keyword is not available for FIPS mode.

rsa_rc4_128_md5: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of MD5. This keyword is not available for FIPS mode.

rsa_rc4_128_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of SHA. This keyword is not available for FIPS mode.

Description

Use ciphersuite to specify the cipher suites for an SSL server policy to support.

By default, an SSL server policy supports all cipher suites.

With no keyword specified, the command configures an SSL server policy to support all cipher suites.

If you execute the command multiple times, the most recent configuration takes effect.

Related commands: display ssl server-policy.

Examples

# Configure SSL server policy policy1 to support cipher suites rsa_rc4_128_md5 and rsa_rc4_128_sha.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] ciphersuite rsa_rc4_128_md5 rsa_rc4_128_sha

client-verify enable

Syntax

client-verify enable

undo client-verify enable

View

SSL server policy view

Default level

2: System level

Parameters

None

Description

Use client-verify enable to configure the SSL server to require the client to pass certificate-based authentication.

Use undo client-verify enable to restore the default.

By default, the SSL server does not require certificate-based SSL client authentication.

If you configure the client-verify enable command and enable the SSL client weak authentication function, whether the client must be authenticated is up to the client. If the client chooses to be authenticated, the client must pass authentication before accessing the SSL server; otherwise, the client can access the SSL server without authentication.

If you configure the client-verify enable command but disable the SSL client weak authentication function, the SSL client must pass authentication before accessing the SSL server.

Related commands: client-verify weaken and display ssl server-policy.

Examples

# Configure the SSL server to require certificate-based SSL client authentication.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] client-verify enable

client-verify weaken

Syntax

client-verify weaken

undo client-verify weaken

View

SSL server policy view

Default level

2: System level

Parameters

None

Description

Use client-verify weaken to enable SSL client weak authentication.

Use undo client-verify weaken to restore the default.

By default, SSL client weak authentication is disabled.

If the SSL server requires certificate-based client authentication and the SSL client weak authentication function is enabled, whether the client must be authenticated is up to the client. If the client chooses to be authenticated, the client must pass authentication before accessing the SSL server; otherwise, the client can access the SSL server without authentication.

If the SSL server requires certificate-based client authentication and SSL client weak authentication is disabled, the SSL client must pass authentication before accessing the SSL server.

NOTE:

The client-verify weaken command takes effect only when the SSL server requires certificate-based client authentication.

Related commands: client-verify enable and display ssl server-policy.

Examples

# Enable SSL client weak authentication.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] client-verify enable

[Sysname-ssl-server-policy-policy1] client-verify weaken

close-mode wait

Syntax

close-mode wait

undo close-mode wait

View

SSL server policy view

Default level

2: System level

Parameters

None

Description

Use close-mode wait to set the SSL connection close mode to wait mode. In this mode, after sending a close-notify alert message to a client, the server does not close the connection until it receives a close-notify alert message from the client.

Use undo close-mode wait to restore the default.

By default, an SSL server sends a close-notify alert message to the client and closes the connection without waiting for the close-notify alert message from the client.

Related commands: display ssl server-policy.

Examples

# Set the SSL connection close mode to wait.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] close-mode wait

display ssl client-policy

Syntax

display ssl client-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 16 characters.

all: Displays information about all SSL client policies.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display ssl client-policy to view information about a specified SSL client policy or all SSL client policies.

Examples

# Display information about SSL client policy policy1.

<Sysname> display ssl client-policy policy1

SSL Client Policy: policy1

SSL Version: SSL 3.0

PKI Domain: 1

Prefer Ciphersuite:

RSA_RC4_128_SHA

Server-verify: enabled

Table 1 Command output

Field	Description
SSL Client Policy	SSL client policy name.
SSL Version	Version of the protocol used by the SSL client policy, SSL 3.0 or TLS 1.0
PKI Domain	PKI domain of the SSL client policy.
Prefer Ciphersuite	Preferred cipher suite of the SSL client policy.
Server-verify	Whether server authentication is enabled for the SSL client policy.

display ssl server-policy

Syntax

display ssl server-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

policy-name: Specifies an SSL server policy by its name, a case-insensitive string of 1 to 16 characters.

all: Displays information about all SSL server policies.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display ssl server-policy to view information about a specified SSL server policy or all SSL server policies.

Examples

# Display information about SSL server policy policy1.

<Sysname> display ssl server-policy policy1

SSL Server Policy: policy1

PKI Domain: domain1

Ciphersuite:

RSA_RC4_128_MD5

RSA_RC4_128_SHA

RSA_DES_CBC_SHA

RSA_3DES_EDE_CBC_SHA

RSA_AES_128_CBC_SHA

RSA_AES_256_CBC_SHA

Handshake Timeout: 3600

Close-mode: wait disabled

Session Timeout: 3600

Session Cachesize: 500

Client-verify: disabled

Client-verify weaken: disabled

Table 2 Command output

Field	Description
SSL Server Policy	SSL server policy name.
PKI Domain	PKI domain used by the SSL server policy.
Ciphersuite	Cipher suites supported by the SSL server policy.
Handshake Timeout	Handshake timeout time of the SSL server policy, in seconds.
Close-mode	Close mode of the SSL server policy: · wait disabled—In this mode, the server sends a close-notify alert message to the client and then closes the connection immediately without waiting for the close-notify alert message of the client. · wait enabled—In this mode, the server sends a close-notify alert message to the client and then waits for the close-notify alert message of the client. The server closes the connection only when it receives the expected message.
Session Timeout	Session timeout time of the SSL server policy, in seconds.
Session Cachesize	Maximum number of buffered sessions of the SSL server policy.
Client-verify	Whether the SSL server policy requires the client to be authenticated.

handshake timeout

Syntax

handshake timeout time

undo handshake timeout

View

SSL server policy view

Default level

2: System level

Parameters

time: Specifies the handshake timeout time in seconds, in the range of 180 to 7200.

Description

Use handshake timeout to set the handshake timeout time for an SSL server policy.

Use undo handshake timeout to restore the default.

By default, the handshake timeout time is 3600 seconds.

If the SSL server does not receive any packet from the SSL client before the handshake timeout time expires, the SSL server will terminate the handshake process.

Related commands: display ssl server-policy.

Examples

# Set the handshake timeout time of SSL server policy policy1 to 3000 seconds.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] handshake timeout 3000

pki-domain

Syntax

pki-domain domain-name

undo pki-domain

View

SSL server policy view, SSL client policy view

Default level

2: System level

Parameters

domain-name: Specify a PKI domain by its name, a case-insensitive string of 1 to 15 characters.

Description

Use pki-domain to specify a PKI domain for an SSL server policy or SSL client policy.

Use undo pki-domain to restore the default.

By default, no PKI domain is configured for an SSL server policy or SSL client policy.

Related commands: display ssl server-policy and display ssl client-policy.

Examples

# Configure SSL server policy policy1 to use PKI domain server-domain.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] pki-domain server-domain

# Configure SSL client policy policy1 to use PKI domain client-domain.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] pki-domain client-domain

prefer-cipher

Syntax

prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }

undo prefer-cipher

View

SSL client policy view