07-Security Command Reference

H3C Access Controllers Command References (E3703P61 R2509P61 R3709P61 R2609P61 R3509P61)-6W102, 07-Security Command Reference
11-SSL Commands

SSL configuration commands

ciphersuite

Use ciphersuite to specify the cipher suites supported by an SSL server policy.

Syntax

In non-FIPS mode:

ciphersuite [ rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *

In FIPS mode:

ciphersuite [ dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha ] *

Default

An SSL server policy supports all cipher suites.

Views

SSL server policy view

Default command level

2: System level

Parameters

dhe_rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of DHE_RSA (ephemeral Diffie-Hellman authenticated with RSA), the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA. Available only in FIPS mode.

dhe_rsa_aes_256_cbc_sha: Specifies the key exchange algorithm of DHE_RSA, the data encryption algorithm of 256-bit AES_CBC, and the MAC algorithm of SHA. Available only in FIPS mode.

rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 3DES_EDE_CBC, and the MAC algorithm of SHA. Not available in FIPS mode.

rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA.

rsa_aes_256_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 256-bit AES_CBC, and the MAC algorithm of SHA.

rsa_des_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of DES_CBC (56-bit key), and the MAC algorithm of SHA. Not available in FIPS mode.

rsa_rc4_128_md5: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of MD5. Not available in FIPS mode.

rsa_rc4_128_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of SHA. Not available in FIPS mode.

Usage guidelines

If you do not specify a cipher suite, the SSL server policy supports all cipher suites, including the weak ones listed below.

If you execute the command multiple times, the most recent configuration takes effect. The command replaces the whole list rather than adding to it, so name every suite you want the policy to keep.

rsa_des_cbc_sha (56-bit DES), rsa_rc4_128_sha and rsa_rc4_128_md5 (RC4, which RFC 7465 prohibits for TLS; the latter also relies on MD5) are cryptographically weak. Where the clients allow it, restrict a server policy to the AES suites and confirm the result with display ssl server-policy.

Examples

# Configure SSL server policy policy1 to support cipher suites rsa_rc4_128_md5 and rsa_rc4_128_sha.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] ciphersuite rsa_rc4_128_md5 rsa_rc4_128_sha

Related commands

display ssl server-policy

client-verify enable

Use client-verify enable to configure the SSL server to require the client to pass certificate-based authentication.

Use undo client-verify enable to restore the default.

Syntax

client-verify enable

undo client-verify enable

Default

The SSL server does not require certificate-based SSL client authentication.

Views

SSL server policy view

Default command level

2: System level

Usage guidelines

If you configure the client-verify enable command and also enable SSL client weak authentication (client-verify weaken), the client chooses whether to present a certificate. A client that presents a certificate must pass authentication before it can access the SSL server. A client that presents no certificate can access the SSL server without authentication, so weak authentication does not enforce client identity.

If you configure the client-verify enable command and leave SSL client weak authentication disabled, the SSL client must pass certificate-based authentication before accessing the SSL server.

Examples

# Configure the SSL server to require certificate-based SSL client authentication.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] client-verify enable

Related commands

·     client-verify weaken

·     display ssl server-policy

client-verify weaken

Use client-verify weaken to enable SSL client weak authentication.

Use undo client-verify weaken to restore the default.

Syntax

client-verify weaken

undo client-verify weaken

Default

SSL client weak authentication is disabled.

Views

SSL server policy view

Default command level

2: System level

Usage guidelines

The client-verify weaken command takes effect only when the SSL server requires certificate-based client authentication (client-verify enable).

If the SSL server requires certificate-based client authentication and SSL client weak authentication is enabled, the client chooses whether to present a certificate. A client that presents a certificate must pass authentication before it can access the SSL server. A client that presents no certificate can access the SSL server without authentication. Because an unauthenticated client can reach the server in this mode, enable weak authentication only while clients are being migrated to certificates, and disable it afterwards.

If the SSL server requires certificate-based client authentication and SSL client weak authentication is disabled, the SSL client must pass authentication before accessing the SSL server.

Examples

# Enable SSL client weak authentication.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] client-verify enable

[Sysname-ssl-server-policy-policy1] client-verify weaken

Related commands

·     client-verify enable

·     display ssl server-policy

close-mode wait

Use close-mode wait to set the SSL connection close mode to wait mode. In this mode, after sending a close-notify alert message to a client, the server does not close the connection until it receives a close-notify alert message from the client.

Use undo close-mode wait to restore the default.

Syntax

close-mode wait

undo close-mode wait

Default

An SSL server sends a close-notify alert message to the client and closes the connection without waiting for the close-notify alert message from the client.

Views

SSL server policy view

Default command level

2: System level

Examples

# Set the SSL connection close mode to wait.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] close-mode wait

Related commands

display ssl server-policy

display ssl client-policy

Use display ssl client-policy to view information about one or all SSL client policies.

Syntax

display ssl client-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 16 characters.

all: Displays information about all SSL client policies.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about SSL client policy policy1.

<Sysname> display ssl client-policy policy1

 SSL Client Policy: policy1

     SSL Version: SSL 3.0

     PKI Domain: 1

     Prefer Ciphersuite:

         RSA_RC4_128_SHA

     Server-verify: enabled

Table 1 Command output

Field

Description

SSL Client Policy

SSL client policy name.

SSL Version

Version of the protocol used by the SSL client policy: SSL 3.0 or TLS 1.0.

PKI Domain

PKI domain of the SSL client policy.

Prefer Ciphersuite

Preferred cipher suite of the SSL client policy.

Server-verify

Whether server authentication is enabled for the SSL client policy.

 

display ssl server-policy

Use display ssl server-policy to view information about one or all SSL server policies.

Syntax

display ssl server-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

policy-name: Specifies an SSL server policy by its name, a case-insensitive string of 1 to 16 characters.

all: Displays information about all SSL server policies.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about SSL server policy policy1.

<Sysname> display ssl server-policy policy1

 SSL Server Policy: policy1

     PKI Domain: domain1

     Ciphersuite:

         RSA_RC4_128_MD5

         RSA_RC4_128_SHA

         RSA_DES_CBC_SHA

         RSA_3DES_EDE_CBC_SHA

         RSA_AES_128_CBC_SHA

         RSA_AES_256_CBC_SHA

     Handshake Timeout: 3600

     Close-mode: wait disabled

     Session Timeout: 3600

     Session Cachesize: 500

     Client-verify: disabled

     Client-verify weaken: disabled

Table 2 Command output

Field

Description

SSL Server Policy

SSL server policy name.

PKI Domain

PKI domain used by the SSL server policy.

If no PKI domain is specified for the SSL server policy, nothing is displayed for this field, and the SSL server generates and signs a certificate for itself and does not obtain a certificate from a CA server.

Ciphersuite

Cipher suites supported by the SSL server policy.

Handshake Timeout

Handshake timeout time of the SSL server policy, in seconds.

Close-mode

Close mode of the SSL server policy:

·     wait disabledIn this mode, the server sends a close-notify alert message to the client and then closes the connection immediately without waiting for the close-notify alert message of the client.

·     wait enabledIn this mode, the server sends a close-notify alert message to the client and then waits for the close-notify alert message of the client. The server closes the connection only after receiving the expected message.

Session Timeout

Session timeout time of the SSL server policy, in seconds.

Session Cachesize

Maximum number of buffered sessions of the SSL server policy.

Client-verify

Whether the SSL server policy requires the client to be authenticated.

Client-verify weaken

Whether SSL client weak authentication is enabled for the SSL server policy. The setting matters only when Client-verify is enabled.
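The listing above is what an operator has to read to confirm that the ciphersuite, client-verify and pki-domain settings are what they should be. The following Python script is an added example by the editor, not H3C code or output from this reference: it parses the text shape of display ssl server-policy shown above, maps each H3C suite keyword to its IANA name, flags the RC4, DES and 3DES suites, a missing PKI domain, and client-verify weaken, and prints the SSL server policy view commands that remove the weak settings. In the constructed sample, policy1 is the page's own example output; policy2, the IANA mapping and the weak/legacy grading are the editor's additions.

```python
"""Audit 'display ssl server-policy' output for weak SSL settings (editor's
example, not H3C code). Parses the 'Field: value' layout shown in this
reference, with suite names one per line under 'Ciphersuite:'."""

# H3C display keyword -> IANA cipher suite name (editor's mapping)
IANA = {
    "RSA_RC4_128_MD5": "TLS_RSA_WITH_RC4_128_MD5",
    "RSA_RC4_128_SHA": "TLS_RSA_WITH_RC4_128_SHA",
    "RSA_DES_CBC_SHA": "TLS_RSA_WITH_DES_CBC_SHA",
    "RSA_3DES_EDE_CBC_SHA": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "RSA_AES_128_CBC_SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "RSA_AES_256_CBC_SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "DHE_RSA_AES_128_CBC_SHA": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "DHE_RSA_AES_256_CBC_SHA": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}
# Editor's grading (RC4: RFC 7465; DES: 56-bit key; 3DES: 64-bit block); AES suites get none
GRADE = {
    "RSA_RC4_128_MD5": ("weak", "RC4 stream cipher with an MD5 MAC"),
    "RSA_RC4_128_SHA": ("weak", "RC4 stream cipher"),
    "RSA_DES_CBC_SHA": ("weak", "single DES, 56-bit key"),
    "RSA_3DES_EDE_CBC_SHA": ("legacy", "3DES, 64-bit block (Sweet32 birthday bound)"),
}

# Constructed sample: policy1 is the page's example output; policy2 is the
# editor's addition (no PKI domain, weak client authentication enabled).
SAMPLE = """\
 SSL Server Policy: policy1
     PKI Domain: domain1
     Ciphersuite:
         RSA_RC4_128_MD5
         RSA_RC4_128_SHA
         RSA_DES_CBC_SHA
         RSA_3DES_EDE_CBC_SHA
         RSA_AES_128_CBC_SHA
         RSA_AES_256_CBC_SHA
     Handshake Timeout: 3600
     Close-mode: wait disabled
     Session Timeout: 3600
     Session Cachesize: 500
     Client-verify: disabled
     Client-verify weaken: disabled
 SSL Server Policy: policy2
     PKI Domain:
     Ciphersuite:
         RSA_AES_128_CBC_SHA
         RSA_AES_256_CBC_SHA
     Client-verify: enabled
     Client-verify weaken: enabled
"""

def parse_server_policies(text):
    """Return one dict per 'SSL Server Policy:' block in the listing."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("SSL Server Policy:"):
            current = {"name": line.split(":", 1)[1].strip(), "Ciphersuite": []}
            policies.append(current)
        elif current is None:
            continue  # prompt or banner text before the first policy header
        elif ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            if key != "Ciphersuite":  # 'Ciphersuite:' is only a header line
                current[key] = value
        else:
            current["Ciphersuite"].append(line)  # bare suite name under the header
    return policies

def audit_policy(policy):
    """Return (severity, message) findings for one parsed policy."""
    findings = []
    for suite in policy["Ciphersuite"]:
        if suite in GRADE:
            severity, reason = GRADE[suite]
            findings.append((severity, f"{suite} = {IANA[suite]}: {reason}"))
    if not policy.get("PKI Domain"):
        findings.append(("weak", "no PKI domain: self-signed server certificate, not CA-validatable"))
    if policy.get("Client-verify") == "enabled" and policy.get("Client-verify weaken") == "enabled":
        findings.append(("weak", "client-verify weaken: a client sending no certificate is accepted"))
    return findings

def remediation(policy):
    """SSL server policy view commands that remove the flagged settings."""
    suites, commands = policy["Ciphersuite"], []
    if any(s in GRADE for s in suites):
        # ciphersuite replaces the whole list, so restate the suites worth keeping
        keep = [s.lower() for s in suites if s not in GRADE]
        commands.append("ciphersuite " + " ".join(keep or ["rsa_aes_128_cbc_sha", "rsa_aes_256_cbc_sha"]))
    if policy.get("Client-verify weaken") == "enabled":
        commands.append("undo client-verify weaken")
    return commands

if __name__ == "__main__":
    for policy in parse_server_policies(SAMPLE):
        print(f"[{policy['name']}]")
        for severity, message in audit_policy(policy):
            print(f"  {severity:<7} {message}")
        for command in remediation(policy):
            print(f"  fix     {command}")
```

Feed it the captured output of display ssl server-policy all instead of SAMPLE to audit a live device. The remediation restates the surviving suites because, as the ciphersuite usage guidelines say, the most recent ciphersuite command replaces the previous list.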

handshake timeout

Use handshake timeout to set the handshake timeout time for an SSL server policy.

Use undo handshake timeout to restore the default.

Syntax

handshake timeout time

undo handshake timeout

Default

The handshake timeout time is 3600 seconds.

Views

SSL server policy view

Default command level

2: System level

Parameters

time: Specifies the handshake timeout time in seconds. The range is 180 to 7200.

Usage guidelines

If the SSL server receives no packet from the SSL client before the handshake timeout time expires, the SSL server terminates the handshake process.

Examples

# Set the handshake timeout time to 3000 seconds for SSL server policy policy1.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] handshake timeout 3000

Related commands

display ssl server-policy

pki-domain

Use pki-domain to specify a PKI domain for an SSL server policy or SSL client policy.

Use undo pki-domain to restore the default.

Syntax

pki-domain domain-name

undo pki-domain

Default

No PKI domain is configured for an SSL server policy or SSL client policy.

Views

SSL server policy view, SSL client policy view

Default command level

2: System level

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 15 characters.

Usage guidelines

If you do not specify a PKI domain for an SSL server policy, the SSL server generates and signs a certificate for itself rather than obtaining one from a CA server. A client that verifies the server certificate cannot validate such a self-signed certificate through a CA, so specify a PKI domain for any server policy whose clients check the server certificate.

Examples

# Configure SSL server policy policy1 to use PKI domain server-domain.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] pki-domain server-domain

# Configure SSL client policy policy1 to use PKI domain client-domain.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] pki-domain client-domain

Related commands

·     display ssl server-policy

·     display ssl client-policy

prefer-cipher

Use prefer-cipher to specify the preferred cipher suite for an SSL client policy.

Use undo prefer-cipher to restore the default.

Syntax

In non-FIPS mode:

prefer-cipher { rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }

undo prefer-cipher

In FIPS mode:

prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha }

undo prefer-cipher

Default

The preferred cipher suite for an SSL client policy is rsa_rc4_128_md5. Because RC4 and MD5 are cryptographically weak, set an AES suite explicitly in any client policy you deploy.

Views

SSL client policy view

Default command level

2: System level

Parameters

dhe_rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of DHE_RSA (ephemeral Diffie-Hellman authenticated with RSA), the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA. Available only in FIPS mode.

dhe_rsa_aes_256_cbc_sha: Specifies the key exchange algorithm of DHE_RSA, the data encryption algorithm of 256-bit AES_CBC, and the MAC algorithm of SHA. Available only in FIPS mode.

rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 3DES_EDE_CBC, and the MAC algorithm of SHA. Not available in FIPS mode.

rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA.

rsa_aes_256_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 256-bit AES_CBC, and the MAC algorithm of SHA.

rsa_des_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of DES_CBC (56-bit key), and the MAC algorithm of SHA. Not available in FIPS mode.

rsa_rc4_128_md5: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of MD5. Not available in FIPS mode.

rsa_rc4_128_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of SHA. Not available in FIPS mode.

Examples

# Set the preferred cipher suite to rsa_aes_128_cbc_sha for SSL client policy policy1.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] prefer-cipher rsa_aes_128_cbc_sha

Related commands

display ssl client-policy

server-verify enable

Use server-verify enable to enable certificate-based SSL server authentication so that the SSL client authenticates the server by the server's certificate during the SSL handshake process.

Use undo server-verify enable to disable certificate-based SSL server authentication. When certificate-based SSL server authentication is disabled, the client treats any server as valid without checking its certificate, so the connection is not protected against an attacker who impersonates the server.

Syntax

server-verify enable

undo server-verify enable

Default

Certificate-based SSL server authentication is enabled.

Views

SSL client policy view

Default command level

2: System level

Examples

# Enable certificate-based SSL server authentication.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] server-verify enable

Related commands

display ssl client-policy

session

Use session to set the maximum number of cached sessions and the caching timeout time.

Use undo session to restore the default.

Syntax

session { cachesize size | timeout time } *

undo session { cachesize | timeout } *

Default

The maximum number of cached sessions is 500, and the caching timeout time is 3600 seconds.

Views

SSL server policy view

Default command level

2: System level

Parameters

cachesize size: Specifies the maximum number of cached sessions. The range is 100 to 1000.

timeout time: Specifies the caching timeout time in seconds. The range is 1800 to 72000.

Usage guidelines

A full SSL handshake, which negotiates the session parameters and establishes the session, is an expensive process. To avoid repeating it, SSL allows a client to resume a session by reusing the parameters negotiated earlier. This requires the SSL server to keep information about existing sessions in a cache.

The number of cached sessions and the time a session stays in the cache are both limited:

·     If the number of sessions in the cache reaches the maximum, SSL rejects the caching of new sessions. Existing entries are not evicted to make room, so clients whose sessions were not cached must perform a full handshake when they reconnect.

·     If a session has been cached for a period equal to the caching timeout time, SSL removes the information of the session, and the client must perform a full handshake the next time.
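To make the two limits concrete, the following Python model is an added example by the editor, not H3C code: a bounded session cache that expires entries at the caching timeout and rejects new sessions when full instead of evicting old ones, as the usage guidelines describe. The session identifiers, the parameter dictionary and the clock values are constructed; time is passed in explicitly so the model runs offline.

```python
"""Model of the SSL session cache limits set by the session command.

Editor's example, not H3C code. Time is supplied by the caller so the
behaviour at the cachesize and timeout boundaries can be driven offline.
"""


class SessionCache:
    def __init__(self, cachesize=500, timeout=3600):
        # Defaults and ranges are those documented for the session command
        if not 100 <= cachesize <= 1000:
            raise ValueError("cachesize must be 100 to 1000")
        if not 1800 <= timeout <= 72000:
            raise ValueError("timeout must be 1800 to 72000 seconds")
        self.cachesize = cachesize
        self.timeout = timeout
        self._entries = {}  # session id -> (time cached, negotiated parameters)

    def _expire(self, now):
        # A session cached for a period equal to the timeout is removed
        for sid, (cached_at, _) in list(self._entries.items()):
            if now - cached_at >= self.timeout:
                del self._entries[sid]

    def store(self, session_id, params, now):
        """Cache a newly negotiated session; returns False when the cache is full."""
        self._expire(now)
        if len(self._entries) >= self.cachesize:
            return False  # full: nothing is evicted, the new session is not cached
        self._entries[session_id] = (now, params)
        return True

    def resume(self, session_id, now):
        """Parameters for an abbreviated handshake, or None if not cached."""
        self._expire(now)
        entry = self._entries.get(session_id)
        return None if entry is None else entry[1]


def demo(cachesize=100, timeout=1800):
    """Drive the cache through a burst of sessions and past the timeout.

    Returns (sessions cached out of 150, resumable one second before the
    timeout, resumable at the timeout, new session cached once old ones expired).
    """
    cache = SessionCache(cachesize, timeout)
    params = {"ciphersuite": "RSA_AES_128_CBC_SHA"}  # constructed placeholder
    cached = sum(cache.store(f"sid{i}", params, now=0) for i in range(150))
    before = cache.resume("sid0", now=timeout - 1) is not None
    at_timeout = cache.resume("sid0", now=timeout) is not None
    late = cache.store("sid150", params, now=timeout)
    return cached, before, at_timeout, late


if __name__ == "__main__":
    print(demo())  # (100, True, False, True)
```

The point of the burst is the capacity rule: with cachesize 100, the 50 sessions that arrive after the cache is full are never cached, and they only become cacheable again once the earlier entries have aged past the timeout. Size the cache for the expected number of concurrent clients rather than relying on eviction.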

Examples

# Set the caching timeout time to 4000 seconds and the maximum number of cached sessions to 600.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] session timeout 4000 cachesize 600

Related commands

display ssl server-policy

ssl client-policy

Use ssl client-policy to create an SSL client policy and enter its view.

Use undo ssl client-policy to delete a specified SSL client policy or all SSL client policies.

Syntax

ssl client-policy policy-name

undo ssl client-policy { policy-name | all }

Views

System view

Default command level

2: System level

Parameters

policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 16 characters, which cannot be a, al, or all.

all: Specifies all SSL client policies.

Examples

# Create SSL client policy policy1 and enter its view.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1]

Related commands

display ssl client-policy

ssl server-policy

Use ssl server-policy to create an SSL server policy and enter its view.

Use undo ssl server-policy to delete a specified SSL server policy or all SSL server policies.

Syntax

ssl server-policy policy-name

undo ssl server-policy { policy-name | all }

Views

System view

Default command level

2: System level

Parameters

policy-name: Specifies an SSL server policy by its name, a case-insensitive string of 1 to 16 characters, which cannot be a, al, or all.

all: Specifies all SSL server policies.

Usage guidelines

You cannot delete an SSL server policy that has been associated with one or more application layer protocols.

Examples

# Create SSL server policy policy1 and enter its view.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1]

Related commands

display ssl server-policy

ssl version ssl3.0 disable

Use ssl version ssl3.0 disable to disable SSL 3.0 on the device.

Use undo ssl version ssl3.0 disable to restore the default.

Syntax

ssl version ssl3.0 disable

undo ssl version ssl3.0 disable

Default

The device supports SSL 3.0.

Views

System view

Default command level

2: System level

Usage guidelines

Use this command to disable SSL 3.0 on a device to enhance system security. SSL 3.0 is obsolete (RFC 7568 prohibits its use), so disable it unless a peer you must interoperate with supports nothing newer.

·     An SSL server supports only TLS 1.0 after SSL 3.0 is disabled.

·     An SSL client always uses SSL 3.0 if SSL 3.0 is specified for the client policy (version ssl3.0), whether you disable SSL 3.0 or not. To stop a client policy from using SSL 3.0, set version tls1.0 in that policy.

To ensure successful establishment of an SSL connection, do not disable SSL 3.0 on a device when the peer device only supports SSL 3.0. H3C recommends upgrading the peer device to support TLS 1.0 to improve security.

Examples

# Disable SSL 3.0 on the device.

<Sysname> system-view

[Sysname] ssl version ssl3.0 disable

version

Use version to specify the SSL protocol version for an SSL client policy.

Use undo version to restore the default.

Syntax

In non-FIPS mode:

version { ssl3.0 | tls1.0 }

undo version

In FIPS mode:

version tls1.0

undo version

Default

The SSL protocol version for an SSL client policy is TLS 1.0.

Views

SSL client policy view

Default command level

2: System level

Parameters

ssl3.0: Specifies SSL 3.0.

tls1.0: Specifies TLS 1.0.

Examples

# Set the SSL protocol version to SSL 3.0 for SSL client policy policy1.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] version ssl3.0

Related commands

display ssl client-policy
