08-SSL Commands
ciphersuite
Use ciphersuite to specify the cipher suites that an SSL server policy supports.
Syntax
ciphersuite [ rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *
Default
An SSL server policy supports all cipher suites.
Views
SSL server policy view
Default command level
2: System level
Parameters
rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 3DES_EDE_CBC, and the MAC algorithm of SHA.
rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA.
rsa_aes_256_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 256-bit AES_CBC, and the MAC algorithm of SHA.
rsa_des_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of DES_CBC, and the MAC algorithm of SHA.
rsa_rc4_128_md5: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of MD5.
rsa_rc4_128_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of SHA.
Usage guidelines
With no keyword specified, the command configures an SSL server policy to support all six cipher suites.
If you execute the command repeatedly, the most recent configuration takes effect.
All of these suites use RSA key exchange. RC4, single DES, and MD5 are no longer considered secure, and 3DES has only a 64-bit block size. Unless a client requires one of them, restrict the policy to the AES suites (rsa_aes_128_cbc_sha and rsa_aes_256_cbc_sha).
Examples
# Configure SSL server policy policy1 to support cipher suites rsa_rc4_128_md5 and rsa_rc4_128_sha.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] ciphersuite rsa_rc4_128_md5 rsa_rc4_128_sha
Related commands
display ssl server-policy
client-verify enable
Use client-verify enable to configure the SSL server to require the client to pass certificate-based authentication.
Use undo client-verify enable to restore the default.
Syntax
client-verify enable
undo client-verify enable
Default
The SSL server does not require certificate-based SSL client authentication.
Views
SSL server policy view
Default command level
2: System level
Usage guidelines
If you configure the client-verify enable command and also enable the SSL client weak authentication function (client-verify weaken), whether the client is authenticated is up to the client. A client that presents a certificate must pass authentication before it can access the SSL server; a client that presents no certificate can access the SSL server without authentication. Weak authentication therefore does not enforce client authentication; enable it only where unauthenticated clients are acceptable.
If you configure the client-verify enable command and leave SSL client weak authentication disabled, every SSL client must pass certificate-based authentication before accessing the SSL server.
Examples
# Configure the SSL server to require certificate-based SSL client authentication.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] client-verify enable
Related commands
· client-verify weaken
· display ssl server-policy
client-verify weaken
Use client-verify weaken to enable SSL client weak authentication.
Use undo client-verify weaken to restore the default.
Syntax
client-verify weaken
undo client-verify weaken
Default
SSL client weak authentication is disabled.
Views
SSL server policy view
Default command level
2: System level
Usage guidelines
The client-verify weaken command takes effect only when the SSL server requires certificate-based client authentication (client-verify enable).
If the SSL server requires certificate-based client authentication and SSL client weak authentication is enabled, whether the client is authenticated is up to the client. A client that presents a certificate must pass authentication before it can access the SSL server; a client that presents no certificate can access the SSL server without authentication. In other words, weak authentication turns client certificate authentication from mandatory into optional.
If the SSL server requires certificate-based client authentication and SSL client weak authentication is disabled, every SSL client must pass authentication before accessing the SSL server.
Examples
# Enable SSL client weak authentication.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] client-verify enable
[Sysname-ssl-server-policy-policy1] client-verify weaken
Related commands
· client-verify enable
· display ssl server-policy
close-mode wait
Use close-mode wait to set the SSL connection close mode to wait mode. In this mode, after sending a close-notify alert message to a client, the server does not close the connection until it receives a close-notify alert message from the client.
Use undo close-mode wait to restore the default.
Syntax
close-mode wait
undo close-mode wait
Default
An SSL server sends a close-notify alert message to the client and closes the connection without waiting for the close-notify alert message from the client.
Views
SSL server policy view
Default command level
2: System level
Examples
# Set the SSL connection close mode to wait.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] close-mode wait
Related commands
display ssl server-policy
display ssl client-policy
Use display ssl client-policy to view information about one or all SSL client policies.
Syntax
display ssl client-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
policy-name: SSL client policy name, a case-insensitive string of 1 to 16 characters.
all: Displays information about all SSL client policies.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display information about SSL client policy policy1.
<Sysname> display ssl client-policy policy1
SSL Client Policy: policy1
SSL Version: SSL 3.0
PKI Domain: 1
Prefer Ciphersuite:
RSA_RC4_128_SHA
Server-verify: enabled
Table 1 Command output
Field | Description
---|---
SSL Client Policy | SSL client policy name.
SSL Version | Version of the protocol used by the SSL client policy, SSL 3.0 or TLS 1.0.
PKI Domain | PKI domain of the SSL client policy.
Prefer Ciphersuite | Preferred cipher suite of the SSL client policy.
Server-verify | Whether server authentication is enabled for the SSL client policy.
display ssl server-policy
Use display ssl server-policy to view information about one or all SSL server policies.
Syntax
display ssl server-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
policy-name: SSL server policy name, a case-insensitive string of 1 to 16 characters.
all: Displays information about all SSL server policies.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display information about SSL server policy policy1.
<Sysname> display ssl server-policy policy1
SSL Server Policy: policy1
PKI Domain: domain1
Ciphersuite:
RSA_RC4_128_MD5
RSA_RC4_128_SHA
RSA_DES_CBC_SHA
RSA_3DES_EDE_CBC_SHA
RSA_AES_128_CBC_SHA
RSA_AES_256_CBC_SHA
Handshake Timeout: 3600
Close-mode: wait disabled
Session Timeout: 3600
Session Cachesize: 500
Client-verify: disabled
Client-verify weaken: disabled
Table 2 Command output
Field | Description
---|---
SSL Server Policy | SSL server policy name.
PKI Domain | PKI domain used by the SSL server policy. If no PKI domain is specified for the SSL server policy, this field is empty, and the SSL server generates and signs a certificate for itself instead of obtaining one from a CA server.
Ciphersuite | Cipher suites supported by the SSL server policy.
Handshake Timeout | Handshake timeout time of the SSL server policy, in seconds.
Close-mode | Close mode of the SSL server policy. wait disabled: the server sends a close-notify alert message to the client and then closes the connection immediately, without waiting for the client's close-notify alert message. wait enabled: the server sends a close-notify alert message to the client and closes the connection only after it receives the client's close-notify alert message.
Session Timeout | Session timeout time of the SSL server policy, in seconds.
Session Cachesize | Maximum number of cached sessions of the SSL server policy.
Client-verify | Whether the SSL server policy requires the client to be authenticated.
Client-verify weaken | Whether SSL client weak authentication is enabled for the SSL server policy.
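The following script is an added illustration and is not part of the original command reference. It parses the output format of display ssl server-policy shown above and flags the settings on this page that weaken a policy: the RC4, single-DES, 3DES and MD5 cipher suites, a missing PKI domain (the server then presents a self-signed certificate), and client-verify weaken turned on alongside client-verify enable. The sample dump is constructed in the format of the display output above, with both client-verify settings enabled so that the check has something to report; the weakness wording and the hardened ciphersuite command that the script proposes are the script's own assumptions, not text from the reference.

```python
"""Audit a Comware 'display ssl server-policy' dump for weak SSL settings.

Added example (not from the command reference). The parsed field names
match the display output on this page; the weakness classification and
the suggested ciphersuite command are assumptions made by this script.
"""

# Constructed sample in the format of 'display ssl server-policy', with
# client-verify weaken turned on so that the check below has something to flag.
SAMPLE_OUTPUT = """\
SSL Server Policy: policy1
PKI Domain: domain1
Ciphersuite:
  RSA_RC4_128_MD5
  RSA_RC4_128_SHA
  RSA_DES_CBC_SHA
  RSA_3DES_EDE_CBC_SHA
  RSA_AES_128_CBC_SHA
  RSA_AES_256_CBC_SHA
Handshake Timeout: 3600
Close-mode: wait disabled
Session Timeout: 3600
Session Cachesize: 500
Client-verify: enabled
Client-verify weaken: enabled
"""


def parse_server_policies(text):
    """Return one dict per policy; cipher suites are collected in a list."""
    policies = []
    current = None
    in_suites = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("SSL Server Policy:"):
            current = {"Ciphersuite": []}
            policies.append(current)
        if current is None:
            continue                      # text before the first policy header
        if line == "Ciphersuite:":
            in_suites = True              # suite names follow, one per line
            continue
        if in_suites and ":" not in line:
            current["Ciphersuite"].append(line)
            continue
        in_suites = False
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return policies


def suite_weaknesses(suite):
    """Reasons a suite from this platform's list is weak (empty list if none)."""
    tokens = suite.upper().split("_")     # RSA_3DES_EDE_CBC_SHA -> RSA,3DES,EDE,CBC,SHA
    reasons = []
    if "RC4" in tokens:
        reasons.append("RC4 stream cipher")
    if "DES" in tokens:
        reasons.append("56-bit single DES")
    if "3DES" in tokens:
        reasons.append("3DES (64-bit block cipher)")
    if "MD5" in tokens:
        reasons.append("HMAC-MD5")
    # Every suite on this platform uses static RSA key exchange (no forward
    # secrecy); that is platform-wide, so it is not reported per suite.
    return reasons


def audit_policy(policy):
    """List findings for one parsed policy."""
    name = policy.get("SSL Server Policy", "?")
    findings = []
    for suite in policy["Ciphersuite"]:
        for reason in suite_weaknesses(suite):
            findings.append(f"{name}: cipher suite {suite} uses {reason}")
    if not policy.get("PKI Domain"):
        findings.append(f"{name}: no PKI domain, server presents a self-signed certificate")
    if policy.get("Client-verify") == "enabled" and policy.get("Client-verify weaken") == "enabled":
        findings.append(f"{name}: client-verify weaken makes client certificate authentication optional")
    return findings


def hardened_ciphersuite_command(policy):
    """CLI line that keeps only the suites with no recorded weakness, or None."""
    keep = [s.lower() for s in policy["Ciphersuite"] if not suite_weaknesses(s)]
    return "ciphersuite " + " ".join(keep) if keep else None


if __name__ == "__main__":
    for pol in parse_server_policies(SAMPLE_OUTPUT):
        for finding in audit_policy(pol):
            print(finding)
        print("suggested:", hardened_ciphersuite_command(pol))
```

Paste the output of display ssl server-policy all into SAMPLE_OUTPUT (or read it from a file) to audit every policy on a device at once; the parser starts a new record at each SSL Server Policy line.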
handshake timeout
Use handshake timeout to set the handshake timeout time for an SSL server policy.
Use undo handshake timeout to restore the default.
Syntax
handshake timeout time
undo handshake timeout
Default
The handshake timeout time is 3600 seconds.
Views
SSL server policy view
Default command level
2: System level
Parameters
time: Handshake timeout time in seconds. The range is 180 to 7200.
Usage guidelines
If the SSL server receives no packet from the SSL client before the handshake timeout time expires, the SSL server terminates the handshake process. A shorter timeout releases the resources held by stalled handshakes sooner.
Examples
# Set the handshake timeout time of SSL server policy policy1 to 3000 seconds.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] handshake timeout 3000
Related commands
display ssl server-policy
pki-domain
Use pki-domain to specify a PKI domain for an SSL server policy or SSL client policy.
Use undo pki-domain to restore the default.
Syntax
pki-domain domain-name
undo pki-domain
Default
No PKI domain is configured for an SSL server policy or SSL client policy.
Views
SSL server policy view, SSL client policy view
Default command level
2: System level
Parameters
domain-name: Name of a PKI domain, a case-insensitive string of 1 to 15 characters.
Usage guidelines
If you do not specify a PKI domain for an SSL server policy, the SSL server generates and signs a certificate for itself rather than obtaining one from a CA server. A self-signed certificate cannot be validated against a CA, so specify a PKI domain whenever clients are expected to authenticate the server by its certificate.
Examples
# Configure SSL server policy policy1 to use PKI domain server-domain.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] pki-domain server-domain
# Configure SSL client policy policy1 to use PKI domain client-domain.
<Sysname> system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1] pki-domain client-domain
Related commands
· display ssl server-policy
· display ssl client-policy
prefer-cipher
Use prefer-cipher to specify the preferred cipher suite for an SSL client policy.
Use undo prefer-cipher to restore the default.
Syntax
prefer-cipher { rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }
undo prefer-cipher
Default
The preferred cipher suite for an SSL client policy is rsa_rc4_128_md5.
Views
SSL client policy view
Default command level
2: System level
Parameters
rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 3DES_EDE_CBC, and the MAC algorithm of SHA.
rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA.
rsa_aes_256_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 256-bit AES_CBC, and the MAC algorithm of SHA.
rsa_des_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of DES_CBC, and the MAC algorithm of SHA.
rsa_rc4_128_md5: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of MD5.
rsa_rc4_128_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of SHA.
Examples
# Set the preferred cipher suite for SSL client policy policy1 to rsa_aes_128_cbc_sha.
<Sysname> system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1] prefer-cipher rsa_aes_128_cbc_sha
Related commands
display ssl client-policy
server-verify enable
Use server-verify enable to enable certificate-based SSL server authentication, so that the SSL client verifies the server's certificate during the SSL handshake.
Use undo server-verify enable to disable certificate-based SSL server authentication. When it is disabled, the client assumes that the SSL server is valid without checking its certificate, and therefore cannot detect a server that impersonates the intended one.
Syntax
server-verify enable
undo server-verify enable
Default
Certificate-based SSL server authentication is enabled.
Views
SSL client policy view
Default command level
2: System level
Examples
# Enable certificate-based SSL server authentication.
<Sysname> system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1] server-verify enable
Related commands
display ssl client-policy
session
Use session to set the maximum number of cached sessions and the caching timeout time.
Use undo session to restore the default.
Syntax
session { cachesize size | timeout time } *
undo session { cachesize | timeout } *
Default
The maximum number of cached sessions is 500 and the caching timeout time is 3600 seconds.
Views
SSL server policy view
Default command level
2: System level
Parameters
cachesize size: Specifies the maximum number of cached sessions. The range is 100 to 1000.
timeout time: Specifies the caching timeout time in seconds. The range is 1800 to 72000.
Usage guidelines
Negotiating session parameters and establishing a session with the SSL handshake protocol is an expensive process. To reduce that cost, SSL allows negotiated session parameters to be reused for new connections (session resumption). This requires the SSL server to keep information about existing sessions.
The number of cached sessions and the time that session information stays cached are both limited:
· If the number of sessions in the cache has reached the maximum, SSL does not cache new sessions.
· If a session has been cached for a period equal to the caching timeout time, SSL removes the information of that session.
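The model below is an added example, not code from the command reference, and it does not reproduce the device implementation. It models the two documented cache rules with the ranges of the session command: a full cache does not accept new sessions, and an entry is removed once it has been cached for the timeout period, counted from when it was first cached. The clock is injectable so the expiry rule can be exercised without waiting. Because a resumed session skips the full handshake and reuses the negotiated parameters, the timeout value bounds how long those parameters stay reusable.

```python
"""Model of the SSL session cache limits described above.

Added example, not code from the command reference. It reproduces the two
documented rules: a full cache does not accept new sessions, and an entry is
removed once it has been cached for the timeout period. The clock is
injectable so the behaviour can be exercised without waiting.
"""
import time


class SessionCache:
    # Value ranges follow the session command on this page.
    def __init__(self, cachesize=500, timeout=3600, clock=time.monotonic):
        if not 100 <= cachesize <= 1000:
            raise ValueError("cachesize must be 100 to 1000")
        if not 1800 <= timeout <= 72000:
            raise ValueError("timeout must be 1800 to 72000 seconds")
        self.cachesize = cachesize
        self.timeout = timeout
        self._clock = clock
        self._entries = {}   # session id -> (time first cached, negotiated parameters)

    def _expire(self):
        """Drop entries whose cache age has reached the timeout."""
        now = self._clock()
        for sid in [s for s, (t, _) in self._entries.items() if now - t >= self.timeout]:
            del self._entries[sid]

    def store(self, session_id, params):
        """Cache a newly negotiated session.

        Returns False when the cache is full and the session was not cached,
        which means the next connection with this id will do a full handshake.
        An id that is already cached keeps its original caching time.
        """
        self._expire()
        if session_id in self._entries:
            return True
        if len(self._entries) >= self.cachesize:
            return False
        self._entries[session_id] = (self._clock(), params)
        return True

    def lookup(self, session_id):
        """Return the cached parameters for a resumption attempt, or None."""
        self._expire()
        entry = self._entries.get(session_id)
        return None if entry is None else entry[1]

    def __len__(self):
        self._expire()
        return len(self._entries)


if __name__ == "__main__":
    cache = SessionCache(cachesize=100, timeout=1800)
    cache.store("example-session", {"suite": "RSA_AES_128_CBC_SHA"})
    print(cache.lookup("example-session"), len(cache))
```

Sizing note: with a cachesize of 100 the 101st distinct session is refused rather than evicting an older one, so a server that sees more concurrent clients than cachesize will silently fall back to full handshakes for the excess.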
Examples
# Set the caching timeout time to 4000 seconds and the maximum number of cached sessions to 600.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] session timeout 4000 cachesize 600
Related commands
display ssl server-policy
ssl client-policy
Use ssl client-policy to create an SSL client policy and enter its view.
Use undo ssl client-policy to delete a specified SSL client policy or all SSL client policies.
Syntax
ssl client-policy policy-name
undo ssl client-policy { policy-name | all }
Views
System view
Default command level
2: System level
Parameters
policy-name: SSL client policy name, a case-insensitive string of 1 to 16 characters, which cannot be "a", "al", or "all".
all: Specifies all SSL client policies.
Examples
# Create SSL client policy policy1 and enter its view.
<Sysname> system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1]
Related commands
display ssl client-policy
ssl server-policy
Use ssl server-policy to create an SSL server policy and enter its view.
Use undo ssl server-policy to delete a specified SSL server policy or all SSL server policies.
Syntax
ssl server-policy policy-name
undo ssl server-policy { policy-name | all }
Views
System view
Default command level
2: System level
Parameters
policy-name: SSL server policy name, a case-insensitive string of 1 to 16 characters, which cannot be "a", "al", or "all".
all: Specifies all SSL server policies.
Usage guidelines
You cannot delete an SSL server policy that has been associated with one or more application layer protocols.
Examples
# Create SSL server policy policy1 and enter its view.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1]
Related commands
display ssl server-policy
version
Use version to specify the SSL protocol version for an SSL client policy.
Use undo version to restore the default.
Syntax
version { ssl3.0 | tls1.0 }
undo version
Default
The SSL protocol version for an SSL client policy is TLS 1.0.
Views
SSL client policy view
Default command level
2: System level
Parameters
ssl3.0: Specifies SSL 3.0.
tls1.0: Specifies TLS 1.0.
Examples
# Specify the SSL protocol version for SSL client policy policy1 as SSL 3.0.
<Sysname> system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1] version ssl3.0
Related commands
display ssl client-policy