Configuring SSL 1

Overview·· 1

SSL security mechanism·· 1

SSL protocol stack· 1

Configuration task list 2

Configuring an SSL server policy· 2

Configuring an SSL client policy· 3

Displaying and maintaining SSL 4

SSL server policy configuration example· 4

Troubleshooting SSL 6

SSL handshake failure· 6

 

Overview

Secure Sockets Layer (SSL) is a security protocol that providessecure connection servicesfor TCP-based application layer protocols such as HTTP. It is widely used in e-business and online banking to providesecuredata transmission over the Internet.

SSL security mechanism

Secure connections provided by SSL have these features:

·          Confidentiality—SSL uses a symmetric encryption algorithm to encrypt data anduses the asymmetric key algorithm of RSA to encrypt the keyto be used by the symmetric encryption algorithm.

·          Authentication—SSL supports certificate-based identity authenticationof the server and clientby using the digital signatures. The SSL server and clientobtain certificates from a CA through the PKI.

·          Reliability—SSL uses the key-based message authentication code (MAC) to verify messageintegrity.AMAC algorithm transforms a message of any length to a fixed-length message. With the key, the sender uses the MAC algorithm to compute the MAC value of a message. Then, the sender appendsthe MAC value to the message and sends the result to the receiver. The receiver uses the same key and MAC algorithm to compute the MAC value of the received message, and compares the locally computed MAC value with that received. If the two values match, the receiver considers the message intact; otherwise, the receiver considersthat the message has been tampered with in transit and discards the message.

Figure 1 Message integrity verification by a MAC algorithm

 

For more information about symmetric key algorithms, asymmetric key algorithm RSA and digital signature, see "Managing public keys."

For more information about PKI, certificate, and CA, see "Configuring PKI."

SSL protocol stack

The SSL protocol consists of two layers of protocols: the SSL record protocol at the lower layer and theSSL handshake protocol, change cipher spec protocol, and alert protocol at the upper layer.

Figure 2 SSL protocol stack

 

·          SSL record protocol—Fragments data to be transmitted, computes and adds MAC to the data, and encrypts the data before transmitting it to the peer end.

·          SSL handshake protocol—Negotiates the cipher suite to be used for secure communication (including the symmetric encryption algorithm, key exchange algorithm, and MAC algorithm), securely exchanges the key between the server and client, and implements identity authentication of the server and client.Through the SSL handshake protocol, a session is established between aclient and the server. A session consists of a set of parameters,including the session ID, peer certificate, cipher suite, and master secret.

·          SSL change cipher spec protocol—Used for notification between theclient and the server that the subsequent packets areto be protected and transmitted based on the newly negotiated cipher suite and key.

·          SSL alert protocol—EnablestheSSL client and server to send alert messagesto each other. An alert message contains the alert severity level and a description.

Configuration task list

 

Task	Remarks
Configuring an SSL server policy	Required
Configuring an SSL client policy	Optional

 

Configuring an SSL server policy

An SSL server policy isa set of SSL parametersfor a server to use when booting up.An SSL server policy takes effect only after it is associated withan application such asHTTPS.

SSL versions include SSL 2.0, SSL 3.0, and TLS 1.0 (or SSL 3.1). By default, the SSL servercan communicate with clients running SSL 3.0 or TLS 1.0. When the server receives an SSL 2.0 Client Hello message from a client that supports both SSL 2.0 and SSL 3.0/TLS 1.0, it notifies the client to use SSL 3.0 or TLS 1.0 for communication.

To configure an SSL server policy:

 

Step	Command	Remarks
1.       Enter system view.	system-view	N/A
2.       Create an SSL server policy and enter its view.	ssl server-policypolicy-name	N/A
3.       Specifya PKI domain for the SSL server policy.	pki-domaindomain-name	Optional. By default, no PKI domain is specified for an SSL server policy, and the SSL server generates and signs a certificate for itself and does not obtain a certificate from a CA server. If SSL clients authenticate the server through a digital certificate, you must use this command to specify a PKI domain and request a local certificate for the SSL server in the PKI domain. For information about how to configure a PKI domain, see"Configuring PKI."
4.       Specify the cipher suitesfor the SSL server policy to support.	ciphersuite[ rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *	Optional. By default, an SSL server policy supports all cipher suites.
5.       Set the handshake timeout time for the SSL server.	handshaketimeout time	Optional. 3,600 seconds by default.
6.       Set the SSL connection close mode.	close-mode wait	Optional. Not wait by default.
7.       Set the maximum number of cached sessions and the caching timeout time.	session{ cachesize size| timeout time } *	Optional. The defaults are as follows: ·         500 for the maximum number of cached sessions,. ·         3600 seconds for the caching timeout time.
8.       Configure the server to require certificate-based SSL client authentication.	client-verify enable	Optional. By default, the SSL server does not require the client to be authenticated.
9.       Enable SSL client weak authentication.	client-verify weaken	Optional. Disabled by default. This command takes effect only when the client-verify enable command is configured.

 

Configuring an SSL client policy

An SSL client policy is a set of SSL parametersfor aclient to use when connectingto the server. An SSL client policy takes effect only after it is associated with an application layer protocol.

To configure an SSL client policy:

 

Step	Command	Remarks
1.       Enter system view.	system-view	N/A
2.       Create an SSL client policy and enter its view.	ssl client-policypolicy-name	N/A
3.       Specifya PKI domain for the SSL client policy.	pki-domaindomain-name	Optional. No PKI domain is specified by default. If the SSL server authenticates the SSL client through a digital certificate, you must use this command to specify a PKI domain and request a local certificate for the SSL client in the PKI domain. For information about how to configure a PKI domain, see"Configuring PKI."
4.       Specify the preferred cipher suite for the SSL client policy.	prefer-cipher {rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha}	Optional. rsa_rc4_128_md5 by default.
5.       Specify the SSL protocol version forthe SSL client policy.	version {ssl3.0 | tls1.0 }	Optional. TLS1.0 by default.
6.       Enable certificate-based SSL server authentication.	server-verify enable	Optional. Enabled by default.

 

Displaying and maintaining SSL

 

Task	Command	Remarks
Display SSL server policy information.	display ssl server-policy{ policy-name| all } [ | { begin | exclude | include } regular-expression ]	Available in any view.
Display SSL client policy information.	display ssl client-policy {policy-name| all } [| { begin | exclude | include } regular-expression ]	Available in any view.

 

SSL server policy configuration example

Network requirements

As shown inFigure 3, users need to access and managethe AP through the Web page.

To protect the AP and prevent data from being eavesdropped or tampered with, configure the AP to be accessible through HTTPS only.

In this example, the CA server runs Windows Server and has the SCEP plug-in installed.

Figure 3 Network diagram

 

Configuration considerations

To meet the network requirements, perform the following tasks:

·          Configure the AP as the HTTPS server and request a server certificatefor the AP.For more information about HTTPS, see Fundamentals Configuration Guide.

·          Request a client certificate for the client so that the AP can authenticate the identity of the client.

Configuration procedure

1.        Make sure the AP, the client, and the CA server can reach each other. (Details not shown.)

2.        Configure the HTTPS server on the AP:

# Create a PKI entity named en. Set the common name and FQDN for the entity.

<AP> system-view

[AP] pki entity en

[AP-pki-entity-en] common-namehttp-server1

[AP-pki-entity-en] fqdnssl.security.com

[AP-pki-entity-en] quit

# Create PKI domain 1 and specify ca serveras the trusted CA name. Specify the URL of the registration server as, the authority for certificate request as RA, and the entity for certificate request as en.

[AP] pki domain 1

[AP-pki-domain-1] ca identifier caserver

[AP-pki-domain-1]certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll

[AP-pki-domain-1] certificate request from ra

[AP-pki-domain-1] certificate request entityen

[AP-pki-domain-1] quit

# Create the local RSA key pairs.

[AP] public-key local create rsa

# Obtainthe CA certificate.

[AP] pki retrieval-certificate ca domain 1

# Request a servercertificate for the AP.

[AP] pki request-certificate domain 1

# Create an SSL server policy named myssl.

[AP] ssl server-policy myssl

# Specify PKI domain 1for the SSL server policy.

[AP-ssl-server-policy-myssl] pki-domain 1

# Enable client authentication.

[AP-ssl-server-policy-myssl] client-verify enable

[AP-ssl-server-policy-myssl] quit

# Configure the HTTPS service to use the SSL server policy myssl.

[AP] ip https ssl-server-policy myssl

# Enable the HTTPS service.

[AP] ip https enable

# Create a local user named usera, and set the password to 123 and service type to web.

[AP] local-user usera

[AP-luser-usera] password simple 123

[AP-luser-usera] service-type web

[AP-luser-usera] authorization-attribute level 3

3.        Request a client certificate for the client:

a.    Launch IE on the client, and then enter http://10.1.2.2/certsrv in the address bar.

b.    Request client a certificate for the client. (Details not shown.)

Verify theconfiguration

Perform the following tasks on the client:

1.        Launch IE and enter https://10.1.1.1 in the address bar.

2.        Select the certificate issuedby the CA server to the client.

The login page of the APshould appear.

3.        Enter username usera and password 123.

Verify that now you canlog in to the Web interface to access and manage the AP.

For more information about PKI configuration commands, see Security Command Reference.

For more information about the public-key local create rsa command, see Security Command Reference.

Troubleshooting SSL

SSL handshake failure

Symptom

As the SSL server, the device fails to handshake with the SSL client.

Analysis

SSL handshake failure may result from the following causes:

·          The SSL client is configured to authenticate the SSL server, but theSSL server has no certificate or the certificate is not trusted.

·          TheSSL server is configured to authenticate the SSL client, but the SSL client has no certificate or the certificate is not trusted.

·          The server and the client have no matching cipher suite.

Solution

1.        Issue the debugging ssl command and view the debugging information to locate the problem:

¡  If the SSL client is configured to authenticate the SSL server but the SSL server has no certificate, request one for it.

¡  If the server’s certificate cannot be trusted, install the root certificate of the CA that issuedthe local certificate to the SSL serveron the SSL client, or let the server request a certificate from the CA that the SSL client trusts.

¡  If theSSL server is configured to authenticate the client, but the SSL client has no certificate or the certificate cannot be trusted, request and install a certificate for the client.

2.        Use the display ssl server-policy command to view the cipher suitesthat the SSL server policy supports. If the server and the client have no matching cipher suite, use the ciphersuite command to modify the cipher suiteconfiguration of the SSL server.