09-Security Command Reference

11-SSL commands

SSL commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

ciphersuite

Use ciphersuite to specify the cipher suites supported by an SSL server policy.

Use undo ciphersuite to restore the default.

Syntax

In non-FIPS mode:

ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_128_cbc_sha256 | dhe_rsa_aes_256_cbc_sha | dhe_rsa_aes_256_cbc_sha256 | ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_256_gcm_sha384 | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha | rsa_aes_256_cbc_sha256 | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } *

undo ciphersuite

In FIPS mode:

ciphersuite { ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_128_gcm_sha256 | rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha | rsa_aes_256_cbc_sha256 } *

undo ciphersuite

Default

An SSL server policy supports all cipher suites.

Views

SSL server policy view

Predefined user roles

network-admin

Parameters

dhe_rsa_aes_128_cbc_sha: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA.

dhe_rsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256.

dhe_rsa_aes_256_cbc_sha: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA.

dhe_rsa_aes_256_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA256.

ecdhe_ecdsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256.

ecdhe_ecdsa_aes_128_gcm_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 128-bit AES_GCM, and MAC algorithm SHA256.

ecdhe_ecdsa_aes_256_cbc_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA384.

ecdhe_ecdsa_aes_256_gcm_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 256-bit AES_GCM, and MAC algorithm SHA384.

ecdhe_rsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256.

ecdhe_rsa_aes_128_gcm_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE RSA, data encryption algorithm 128-bit AES_GCM, and MAC algorithm SHA256.

ecdhe_rsa_aes_256_cbc_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA384.

ecdhe_rsa_aes_256_gcm_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE RSA, data encryption algorithm 256-bit AES_GCM, and MAC algorithm SHA384.

exp_rsa_des_cbc_sha: Specifies the export cipher suite that uses key exchange algorithm RSA, data encryption algorithm DES_CBC, and MAC algorithm SHA.

exp_rsa_rc2_md5: Specifies the export cipher suite that uses key exchange algorithm RSA, data encryption algorithm RC2, and MAC algorithm MD5.

exp_rsa_rc4_md5: Specifies the export cipher suite that uses key exchange algorithm RSA, data encryption algorithm RC4, and MAC algorithm MD5.

rsa_3des_ede_cbc_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 3DES_EDE_CBC, and MAC algorithm SHA.

rsa_aes_128_cbc_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA.

rsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256.

rsa_aes_256_cbc_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA.

rsa_aes_256_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA256.

rsa_des_cbc_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm DES_CBC, and MAC algorithm SHA.

rsa_rc4_128_md5: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit RC4, and MAC algorithm MD5.

rsa_rc4_128_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit RC4, and MAC algorithm SHA.

Usage guidelines

SSL employs the following algorithms:

·     Data encryption algorithms—Encrypt data to ensure privacy. Commonly used data encryption algorithms are symmetric key algorithms. When a symmetric key algorithm is used, the SSL server and the SSL client must use the same key.

·     Message Authentication Code (MAC) algorithms—Calculate the MAC value for data to ensure integrity. Commonly used MAC algorithms include MD5 and SHA. When a MAC algorithm is used, the SSL server and the SSL client must use the same key.

·     Key exchange algorithms—Implement secure exchange of the keys used by the symmetric key algorithm and the MAC algorithm. Commonly used key exchange algorithms are asymmetric key algorithms, such as RSA.

After the SSL server receives a cipher suite from a client, the server compares the received cipher suite with the cipher suites it supports. If a match is found, the cipher suite negotiation succeeds. If no match is found, the negotiation fails.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure SSL server policy policy1 to support the following cipher suites:

·     Key exchange algorithm DHE RSA, data encryption algorithm 128-bit AES, and MAC algorithm SHA.

·     Key exchange algorithm RSA, data encryption algorithm 128-bit AES, and MAC algorithm SHA.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] ciphersuite dhe_rsa_aes_128_cbc_sha rsa_aes_128_cbc_sha

Related commands

·     display ssl server-policy

·     prefer-cipher

client-verify enable

Use client-verify enable to enable the SSL server to use digital certificates to authenticate clients.

Use undo client-verify enable to restore the default.

Syntax

client-verify enable

undo client-verify enable

Default

The SSL server does not authenticate SSL clients.

Views

SSL server policy view

Predefined user roles

network-admin

Usage guidelines

The SSL client and server use digital certificates to authenticate each other. For more information about digital certificates, see Security Configuration Guide.

If the client-verify enable command is configured, an SSL client must send its own digital certificate to the SSL server for authentication. The client can access the SSL server only after it passes the authentication.

Examples

# Enable the SSL server to use digital certificates to authenticate SSL clients.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] client-verify enable

Related commands

display ssl server-policy

display crypto version

Use display crypto version to display cryptographic library version information.

Syntax

display crypto version

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

A cryptographic library version represents a set of cryptographic algorithms.

Examples

# Display cryptographic library version information.

<Sysname> display crypto version

7.1.3290

Table 1 Command output

Field        Description
7.1.3290     Cryptographic library version information, in the format 7.1.X:
             ·     The 7.1 element represents Comware V700R001.
             ·     The X element represents the cryptographic library version.

display ssl client-policy

Use display ssl client-policy to display SSL client policy information.

Syntax

display ssl client-policy [ policy-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters. If you do not specify a policy, this command displays information about all SSL client policies.

Examples

# Display information about SSL client policy policy1.

<Sysname> display ssl client-policy policy1

 SSL client policy: policy1

     SSL version: SSL 3.0

     PKI domain: client-domain

     Preferred ciphersuite:

         RSA_AES_128_CBC_SHA

     Server-verify: enabled

Table 2 Command output

Field            Description
Server-verify    Indicates whether the client is enabled to use digital certificates to authenticate servers.

display ssl server-policy

Use display ssl server-policy to display SSL server policy information.

Syntax

display ssl server-policy [ policy-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Specifies an SSL server policy by its name, a case-insensitive string of 1 to 31 characters. If you do not specify a policy, this command displays information about all SSL server policies.

Examples

# Display information about SSL server policy policy1.

<Sysname> display ssl server-policy policy1

 SSL server policy: policy1

     PKI domain: server-domain

     Ciphersuites:

         DHE_RSA_AES_128_CBC_SHA

         RSA_AES_128_CBC_SHA

     Session cache size: 600

     Client-verify: enabled

Table 3 Command output

Field            Description
Client-verify    Indicates whether the server is enabled to use digital certificates to authenticate clients.

pki-domain (SSL client policy view)

Use pki-domain to specify a PKI domain for the SSL client policy.

Use undo pki-domain to restore the default.

Syntax

pki-domain domain-name

undo pki-domain

Default

No PKI domain is specified for an SSL client policy.

Views

SSL client policy view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

If you specify a PKI domain for an SSL client policy, the SSL client that uses the SSL client policy will obtain its digital certificate through the specified PKI domain.

Examples

# Specify PKI domain client-domain for SSL client policy policy1.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] pki-domain client-domain

Related commands

·     display ssl client-policy

·     pki domain

pki-domain (SSL server policy view)

Use pki-domain to specify a PKI domain for an SSL server policy.

Use undo pki-domain to restore the default.

Syntax

pki-domain domain-name

undo pki-domain

Default

No PKI domain is specified for an SSL server policy.

Views

SSL server policy view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

If you specify a PKI domain for an SSL server policy, the SSL server that uses the SSL server policy will obtain its digital certificate through the specified PKI domain.

Examples

# Specify PKI domain server-domain for SSL server policy policy1.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] pki-domain server-domain

Related commands

·     display ssl server-policy

·     pki domain

prefer-cipher

Use prefer-cipher to specify the preferred cipher suite for an SSL client policy.

Use undo prefer-cipher to restore the default.

Syntax

In non-FIPS mode:

prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_128_cbc_sha256 | dhe_rsa_aes_256_cbc_sha | dhe_rsa_aes_256_cbc_sha256 | ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_256_gcm_sha384 | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha | rsa_aes_256_cbc_sha256 | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }

undo prefer-cipher

In FIPS mode:

prefer-cipher { ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_256_gcm_sha384 | rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha | rsa_aes_256_cbc_sha256 }

undo prefer-cipher

Default

In non-FIPS mode:

The preferred cipher suite of an SSL client policy is rsa_rc4_128_md5.

In FIPS mode:

The preferred cipher suite of an SSL client policy is rsa_aes_128_cbc_sha.

Views

SSL client policy view

Predefined user roles

network-admin

Parameters

dhe_rsa_aes_128_cbc_sha: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA.

dhe_rsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256.

dhe_rsa_aes_256_cbc_sha: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA.

dhe_rsa_aes_256_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA256.

ecdhe_ecdsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256.

ecdhe_ecdsa_aes_128_gcm_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 128-bit AES_GCM, and MAC algorithm SHA256.

ecdhe_ecdsa_aes_256_cbc_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA384.

ecdhe_ecdsa_aes_256_gcm_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 256-bit AES_GCM, and MAC algorithm SHA384.

ecdhe_rsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256.

ecdhe_rsa_aes_128_gcm_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE RSA, data encryption algorithm 128-bit AES_GCM, and MAC algorithm SHA256.

ecdhe_rsa_aes_256_cbc_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA384.

ecdhe_rsa_aes_256_gcm_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE RSA, data encryption algorithm 256-bit AES_GCM, and MAC algorithm SHA384.

exp_rsa_des_cbc_sha: Specifies the export cipher suite that uses key exchange algorithm RSA, data encryption algorithm DES_CBC, and MAC algorithm SHA.

exp_rsa_rc2_md5: Specifies the export cipher suite that uses key exchange algorithm RSA, data encryption algorithm RC2, and MAC algorithm MD5.

exp_rsa_rc4_md5: Specifies the export cipher suite that uses key exchange algorithm RSA, data encryption algorithm RC4, and MAC algorithm MD5.

rsa_3des_ede_cbc_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 3DES_EDE_CBC, and MAC algorithm SHA.

rsa_aes_128_cbc_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA.

rsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256.

rsa_aes_256_cbc_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA.

rsa_aes_256_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA256.

rsa_des_cbc_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm DES_CBC, and MAC algorithm SHA.

rsa_rc4_128_md5: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit RC4, and MAC algorithm MD5.

rsa_rc4_128_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit RC4, and MAC algorithm SHA.

Usage guidelines

SSL employs the following algorithms:

·     Data encryption algorithms—Encrypt data to ensure privacy. Commonly used data encryption algorithms are symmetric key algorithms. When a symmetric key algorithm is used, the SSL server and the SSL client must use the same key.

·     Message Authentication Code (MAC) algorithms—Calculate the MAC value for data to ensure integrity. Commonly used MAC algorithms include MD5 and SHA. When using a MAC algorithm, the SSL server and the SSL client must use the same key.

·     Key exchange algorithms—Implement secure exchange of the keys used by the symmetric key algorithm and MAC algorithm. Commonly used key exchange algorithms are asymmetric key algorithms, such as RSA.

The SSL client sends the preferred cipher suite to the SSL server. The server compares the received cipher suite with the cipher suites it supports. If a match is found, the cipher suite negotiation succeeds. If no match is found, the negotiation fails.

If you execute this command multiple times, the most recent configuration takes effect.
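As an added defender-side example (editor's code, not H3C's), the following Python parses the display ssl server-policy and display ssl client-policy output layout shown in this reference, flags the export, RC4, DES and MD5 suites and SSL 3.0 that this reference lists or advises against, and models the suite match described in the usage guidelines of ciphersuite and prefer-cipher. The sample output blocks are constructed, and the weak-suite markers are the editor's assumptions rather than device behaviour.

```python
"""Audit H3C SSL policy display output for weak settings (constructed example)."""
import re

# Editor's assumption: suite-name fragments worth flagging on review.
WEAK_MARKERS = {
    "EXP_": "export-grade suite",
    "RC4": "RC4 stream cipher",
    "_DES_": "single DES",       # does not match the 3DES suites
    "_MD5": "MD5 MAC",
}

# Constructed sample output following the layout in this reference.
SERVER_OUTPUT = """\
 SSL server policy: policy1
     PKI domain: server-domain
     Ciphersuites:
         DHE_RSA_AES_128_CBC_SHA
         RSA_AES_128_CBC_SHA
     Session cache size: 600
     Client-verify: enabled
"""
CLIENT_OUTPUT = """\
 SSL client policy: policy1
     SSL version: SSL 3.0
     PKI domain: client-domain
     Preferred ciphersuite:
         RSA_AES_128_CBC_SHA
     Server-verify: enabled
"""
LEGACY_CLIENT_OUTPUT = """\
 SSL client policy: legacy
     SSL version: TLS 1.0
     PKI domain: client-domain
     Preferred ciphersuite:
         RSA_RC4_128_MD5
     Server-verify: disabled
"""


def parse_policy(text):
    """Parse one policy block into a dict with kind, name, version, suites, verify."""
    policy = {"suites": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"SSL (server|client) policy: (\S+)$", line)
        if m:
            policy["kind"], policy["name"] = m.group(1), m.group(2)
        elif line.startswith("SSL version:"):
            policy["version"] = line.split(":", 1)[1].strip()
        elif line.startswith("PKI domain:"):
            policy["pki_domain"] = line.split(":", 1)[1].strip()
        elif line.startswith("Session cache size:"):
            policy["cache_size"] = int(line.split(":", 1)[1])
        elif re.match(r"(Client|Server)-verify: (enabled|disabled)$", line):
            policy["verify"] = line.split(":", 1)[1].strip()
        elif re.match(r"[A-Z0-9_]+$", line):   # an indented suite name
            policy["suites"].append(line)
    return policy


def weak_suites(suites):
    """Return (suite, reason) pairs for every weak marker each suite matches."""
    return [(s, why) for s in suites
            for marker, why in WEAK_MARKERS.items() if marker in s.upper()]


def audit(policy):
    """Return human-readable findings for one parsed policy."""
    findings = [f"{s}: {why}" for s, why in weak_suites(policy["suites"])]
    if policy.get("version") == "SSL 3.0":
        findings.append("SSL 3.0 selected; the reference advises against it")
    if policy.get("kind") == "client" and policy.get("verify") == "disabled":
        findings.append("server-verify disabled: server certificate is not checked")
    return findings


def negotiate(client_policy, server_policy):
    """Model the match in the usage guidelines: the client offers its preferred
    suite and the server accepts it only if it is in the server's own list."""
    offered = client_policy["suites"][0]
    return offered if offered in server_policy["suites"] else None
```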

Examples

# Configure SSL client policy policy1 to prefer the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] prefer-cipher rsa_aes_128_cbc_sha

Related commands

·     ciphersuite

·     display ssl client-policy

server-verify enable

Use server-verify enable to enable the SSL client to use digital certificates to authenticate SSL servers.

Use undo server-verify enable to disable SSL server authentication.

Syntax

server-verify enable

undo server-verify enable

Default

The SSL client uses digital certificates to authenticate SSL servers.

Views

SSL client policy view

Predefined user roles

network-admin

Usage guidelines

The SSL client and server use digital certificates to authenticate each other. For more information about digital certificates, see Security Configuration Guide.

If you execute the server-verify enable command, an SSL server must send its own digital certificate to the SSL client for authentication. The client can access the SSL server only after the server passes the authentication.

Examples

# Enable the SSL client to use digital certificates to authenticate SSL servers.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] server-verify enable

Related commands

display ssl client-policy

session cachesize

Use session cachesize to set the maximum number of sessions that the SSL server can cache.

Use undo session cachesize to restore the default.

Syntax

session cachesize size

undo session cachesize

Default

The SSL server can cache a maximum of 500 sessions.

Views

SSL server policy view

Predefined user roles

network-admin

Parameters

size: Specifies the maximum number of cached sessions, in the range of 100 to 1000.

Usage guidelines

The SSL handshake protocol follows a complicated procedure to negotiate session parameters and establish sessions. To simplify the procedure, SSL allows you to reuse negotiated session parameters to establish sessions. This feature requires that the SSL server maintain information about existing sessions.

This command limits the maximum number of sessions that the SSL server can cache. If the number of sessions in the cache reaches the maximum, SSL does not cache new sessions.

Examples

# Set the maximum number of cached sessions to 600.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] session cachesize 600

Related commands

display ssl server-policy

ssl client-policy

Use ssl client-policy to create an SSL client policy and enter SSL client policy view.

Use undo ssl client-policy to delete an SSL client policy.

Syntax

ssl client-policy policy-name

undo ssl client-policy policy-name

Default

No SSL client policy exists on the device.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

This command creates an SSL client policy for which you can configure SSL parameters that the client uses to establish a connection to the server. The parameters include a PKI domain and a preferred cipher suite. An SSL client policy takes effect only after it is associated with an application such as DDNS.

Examples

# Create SSL client policy policy1 and enter SSL client policy view.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1]

Related commands

display ssl client-policy

ssl renegotiation disable

Use ssl renegotiation disable to disable SSL session renegotiation.

Use undo ssl renegotiation disable to restore the default.

Syntax

ssl renegotiation disable

undo ssl renegotiation disable

Default

SSL session renegotiation is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The SSL session renegotiation feature enables the SSL client and server to reuse a previously negotiated SSL session for an abbreviated handshake.

Disabling session renegotiation adds computational overhead to the system but avoids the potential risks of renegotiation. Disable SSL session renegotiation only when explicitly required.

Examples

# Disable SSL session renegotiation.

<Sysname> system-view

[Sysname] ssl renegotiation disable

ssl server-policy

Use ssl server-policy to create an SSL server policy and enter SSL server policy view.

Use undo ssl server-policy to delete an SSL server policy.

Syntax

ssl server-policy policy-name

undo ssl server-policy policy-name

Default

No SSL server policy exists on the device.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a name for the SSL server policy, a case-insensitive string of 1 to 31 characters.

Usage guidelines

This command creates an SSL server policy for which you can configure SSL parameters such as a PKI domain and supported cipher suites. An SSL server policy takes effect only after it is associated with an application such as HTTPS.

Examples

# Create SSL server policy policy1 and enter SSL server policy view.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1]

Related commands

display ssl server-policy

ssl version disable

Use ssl version disable to disable the SSL server from using specific SSL protocol versions for session negotiation.

Use undo ssl version disable to restore the default.

Syntax

In non-FIPS mode:

ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable

undo ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable

In FIPS mode:

ssl version { tls1.0 | tls1.1 } * disable

undo ssl version { tls1.0 | tls1.1 } * disable

Default

In non-FIPS mode, the SSL server supports SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2.

In FIPS mode, the SSL server supports TLS 1.0, TLS 1.1, and TLS 1.2.

Views

System view

Predefined user roles

network-admin

Parameters

ssl3.0: Specifies SSL 3.0.

tls1.0: Specifies TLS 1.0.

tls1.1: Specifies TLS 1.1.

Usage guidelines

To enhance system security, you can disable the SSL server from using specific SSL protocol versions (SSL 3.0, TLS 1.0, and TLS 1.1) for session negotiation.

Disabling an SSL protocol version does not affect the availability of earlier SSL protocol versions. For example, if you execute the ssl version tls1.1 disable command, TLS 1.1 is disabled but TLS 1.0 is still available for the SSL server.

Examples

# Disable SSL 3.0 for the SSL server.

<Sysname> system-view

[Sysname] ssl version ssl3.0 disable

version

Use version to specify an SSL protocol version for an SSL client policy.

Use undo version to restore the default.

Syntax

In non-FIPS mode:

version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 }

undo version

In FIPS mode:

version { tls1.0 | tls1.1 | tls1.2 }

undo version

Default

The SSL protocol version for an SSL client policy is TLS 1.0.

Views

SSL client policy view

Predefined user roles

network-admin

Parameters

ssl3.0: Specifies SSL 3.0.

tls1.0: Specifies TLS 1.0.

tls1.1: Specifies TLS 1.1.

tls1.2: Specifies TLS 1.2.

Usage guidelines

To ensure security, do not specify SSL 3.0 for an SSL client policy.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the SSL protocol version to TLS 1.0 for SSL client policy policy1.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] version tls1.0

Related commands

display ssl client-policy
