03-Security Command Reference

H3C SecPath M9000 Command Reference (V7)(E9X71), 03-Security Command Reference
13-SSL commands

SSL commands

The M9000-X06 and M9000-X10 firewall modules do not support GM algorithms.

Non-default vSystems do not support some of the SSL commands. For information about vSystem support for a command, see the usage guidelines on that command. For information about vSystem, see Virtual Technologies Configuration Guide.

certificate-chain-sending enable

Use certificate-chain-sending enable to enable the SSL server to send the complete certificate chain to the client during SSL negotiation.

Use undo certificate-chain-sending enable to restore the default.

Syntax

certificate-chain-sending enable

undo certificate-chain-sending enable

Default

During SSL negotiation, the SSL server sends the server certificate rather than the complete certificate chain to the client.

Views

SSL server policy view

Predefined user roles

network-admin

context-admin

vsys-admin

Usage guidelines

This feature adds overhead to the SSL negotiation process. Enable it only when the SSL client does not have the complete certificate chain it needs to verify the server certificate.

Examples

# Enable the SSL server to send the complete certificate chain to the client during SSL negotiation.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] certificate-chain-sending enable

ciphersuite

Use ciphersuite to specify the cipher suites supported by an SSL server policy.

Use undo ciphersuite to restore the default.

Syntax

ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_128_cbc_sha256 | dhe_rsa_aes_256_cbc_sha | dhe_rsa_aes_256_cbc_sha256 | ecc_sm2_sm1_sm3 | ecc_sm2_sm4_sm3 | ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_256_gcm_sha384 | ecdhe_sm2_sm1_sm3 | ecdhe_sm2_sm4_sm3 | exp_rsa_des_cbc_sha | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha256 | rsa_aes_128_gcm_sha256 | rsa_aes_256_cbc_sha | rsa_aes_256_cbc_sha256 | rsa_aes_256_gcm_sha384 | rsa_des_cbc_sha | rsa_sm1_sha | rsa_sm1_sm3 | rsa_sm4_sha | rsa_sm4_sm3 | tls_aes_128_ccm_sha256 | tls_aes_128_ccm_8_sha256 | tls_aes_128_gcm_sha256 | tls_aes_256_gcm_sha384 | tls_chacha20_poly1305_sha256 } *<1-11>

undo ciphersuite

Default

An SSL server policy supports the following cipher suites: ECC_SM2_SM1_SM3, ECC_SM2_SM4_SM3, ECDHE_SM2_SM1_SM3, ECDHE_SM2_SM4_SM3, RSA_SM1_SHA, RSA_SM1_SM3, RSA_SM4_SHA, RSA_SM4_SM3, RSA_AES_128_CBC_SHA, RSA_AES_256_CBC_SHA, DHE_RSA_AES_128_CBC_SHA, DHE_RSA_AES_256_CBC_SHA, RSA_AES_128_CBC_SHA256, RSA_AES_256_CBC_SHA256, DHE_RSA_AES_128_CBC_SHA256, DHE_RSA_AES_256_CBC_SHA256, ECDHE_RSA_AES_128_CBC_SHA256, ECDHE_RSA_AES_256_CBC_SHA384, ECDHE_RSA_AES_128_GCM_SHA256, ECDHE_RSA_AES_256_GCM_SHA384, ECDHE_ECDSA_AES_128_CBC_SHA256, ECDHE_ECDSA_AES_256_CBC_SHA384, ECDHE_ECDSA_AES_128_GCM_SHA256, ECDHE_ECDSA_AES_256_GCM_SHA384, RSA_AES_128_GCM_SHA256, RSA_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256, TLS_AES_128_CCM_8_SHA256.

Views

SSL server policy view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

dhe_rsa_aes_128_cbc_sha: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA.

dhe_rsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256.

dhe_rsa_aes_256_cbc_sha: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA.

dhe_rsa_aes_256_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA256.

ecc_sm2_sm1_sm3: Specifies the cipher suite that uses key exchange algorithm ECC SM2, data encryption algorithm 128-bit SM1, and MAC algorithm SM3.

ecc_sm2_sm4_sm3: Specifies the cipher suite that uses key exchange algorithm ECC SM2, data encryption algorithm SM4, and MAC algorithm SM3.

ecdhe_ecdsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256.

ecdhe_ecdsa_aes_128_gcm_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 128-bit AES_GCM, and MAC algorithm SHA256.

ecdhe_ecdsa_aes_256_cbc_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA384.

ecdhe_ecdsa_aes_256_gcm_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 256-bit AES_GCM, and MAC algorithm SHA384.

ecdhe_rsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256.

ecdhe_rsa_aes_128_gcm_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE RSA, data encryption algorithm 128-bit AES_GCM, and MAC algorithm SHA256.

ecdhe_rsa_aes_256_cbc_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA384.

ecdhe_rsa_aes_256_gcm_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE RSA, data encryption algorithm 256-bit AES_GCM, and MAC algorithm SHA384.

ecdhe_sm2_sm1_sm3: Specifies the cipher suite that uses key exchange algorithm ECDHE SM2, data encryption algorithm 128-bit SM1, and MAC algorithm SM3.

ecdhe_sm2_sm4_sm3: Specifies the cipher suite that uses key exchange algorithm ECDHE SM2, data encryption algorithm SM4, and MAC algorithm SM3.

exp_rsa_des_cbc_sha: Specifies the export cipher suite that uses key exchange algorithm RSA, data encryption algorithm DES_CBC, and MAC algorithm SHA.

rsa_3des_ede_cbc_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 3DES_EDE_CBC, and MAC algorithm SHA.

rsa_aes_128_cbc_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA.

rsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256.

rsa_aes_128_gcm_sha256: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit AES_GCM, and MAC algorithm SHA256.

rsa_aes_256_cbc_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA.

rsa_aes_256_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA256.

rsa_aes_256_gcm_sha384: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 256-bit AES_GCM, and MAC algorithm SHA384.

rsa_des_cbc_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm DES_CBC, and MAC algorithm SHA.

rsa_sm1_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit SM1, and MAC algorithm SHA.

rsa_sm1_sm3: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit SM1, and MAC algorithm SM3.

rsa_sm4_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm SM4, and MAC algorithm SHA.

rsa_sm4_sm3: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm SM4, and MAC algorithm SM3.

tls_aes_128_ccm_sha256: Specifies the cipher suite that uses data encryption algorithm AES_128_CCM and MAC algorithm SHA256. This cipher suite is TLS1.3 exclusive and is supported only by SSL VPN.

tls_aes_128_ccm_8_sha256: Specifies the cipher suite that uses data encryption algorithm AES_128_CCM_8 and MAC algorithm SHA256. This cipher suite is TLS1.3 exclusive and is supported only by SSL VPN.

tls_aes_128_gcm_sha256: Specifies the cipher suite that uses data encryption algorithm 128-bit AES_GCM and MAC algorithm SHA256. This cipher suite is TLS1.3 exclusive and is supported only by SSL VPN.

tls_aes_256_gcm_sha384: Specifies the cipher suite that uses data encryption algorithm 256-bit AES_GCM and MAC algorithm SHA384. This cipher suite is TLS1.3 exclusive and is supported only by SSL VPN.

tls_chacha20_poly1305_sha256: Specifies the cipher suite that uses data encryption algorithm CHACHA20 POLY1305 and MAC algorithm SHA256. This cipher suite is TLS1.3 exclusive and is supported only by SSL VPN.

<1-11>: Indicates that you can specify a maximum of 11 cipher suites at a time.

Usage guidelines

SSL employs the following algorithms:

·     Data encryption algorithms—Encrypt data to ensure privacy. Commonly used data encryption algorithms are symmetric key algorithms. When a symmetric key algorithm is used, the SSL server and the SSL client must use the same key.

·     Message Authentication Code (MAC) algorithms—Calculate the MAC value for data to ensure integrity. Commonly used MAC algorithms include SHA. When a MAC algorithm is used, the SSL server and the SSL client must use the same key.

·     Key exchange algorithms—Implement secure exchange of the keys used by the symmetric key algorithm and the MAC algorithm. Commonly used key exchange algorithms are asymmetric key algorithms, such as RSA.

After the SSL server receives cipher suites from a client, the server compares the received cipher suites with the cipher suites it supports. If a match is found, the cipher suite negotiation succeeds. If no match is found, the negotiation fails. The cipher suite matching can use the server-preferred order or the client-preferred order, depending on the configuration of the ciphersuite server-preferred enable command.

The earlier a cipher suite is configured, the higher priority it has during the cipher suite negotiation.

When executing the ciphersuite command, you can specify a maximum of 11 cipher suites at a time. If you execute this command multiple times, the SSL server policy supports all the specified cipher suites.

Examples

# Configure SSL server policy policy1 to support the following cipher suites:

·     Key exchange algorithm DHE RSA, data encryption algorithm 128-bit AES, and MAC algorithm SHA.

·     Key exchange algorithm RSA, data encryption algorithm 128-bit AES, and MAC algorithm SHA.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] ciphersuite dhe_rsa_aes_128_cbc_sha rsa_aes_128_cbc_sha

Related commands

display ssl server-policy

prefer-cipher

ciphersuite server-preferred enable

ciphersuite server-preferred enable

Use ciphersuite server-preferred enable to enable the server-preferred order for the cipher suite negotiation between the SSL server and SSL client.

Use undo ciphersuite server-preferred enable to restore the default.

Syntax

ciphersuite server-preferred enable

undo ciphersuite server-preferred enable

Default

The SSL server uses the client-preferred order to choose a cipher suite during the cipher suite negotiation.

Views

SSL server policy view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

During the SSL connection negotiation process, the SSL server and client present a list of cipher suites that they each support, in order of preference. By default, the SSL server uses the order of cipher suites presented by the client to negotiate the cipher suite. That is, the SSL server chooses the first cipher suite in the client's list that matches any one of the server's cipher suites. If no match is found, the negotiation fails.

After this command is executed, the server-preferred order is used for cipher suite negotiation. That is, the SSL server chooses the first cipher suite in its list that matches any one of the client's cipher suites. If no match is found, the negotiation fails.

The earlier a cipher suite is configured, the higher priority it has during the cipher suite negotiation.

Examples

# Enable the server-preferred order for cipher suite negotiation.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] ciphersuite server-preferred enable

Related commands

ciphersuite

display ssl server-policy

prefer-cipher

client-verify

Use client-verify to enable mandatory or optional SSL client authentication.

Use undo client-verify to restore the default.

Syntax

client-verify { enable | optional }

undo client-verify [ enable ]

Default

SSL client authentication is disabled. The SSL server does not authenticate SSL clients based on digital certificates.

Views

SSL server policy view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

enable: Enables mandatory SSL client authentication.

optional: Enables optional SSL client authentication.

Usage guidelines

SSL uses digital certificates to authenticate communicating parties. For more information about digital certificates, see Security Configuration Guide.

Mandatory SSL client authentication—The SSL server requires an SSL client to submit its digital certificate for identity authentication. The SSL client can access the SSL server only after it passes identity authentication.

Optional SSL client authentication—The SSL server does not require an SSL client to submit its digital certificate for identity authentication.

·     If an SSL client submits its certificate to the SSL server, the server authenticates the client identity. The client must pass authentication to access the server.

·     If an SSL client does not submit its certificate to the SSL server, the server does not authenticate the client identity. The client can access the SSL server without authentication.

If SSL client authentication is disabled, the SSL server does not authenticate SSL clients regardless of whether the clients submit digital certificates or not. SSL clients can access the SSL server without authentication.

When authenticating a client by using the digital certificate, the SSL server performs the following operations:

·     Verifies the certificate chain presented by the client.

·     Checks that the certificates in the certificate chain (except the root CA certificate) are not revoked.

Examples

# Enable mandatory SSL client authentication.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] client-verify enable

# Enable optional SSL client authentication.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] client-verify optional

# Disable SSL client authentication.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] undo client-verify

Related commands

display ssl server-policy

display ssl client-policy

Use display ssl client-policy to display SSL client policy information.

Syntax

display ssl client-policy [ policy-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Parameters

policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters. If you do not specify a policy name, this command displays information about all SSL client policies.

Examples

# Display information about the SSL client policy policy1.

<Sysname> display ssl client-policy policy1

 SSL client policy: policy1

     SSL version: SSL 3.0

     PKI domain: client-domain

     Preferred ciphersuite:

         RSA_AES_128_CBC_SHA

     Server-verify: enabled

# Display information about the SSL client policy policy2.

<Sysname> display ssl client-policy policy2

 SSL client policy: policy2

     SSL version: TLS 1.3

     PKI domain:

     Preferred ciphersuite:

         TLS_AES_128_GCM_SHA256

         TLS_CHACHA20_POLY1305_SHA256

         TLS_AES_256_GCM_SHA384

         TLS_AES_128_CCM_8_SHA256

         TLS_AES_128_CCM_SHA256

     Server-verify: enabled

Table 1 Command output

Server-verify: Indicates whether the client is enabled to use digital certificates to authenticate servers.

SSL version: SSL protocol version in the SSL client policy. Possible versions include:

·     SSL 3.0.

·     TLS 1.0.

·     TLS 1.1.

·     TLS 1.2.

·     TLS 1.3 (supported only by SSL VPN).

·     GM-TLS 1.1.

display ssl server-policy

Use display ssl server-policy to display SSL server policy information.

Syntax

display ssl server-policy [ policy-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Parameters

policy-name: Specifies an SSL server policy by its name, a case-insensitive string of 1 to 31 characters. If you do not specify a policy name, this command displays information about all SSL server policies.

Examples

# Display information about the SSL server policy policy1.

<Sysname> display ssl server-policy policy1

 SSL server policy: policy1

     Version info:

         SSL3.0: Disabled

         TLS1.0: Enabled

         TLS1.1: Disabled

         TLS1.2: Enabled

         TLS1.3: Enabled

         GM-TLS1.1: Disabled

     PKI domains: server-domain

     Ciphersuites:

         DHE_RSA_AES_128_CBC_SHA

         RSA_AES_128_CBC_SHA

         TLS_AES_128_GCM_SHA256

         TLS_CHACHA20_POLY1305_SHA256

         TLS_AES_256_GCM_SHA384

         TLS_AES_128_CCM_8_SHA256

         TLS_AES_128_CCM_SHA256

     Session cache size: 600

     Caching timeout: 3600 seconds

     Client-verify: Enabled

     Ciphersuite server-perferred: Disabled

Table 2 Command output

Version info: Enabling status of the SSL protocol versions in the SSL server policy. The SSL server can use only the enabled SSL protocol versions for session negotiation. Possible SSL protocol versions include:

·     SSL 3.0.

·     TLS 1.0.

·     TLS 1.1.

·     TLS 1.2.

·     TLS 1.3 (supported only by SSL VPN).

·     GM-TLS 1.1.

Caching timeout: Session cache timeout time in seconds.

Client-verify: SSL client authentication mode, including:

·     Disabled—SSL client authentication is disabled.

·     Enabled—SSL client authentication is mandatory.

·     Optional—SSL client authentication is optional.

Ciphersuite server-preferred: Enabling status of using the server-preferred order during the cipher suite negotiation between the SSL server and SSL client:

·     Enabled—The server-preferred order is used.

·     Disabled—The client-preferred order is used.

pki-domain (SSL client policy view)

Use pki-domain to specify a PKI domain for an SSL client policy.

Use undo pki-domain to restore the default.

Syntax

pki-domain domain-name

undo pki-domain

Default

No PKI domain is specified for an SSL client policy.

Views

SSL client policy view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

If you specify a PKI domain for an SSL client policy, the SSL client that uses the SSL client policy will obtain its digital certificate through the specified PKI domain.

Examples

# Specify PKI domain client-domain for SSL client policy policy1.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] pki-domain client-domain

Related commands

display ssl client-policy

pki domain

pki-domain (SSL server policy view)

Use pki-domain to specify a PKI domain for an SSL server policy.

Use undo pki-domain to restore the default.

Syntax

pki-domain domain-name

undo pki-domain

Default

No PKI domain is specified for an SSL server policy.

Views

SSL server policy view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. You must specify a minimum of one domain name. A maximum of two domain names are supported.

Usage guidelines

If you specify a PKI domain for an SSL server policy, the SSL server that uses the SSL server policy will obtain its digital certificate through the specified PKI domain.

Some services (such as SSL VPN, load balancing, and proxy policy) might require using two digital certificates on the server. To meet the requirement, you can use this command to specify two PKI domains in the SSL server policy at a time. If the two digital certificates obtained through the specified PKI domains are of the same type, only the digital certificate obtained through the first PKI domain takes effect.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify PKI domain server-domain for SSL server policy policy1.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] pki-domain server-domain

Related commands

display ssl server-policy

pki domain

prefer-cipher

Use prefer-cipher to specify a preferred cipher suite for an SSL client policy.

Use undo prefer-cipher to restore the default.

Syntax

prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_128_cbc_sha256 | dhe_rsa_aes_256_cbc_sha | dhe_rsa_aes_256_cbc_sha256 | ecc_sm2_sm1_sm3 | ecc_sm2_sm4_sm3 | ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_256_gcm_sha384 | ecdhe_sm2_sm1_sm3 | ecdhe_sm2_sm4_sm3 | exp_rsa_des_cbc_sha | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha256 | rsa_aes_128_gcm_sha256 | rsa_aes_256_cbc_sha | rsa_aes_256_cbc_sha256 | rsa_aes_256_gcm_sha384 | rsa_des_cbc_sha | rsa_sm1_sha | rsa_sm1_sm3 | rsa_sm4_sha | rsa_sm4_sm3 | tls_aes_128_ccm_sha256 | tls_aes_128_ccm_8_sha256 | tls_aes_128_gcm_sha256 | tls_aes_256_gcm_sha384 | tls_chacha20_poly1305_sha256 } *<1-11>

undo prefer-cipher

Default

The preferred cipher suites of an SSL client policy are DHE_RSA_AES_256_CBC_SHA, RSA_AES_256_CBC_SHA, DHE_RSA_AES_128_CBC_SHA, and RSA_AES_128_CBC_SHA.

Views

SSL client policy view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

dhe_rsa_aes_128_cbc_sha: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA.

dhe_rsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256.

dhe_rsa_aes_256_cbc_sha: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA.

dhe_rsa_aes_256_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA256.

ecc_sm2_sm1_sm3: Specifies the cipher suite that uses key exchange algorithm ECC SM2, data encryption algorithm 128-bit SM1, and MAC algorithm SM3.

ecc_sm2_sm4_sm3: Specifies the cipher suite that uses key exchange algorithm ECC SM2, data encryption algorithm SM4, and MAC algorithm SM3.

ecdhe_ecdsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256.

ecdhe_ecdsa_aes_128_gcm_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 128-bit AES_GCM, and MAC algorithm SHA256.

ecdhe_ecdsa_aes_256_cbc_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA384.

ecdhe_ecdsa_aes_256_gcm_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 256-bit AES_GCM, and MAC algorithm SHA384.

ecdhe_rsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256.

ecdhe_rsa_aes_128_gcm_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE RSA, data encryption algorithm 128-bit AES_GCM, and MAC algorithm SHA256.

ecdhe_rsa_aes_256_cbc_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA384.

ecdhe_rsa_aes_256_gcm_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE RSA, data encryption algorithm 256-bit AES_GCM, and MAC algorithm SHA384.

ecdhe_sm2_sm1_sm3: Specifies the cipher suite that uses key exchange algorithm ECDHE SM2, data encryption algorithm 128-bit SM1, and MAC algorithm SM3.

ecdhe_sm2_sm4_sm3: Specifies the cipher suite that uses key exchange algorithm ECDHE SM2, data encryption algorithm SM4, and MAC algorithm SM3.

exp_rsa_des_cbc_sha: Specifies the export cipher suite that uses key exchange algorithm RSA, data encryption algorithm DES_CBC, and MAC algorithm SHA.

rsa_3des_ede_cbc_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 3DES_EDE_CBC, and MAC algorithm SHA.

rsa_aes_128_cbc_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA.

rsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256.

rsa_aes_128_gcm_sha256: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit AES_GCM, and MAC algorithm SHA256.

rsa_aes_256_cbc_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA.

rsa_aes_256_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA256.

rsa_aes_256_gcm_sha384: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 256-bit AES_GCM, and MAC algorithm SHA384.

rsa_des_cbc_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm DES_CBC, and MAC algorithm SHA.

rsa_sm1_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit SM1, and MAC algorithm SHA.

rsa_sm1_sm3: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit SM1, and MAC algorithm SM3.

rsa_sm4_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm SM4, and MAC algorithm SHA.

rsa_sm4_sm3: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm SM4, and MAC algorithm SM3.

tls_aes_128_ccm_sha256: Specifies the cipher suite that uses data encryption algorithm AES_128_CCM and MAC algorithm SHA256. This cipher suite is TLS1.3 exclusive and is supported only by SSL VPN.

tls_aes_128_ccm_8_sha256: Specifies the cipher suite that uses data encryption algorithm AES_128_CCM_8 and MAC algorithm SHA256. This cipher suite is TLS1.3 exclusive and is supported only by SSL VPN.

tls_aes_128_gcm_sha256: Specifies the cipher suite that uses data encryption algorithm 128-bit AES_GCM and MAC algorithm SHA256. This cipher suite is TLS1.3 exclusive and is supported only by SSL VPN.

tls_aes_256_gcm_sha384: Specifies the cipher suite that uses data encryption algorithm 256-bit AES_GCM and MAC algorithm SHA384. This cipher suite is TLS1.3 exclusive and is supported only by SSL VPN.

tls_chacha20_poly1305_sha256: Specifies the cipher suite that uses data encryption algorithm CHACHA20 POLY1305 and MAC algorithm SHA256. This cipher suite is TLS1.3 exclusive and is supported only by SSL VPN.

<1-11>: Indicates that you can specify a maximum of 11 cipher suites at a time.

Usage guidelines

SSL employs the following algorithms:

·     Data encryption algorithms—Encrypt data to ensure privacy. Commonly used data encryption algorithms are symmetric key algorithms. When a symmetric key algorithm is used, the SSL server and the SSL client must use the same key.

·     Message Authentication Code (MAC) algorithms—Calculate the MAC value for data to ensure integrity. Commonly used MAC algorithms include SHA. When a MAC algorithm is used, the SSL server and the SSL client must use the same key.

·     Key exchange algorithms—Implement secure exchange of the keys used by the symmetric key algorithm and the MAC algorithm. Commonly used key exchange algorithms are asymmetric key algorithms, such as RSA.

The SSL client sends the preferred cipher suites to the SSL server. The server compares the received cipher suites with the cipher suites it supports. If a match is found, the cipher suite negotiation succeeds. If no match is found, the negotiation fails. The cipher suite matching can use the server-preferred order or the client-preferred order, depending on the configuration of the ciphersuite server-preferred enable command.

The earlier a cipher suite is configured, the higher priority it has during the cipher suite negotiation.

When executing the prefer-cipher command, you can specify a maximum of 11 cipher suites at a time. If you execute this command multiple times, the SSL client policy supports all the specified cipher suites.
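The negotiation rules stated in the usage guidelines of ciphersuite, ciphersuite server-preferred enable and prefer-cipher (configuration order as priority, at most 11 suites per execution, accumulation across executions, client-preferred versus server-preferred matching) modelled in Python as an added example; this is not H3C code. The policy names, the choice that the first explicit prefer-cipher replaces the default list, and the handling of a re-specified suite are assumptions.

```python
"""Cipher suite negotiation as described for the ciphersuite,
ciphersuite server-preferred enable and prefer-cipher commands.

Constructed model, not device code: policy names and suite lists are
illustrative, and suite names are compared case-insensitively."""

from typing import List, Optional

# ciphersuite and prefer-cipher accept at most 11 suites per execution (*<1-11>).
MAX_SUITES_PER_COMMAND = 11

# Default prefer-cipher list of an SSL client policy, in priority order.
DEFAULT_CLIENT_PREFER = [
    "DHE_RSA_AES_256_CBC_SHA", "RSA_AES_256_CBC_SHA",
    "DHE_RSA_AES_128_CBC_SHA", "RSA_AES_128_CBC_SHA",
]


def _append_suites(current: List[str], suites: tuple) -> None:
    """Shared rule of ciphersuite / prefer-cipher: 1 to 11 suites per execution,
    repeated executions accumulate, earlier entries keep the higher priority.
    Assumption: re-specifying a suite already in the list does not move it."""
    if not 1 <= len(suites) <= MAX_SUITES_PER_COMMAND:
        raise ValueError(f"specify 1 to {MAX_SUITES_PER_COMMAND} cipher suites")
    for suite in suites:
        suite = suite.upper()
        if suite not in current:
            current.append(suite)


class SslServerPolicy:
    def __init__(self, name: str) -> None:
        self.name = name
        self.ciphersuites: List[str] = []   # configuration order = priority order
        self.server_preferred = False       # ciphersuite server-preferred enable

    def ciphersuite(self, *suites: str) -> None:
        _append_suites(self.ciphersuites, suites)

    def ciphersuite_server_preferred_enable(self, enabled: bool = True) -> None:
        self.server_preferred = enabled

    def negotiate(self, client_hello: List[str]) -> Optional[str]:
        """Client-preferred (default): first suite in the client's list that the
        server also supports. Server-preferred: first suite in the server's list
        that the client also offered. None means the negotiation fails."""
        offered = [s.upper() for s in client_hello]
        if self.server_preferred:
            ordered, other = self.ciphersuites, set(offered)
        else:
            ordered, other = offered, set(self.ciphersuites)
        for suite in ordered:
            if suite in other:
                return suite
        return None


class SslClientPolicy:
    def __init__(self, name: str) -> None:
        self.name = name
        self.preferred: List[str] = list(DEFAULT_CLIENT_PREFER)
        self._configured = False

    def prefer_cipher(self, *suites: str) -> None:
        # Assumption: the first explicit prefer-cipher replaces the default list;
        # later executions accumulate as the usage guidelines describe.
        if not self._configured:
            self.preferred, self._configured = [], True
        _append_suites(self.preferred, suites)

    def client_hello(self) -> List[str]:
        """Suites the client sends to the server, in its order of preference."""
        return list(self.preferred)


def negotiation_examples() -> tuple:
    """Same server and client lists under both orders, plus a failing handshake."""
    server = SslServerPolicy("policy1")
    # The server ranks RSA_AES_128_CBC_SHA first because it was configured first.
    server.ciphersuite("rsa_aes_128_cbc_sha", "dhe_rsa_aes_128_cbc_sha")
    client = SslClientPolicy("policy1")      # default prefer-cipher list

    client_preferred = server.negotiate(client.client_hello())
    server.ciphersuite_server_preferred_enable()
    server_preferred = server.negotiate(client.client_hello())

    tls13_client = SslClientPolicy("policy2")
    tls13_client.prefer_cipher("tls_aes_128_gcm_sha256", "tls_chacha20_poly1305_sha256")
    failed = server.negotiate(tls13_client.client_hello())   # no common suite
    return client_preferred, server_preferred, failed


if __name__ == "__main__":
    print(negotiation_examples())
```

With the same two lists, the client-preferred order selects DHE_RSA_AES_128_CBC_SHA while the server-preferred order selects RSA_AES_128_CBC_SHA, which is the difference the ciphersuite server-preferred enable command controls.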

Examples

# Configure SSL client policy policy1 to support the key exchange algorithm RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] prefer-cipher rsa_aes_128_cbc_sha

Related commands

ciphersuite

display ssl client-policy

ciphersuite server-preferred enable

server-verify enable

Use server-verify enable to enable the SSL client to use digital certificates to authenticate the SSL server.

Use undo server-verify enable to disable SSL server authentication. The SSL client does not authenticate the SSL server.

Syntax

server-verify enable

undo server-verify enable

Default

The SSL client uses digital certificates to authenticate the SSL server.

Views

SSL client policy view

Predefined user roles

network-admin

context-admin

vsys-admin

Usage guidelines

SSL uses digital certificates to authenticate communicating parties. For more information about digital certificates, see Security Configuration Guide.

If you execute the server-verify enable command, the SSL server must send its digital certificate to the SSL client for authentication. The client can access the SSL server only after the server passes the authentication.

Examples

# Enable the SSL client to use digital certificates to authenticate the SSL server.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] server-verify enable

Related commands

display ssl client-policy

session

Use session to set the maximum number of sessions that the SSL server can cache and the timeout time for cached sessions.

Use undo session to restore the default.

Syntax

session { cachesize size | timeout time } *

undo session { cachesize | timeout } *

Default

The SSL server can cache a maximum of 500 sessions, and the timeout time for cached sessions is 3600 seconds.

Views

SSL server policy view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

cachesize size: Sets the maximum number of cached sessions, in the range of 100 to 20480.

timeout time: Sets the session cache timeout in the range of 1 to 4294967295 seconds.

Usage guidelines

The SSL server caches SSL sessions so that previously negotiated session parameters can be reused to simplify the SSL handshake. Use this command to limit the maximum number of cached sessions and their timeout time. When the number of cached sessions reaches the maximum, SSL does not cache new sessions. When the timeout timer for a cached session expires, SSL deletes the session.
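The two limits interact in a way that matters when sizing the cache: a full cache silently stops caching new sessions (those clients fall back to full handshakes), and only the timeout frees slots again. The following model, added here as an illustration and not code from the H3C product, reproduces exactly that behaviour for the cachesize and timeout ranges given above; the SessionCache and FakeClock names and the session IDs are constructed for the example.

```python
"""Model of the limits set with ``session cachesize <size> timeout <time>``.
Added illustration, not H3C code: a full cache refuses to cache new sessions,
and a cached session whose timeout has elapsed is deleted, as the usage
guidelines describe."""
import time

CACHESIZE_RANGE = (100, 20480)        # cachesize range given in the reference
TIMEOUT_RANGE = (1, 4294967295)       # timeout range in seconds


class SessionCache:
    """Server-side cache of negotiated session parameters keyed by session ID."""

    def __init__(self, cachesize=500, timeout=3600, clock=time.monotonic):
        if not CACHESIZE_RANGE[0] <= cachesize <= CACHESIZE_RANGE[1]:
            raise ValueError(f"cachesize {cachesize} outside {CACHESIZE_RANGE}")
        if not TIMEOUT_RANGE[0] <= timeout <= TIMEOUT_RANGE[1]:
            raise ValueError(f"timeout {timeout} outside {TIMEOUT_RANGE}")
        self.cachesize = cachesize
        self.timeout = timeout
        self._clock = clock                 # injectable so timeouts can be tested without sleeping
        self._entries = {}                  # session_id -> (params, expiry time)
        self.rejected = 0                   # sessions not cached because the cache was full

    def _expire(self):
        """Delete every cached session whose timeout timer has expired."""
        now = self._clock()
        for sid in [s for s, (_, exp) in self._entries.items() if exp <= now]:
            del self._entries[sid]

    def store(self, session_id, params):
        """Cache a freshly negotiated session; returns False when the cache is full."""
        self._expire()
        if session_id not in self._entries and len(self._entries) >= self.cachesize:
            self.rejected += 1
            return False
        self._entries[session_id] = (params, self._clock() + self.timeout)
        return True

    def lookup(self, session_id):
        """Return the cached parameters for an abbreviated handshake, or None."""
        self._expire()
        entry = self._entries.get(session_id)
        return entry[0] if entry else None

    def __len__(self):
        self._expire()
        return len(self._entries)


class FakeClock:
    """Manually advanced clock (constructed for the example) to exercise timeouts."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Fill a small cache, show the full-cache refusal, then let entries time out."""
    clock = FakeClock()
    cache = SessionCache(cachesize=100, timeout=1800, clock=clock)
    for i in range(100):
        cache.store(f"sid-{i}".encode(), b"master-secret-and-suite")
    refused = not cache.store(b"sid-extra", b"params")   # 101st session is not cached
    clock.advance(1800)                                    # every cached session reaches its timeout
    after_timeout = len(cache)                             # expired sessions are deleted
    cached_again = cache.store(b"sid-extra", b"params")   # room again after expiry
    return refused, after_timeout, cached_again


if __name__ == "__main__":
    print(demo())   # (True, 0, True)
```

The `rejected` counter is the figure to watch on a busy server: if it climbs, the cache is too small for the timeout chosen, and clients are paying for full handshakes even though reuse was intended.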

Examples

# Set the maximum number of cached sessions to 600, and the timeout time for cached sessions to 1800 seconds.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] session cachesize 600 timeout 1800

Related commands

display ssl server-policy

ssl client-policy

Use ssl client-policy to create an SSL client policy and enter its view, or enter the view of an existing SSL client policy.

Use undo ssl client-policy to delete an SSL client policy.

Syntax

ssl client-policy policy-name

undo ssl client-policy policy-name

Default

No SSL client policies exist.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

This command creates an SSL client policy for which you can configure SSL parameters that the client uses to establish a connection to the server. The parameters include a PKI domain and a preferred cipher suite. An SSL client policy takes effect only after it is associated with an application such as DDNS.

Examples

# Create an SSL client policy named policy1 and enter its view.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1]

Related commands

display ssl client-policy

ssl renegotiation disable

Use ssl renegotiation disable to disable SSL session renegotiation.

Use undo ssl renegotiation disable to restore the default.

Syntax

ssl renegotiation disable

undo ssl renegotiation disable

Default

SSL session renegotiation is enabled.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Usage guidelines

The SSL session renegotiation feature enables the SSL client and server to reuse a previously negotiated SSL session for an abbreviated handshake.

Disabling session renegotiation causes more computational overhead to the system but it can avoid potential risks. Disable SSL session renegotiation only when explicitly required.

Examples

# Disable SSL session renegotiation.

<Sysname> system-view

[Sysname] ssl renegotiation disable

ssl server-policy

Use ssl server-policy to create an SSL server policy and enter its view, or enter the view of an existing SSL server policy.

Use undo ssl server-policy to delete an SSL server policy.

Syntax

ssl server-policy policy-name

undo ssl server-policy policy-name

Default

No SSL server policies exist.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

policy-name: Specifies a name for the SSL server policy, a case-insensitive string of 1 to 31 characters.

Usage guidelines

This command creates an SSL server policy for which you can configure SSL parameters such as a PKI domain and supported cipher suites. An SSL server policy takes effect only after it is associated with an application such as HTTPS.

Examples

# Create an SSL server policy named policy1 and enter its view.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1]

Related commands

display ssl server-policy

ssl version disable

Use ssl version disable to disable the SSL server from using specific SSL protocol versions for session negotiation.

Use undo ssl version disable to restore the default.

Syntax

ssl version { gm-tls1.1 | ssl3.0 | tls1.0 | tls1.1 | tls1.2 | tls1.3 } * disable

undo ssl version { gm-tls1.1 | ssl3.0 | tls1.0 | tls1.1 | tls1.2 | tls1.3 } * disable

Default

The SSL server supports GM-TLS 1.1, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

gm-tls1.1: Specifies GM-TLS 1.1.

ssl3.0: Specifies SSL 3.0.

tls1.0: Specifies TLS 1.0.

tls1.1: Specifies TLS 1.1.

tls1.2: Specifies TLS 1.2.

tls1.3: Specifies TLS 1.3. This version is supported only by SSL VPN.

Usage guidelines

To enhance security, you can disable the SSL server from using specific SSL protocol versions.

This command allows you to disable SSL protocol versions in system view. You can also enable or disable an SSL protocol version in SSL server policy view by using the version disable command. An SSL server policy prefers the policy-specific setting over the system global setting.

Make sure the SSL server is allowed to use a minimum of one SSL protocol version for session negotiation.

Disabling an SSL protocol version does not affect the availability of earlier SSL protocol versions. For example, if you execute the ssl version tls1.1 disable command, TLS 1.1 is disabled but TLS 1.0 is still available for the SSL server.

Examples

# Disable TLS 1.0.

<Sysname> system-view

[Sysname] ssl version tls1.0 disable

Related commands

version disable

version

Use version to specify an SSL protocol version for an SSL client policy.

Use undo version to restore the default.

Syntax

version { gm-tls1.1 | ssl3.0 | tls1.0 | tls1.1 | tls1.2 | tls1.3 }

undo version

Default

An SSL client policy uses SSL protocol version TLS 1.2.

Views

SSL client policy view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

gm-tls1.1: Specifies GM-TLS 1.1.

ssl3.0: Specifies SSL 3.0.

tls1.0: Specifies TLS 1.0.

tls1.1: Specifies TLS 1.1.

tls1.2: Specifies TLS 1.2.

tls1.3: Specifies TLS 1.3. This version is supported only by SSL VPN.

Usage guidelines

To ensure security, do not specify SSL 3.0 for an SSL client policy.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the SSL protocol version to TLS 1.0 for SSL client policy policy1.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] version tls1.0

Related commands

display ssl client-policy

version disable

Use version disable to disable SSL protocol versions for the SSL server in an SSL server policy.

Use undo version disable to restore the default.

Syntax

version { gm-tls1.1 | ssl3.0 | tls1.0 | tls1.1 | tls1.2 | tls1.3 } * disable

undo version { gm-tls1.1 | ssl3.0 | tls1.0 | tls1.1 | tls1.2 | tls1.3 } * disable

Default

The SSL server supports GM-TLS 1.1, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3.

Views

SSL server policy view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

gm-tls1.1: Specifies GM-TLS 1.1.

ssl3.0: Specifies SSL 3.0.

tls1.0: Specifies TLS 1.0.

tls1.1: Specifies TLS 1.1.

tls1.2: Specifies TLS 1.2.

tls1.3: Specifies TLS 1.3. This version is supported only by SSL VPN.

Usage guidelines

You can enable or disable an SSL protocol version in system view or in SSL server policy view. An SSL server can use an SSL protocol version for session negotiation only when the status of the SSL protocol version in the SSL server policy is Enabled. The status of an SSL protocol version in an SSL server policy is determined in the following sequence:

1. Configuration of the version disable command in SSL server policy view.

2. Configuration of the ssl version disable command in system view.

3. Default setting (Enabled).

Make sure the SSL server is allowed to use a minimum of one SSL protocol version for session negotiation.

Disabling an SSL protocol version does not affect the availability of earlier SSL protocol versions. For example, if you execute the version tls1.1 disable command in SSL server policy view, TLS 1.1 is disabled but TLS 1.0 is still available for the SSL server.
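Because a disable in either view only switches off the named versions (an earlier version is never implicitly disabled with a later one), the only reliable way to know what a server policy will actually negotiate is to apply the three-step sequence above per version. The following script, added here as an illustration and not code from the H3C product, does that for the system-view ssl version disable command and the policy-view version disable command together: it parses a constructed configuration excerpt, resolves each policy's version status in the stated order, and reports two findings a reviewer wants, namely a policy with no version left enabled and a policy where SSL 3.0, TLS 1.0 or TLS 1.1 is still negotiable (SSL 3.0 per the reference's own guidance, TLS 1.0 and 1.1 as deprecated by RFC 8996). The model assumes that undo version ... disable in policy view simply removes that policy's own setting, so a policy can tighten the system setting but not loosen it; the policy names, the configuration text and the function names are constructed.

```python
"""Resolves which SSL/TLS versions an SSL server policy may negotiate from
constructed configuration lines, following the sequence in the reference:
policy-view ``version ... disable`` first, system-view ``ssl version ... disable``
second, the default (Enabled) last.  Added illustration, not H3C code."""

VERSIONS = ("gm-tls1.1", "ssl3.0", "tls1.0", "tls1.1", "tls1.2", "tls1.3")
# Versions flagged when still negotiable: SSL 3.0 per the reference's own
# guidance, TLS 1.0 and TLS 1.1 as deprecated by RFC 8996.
LEGACY = ("ssl3.0", "tls1.0", "tls1.1")

# Constructed running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
#
ssl version ssl3.0 tls1.0 disable
#
ssl server-policy web
 version tls1.1 disable
#
ssl server-policy legacy
 session cachesize 600 timeout 1800
#
ssl server-policy mgmt
 version gm-tls1.1 tls1.1 tls1.2 tls1.3 disable
#
"""


def parse_config(text):
    """Return (system_disabled, {policy_name: versions disabled in that policy view})."""
    system_disabled = set()
    policies = {}
    current = None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "#":
            current = None                 # a bare '#' ends the current view block
            continue
        if words[:2] == ["ssl", "server-policy"] and len(words) == 3:
            current = words[2]
            policies.setdefault(current, set())
        elif words[:2] == ["ssl", "version"] and words[-1] == "disable":
            system_disabled.update(v for v in words[2:-1] if v in VERSIONS)
        elif words[:3] == ["undo", "ssl", "version"] and words[-1] == "disable":
            system_disabled.difference_update(words[3:-1])
        elif current and words[0] == "version" and words[-1] == "disable":
            policies[current].update(v for v in words[1:-1] if v in VERSIONS)
        elif current and words[:2] == ["undo", "version"] and words[-1] == "disable":
            policies[current].difference_update(words[2:-1])   # assumption: back to the view default
    return system_disabled, policies


def resolve(policy, system_disabled, policies):
    """Per version: step 1 policy-view setting, step 2 system setting, step 3 Enabled."""
    in_policy = policies.get(policy, set())
    status = {}
    for v in VERSIONS:
        if v in in_policy:
            status[v] = False              # step 1: disabled in SSL server policy view
        elif v in system_disabled:
            status[v] = False              # step 2: disabled in system view
        else:
            status[v] = True               # step 3: default setting (Enabled)
    return status


def audit(policy, system_disabled, policies):
    """Findings: nothing left to negotiate, or a legacy version still negotiable."""
    status = resolve(policy, system_disabled, policies)
    findings = []
    if not any(status.values()):
        findings.append(f"{policy}: no SSL protocol version left enabled; negotiation cannot succeed")
    findings.extend(f"{policy}: legacy version {v} still negotiable" for v in LEGACY if status[v])
    return findings


if __name__ == "__main__":
    sd, pol = parse_config(SAMPLE_CONFIG)
    for name in pol:
        enabled = [v for v, ok in resolve(name, sd, pol).items() if ok]
        print(name, "negotiable:", enabled, "findings:", audit(name, sd, pol))
```

Running it against the sample shows the three outcomes the guidelines describe: policy web negotiates only TLS 1.2, TLS 1.3 and GM-TLS 1.1; policy legacy inherits the system setting and still has TLS 1.1 open because disabling SSL 3.0 and TLS 1.0 in system view says nothing about TLS 1.1; and policy mgmt has disabled everything the system view left enabled, which is exactly the state the "minimum of one SSL protocol version" rule warns about.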

Examples

# Disable TLS 1.0 in SSL server policy policy1.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] version tls1.0 disable

Related commands

ssl version disable
