Configuring an SSL server policy

An SSL server policy is a set of SSL parameters used by the SSL server. An SSL server policy takes effect only after it is associated with an application such as HTTPS.


NOTE:

  • SSL protocol versions include SSL 2.0, SSL 3.0, and TLS 1.0 (or SSL 3.1). By default, the SSL server can communicate with clients running SSL 3.0 or TLS 1.0. When the server receives an SSL 2.0 Client Hello message from a client that supports both SSL 2.0 and SSL 3.0/TLS 1.0, it notifies the client to use SSL 3.0 or TLS 1.0 for communication.

  • You can disable SSL 3.0 on the device to enhance system security.


To configure an SSL server policy:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. (Optional.) Disable SSL 3.0 on the device.
   Command: ssl version ssl3.0 disable
   Remarks: By default, SSL 3.0 is enabled on the device.

3. (Optional.) Disable SSL session renegotiation for the SSL server.
   Command: ssl renegotiation disable
   Remarks: By default, SSL session renegotiation is enabled.

4. Create an SSL server policy and enter its view.
   Command: ssl server-policy policy-name
   Remarks: By default, no SSL server policies exist on the device.

5. (Optional.) Specify a PKI domain for the SSL server policy.
   Command: pki-domain domain-name
   Remarks: By default, no PKI domain is specified for an SSL server policy. If SSL server authentication is required, you must specify a PKI domain and request a local certificate for the SSL server in the domain. For information about how to create and configure a PKI domain, see "Configuring PKI."

6. Specify the cipher suites that the SSL server policy supports.
   Command (non-FIPS mode): ciphersuite { dhe_rsa_aes_128_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } *
   Command (FIPS mode): ciphersuite { rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha } *
   Remarks: By default, an SSL server policy supports all cipher suites.

7. Set the maximum number of sessions that the SSL server can cache and the session cache timeout time.
   Command: session { cachesize size | timeout time }
   Remarks: By default, the SSL server can cache a maximum of 500 sessions, and the session cache timeout time is 3600 seconds.

8. (Optional.) Enable mandatory or optional SSL client authentication.
   Command: client-verify { enable | optional }
   Remarks: By default, SSL client authentication is disabled. The SSL server does not perform digital certificate-based authentication on SSL clients. When authenticating a client by using the digital certificate, the SSL server verifies the certificate chain presented by the client. It also verifies that the certificates in the certificate chain (except the root CA certificate) are not revoked.

9. Enable the SSL server to send the complete certificate chain to the client during SSL negotiation.
   Command: certificate-chain-sending enable
   Remarks: By default, the SSL server sends the server certificate rather than the complete certificate chain to the client during negotiation.
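Added example, not part of this configuration guide or of the device software: a small Python audit that parses a server-policy stanza written in this page's command syntax and reports the settings the steps above leave weak by default (SSL 3.0 and renegotiation enabled, all cipher suites including the export-grade ones accepted, no PKI domain). The sample configuration is constructed, its layout (indented lines under the policy, "#" separators) is an assumption about how the running configuration is displayed, and the weak-suite classification is keyed on the primitives named in the step 6 keywords, so it also generalizes to any suite name containing them.

```python
# Constructed sample in this page's command syntax (not device output; the stanza layout is assumed).
SAMPLE_CONFIG = """\
ssl renegotiation disable
#
ssl server-policy web
 pki-domain corp
 ciphersuite exp_rsa_rc4_md5 rsa_rc4_128_md5 rsa_aes_128_cbc_sha rsa_aes_256_cbc_sha
 client-verify enable
"""
# Weak primitives named in the page's non-FIPS suite keywords; a suite matching none is kept.
WEAK_MARKERS = (("exp_", "export-grade key"), ("rc2", "RC2"), ("rc4", "RC4"),
                ("_des_", "single DES"), ("3des", "3DES (64-bit block)"), ("md5", "MD5"))


def parse_policies(config):
    """Return (set of top-level commands, {policy_name: {keyword: [args...]}})."""
    top_level, policies, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":          # blank or "#" ends the current policy view
            current = None
        elif raw[0].isspace():               # indented command inside a policy view
            if current is not None:
                keyword, *args = line.split()
                current.setdefault(keyword, []).extend(args)
        elif line.startswith("ssl server-policy "):
            current = policies.setdefault(line.split()[2], {})
        else:                                # any other top-level command
            current = None
            top_level.add(line)
    return top_level, policies


def audit(config):
    """Return findings as strings; an empty list means nothing on this page's checklist is weak."""
    top_level, policies = parse_policies(config)
    findings = []
    for cmd in ("ssl version ssl3.0 disable", "ssl renegotiation disable"):
        if cmd not in top_level:             # both stay enabled until explicitly disabled
            findings.append(f"global: '{cmd}' missing, default leaves it enabled")
    for name, pol in sorted(policies.items()):
        if "ciphersuite" not in pol:         # default: every suite, export ones included
            findings.append(f"{name}: no ciphersuite command, all suites accepted")
        for suite in pol.get("ciphersuite", []):
            reasons = [why for marker, why in WEAK_MARKERS if marker in suite]
            if reasons:
                findings.append(f"{name}: weak cipher suite {suite} ({', '.join(reasons)})")
        if "pki-domain" not in pol:          # without a domain the server has no certificate to present
            findings.append(f"{name}: no pki-domain, server cannot authenticate itself")
    return findings
```

Run `audit()` over the text of your own server-policy configuration; the sample above yields three findings (SSL 3.0 not disabled and two RC4/MD5 suites), while a policy restricted to the AES suites with both global disables present yields none.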