Configuring an SSL client policy

An SSL client policy is a set of SSL parameters that the client uses to establish a connection to the server. An SSL client policy takes effect only after it is associated with an application such as DDNS. For information about DDNS, see Layer 3—IP Services Configuration Guide.

You can specify the SSL protocol version (SSL 3.0 or TLS 1.0) for an SSL client policy.

As a best practice to enhance system security, disable SSL 3.0 on the device and specify TLS 1.0 for an SSL client policy.

To configure an SSL client policy:

Step 1. Enter system view.
   Command: system-view
   Remarks: N/A

Step 2. (Optional.) Disable SSL 3.0 on the device.
   Command: ssl version ssl3.0 disable
   Remarks: By default, SSL 3.0 is enabled on the device.

Step 3. (Optional.) Disable SSL session renegotiation for the SSL client.
   Command: ssl renegotiation disable
   Remarks: By default, SSL session renegotiation is enabled.

Step 4. Create an SSL client policy and enter its view.
   Command: ssl client-policy policy-name
   Remarks: By default, no SSL client policies exist on the device.

Step 5. (Optional.) Specify a PKI domain for the SSL client policy.
   Command: pki-domain domain-name
   Remarks: By default, no PKI domain is specified for an SSL client policy.
   If SSL client authentication is required, you must specify a PKI domain and request a local certificate for the SSL client in the PKI domain.
   For information about how to create and configure a PKI domain, see "Configuring PKI."

Step 6. Specify the preferred cipher suite for the SSL client policy.
   Command:
   • In non-FIPS mode: prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }
   • In FIPS mode: prefer-cipher { rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha }
   Remarks:
   • In non-FIPS mode, the default preferred cipher suite is rsa_rc4_128_md5.
   • In FIPS mode, the default preferred cipher suite is rsa_aes_128_cbc_sha.

Step 7. Specify the SSL protocol version for the SSL client policy.
   Command:
   • In non-FIPS mode: version { ssl3.0 | tls1.0 }
   • In FIPS mode: version tls1.0
   Remarks: By default, an SSL client policy uses TLS 1.0.

Step 8. Enable the SSL client to authenticate servers through digital certificates.
   Command: server-verify enable
   Remarks: By default, SSL server authentication is enabled.
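The following CLI session walks through all eight steps above in one go. It is an added example written for this page, not a session taken from the guide or from the vendor. The device name, the policy name ddns-client, the PKI domain name sslclient-pki, and the exact form of the view prompts are assumptions; lines beginning with "#" are annotations, not commands. The closing quit and display ssl client-policy commands are standard Comware commands but are not part of the procedure on this page.

```text
# Added example (not from the guide): hardened SSL client settings plus a
# client policy named "ddns-client" that an application such as DDNS can reference.
<Device> system-view
# Step 2: disable SSL 3.0 device-wide (it is enabled by default).
[Device] ssl version ssl3.0 disable
# Step 3: disable client-side session renegotiation (enabled by default).
[Device] ssl renegotiation disable
# Step 4: create the client policy and enter its view (prompt format assumed).
[Device] ssl client-policy ddns-client
# Step 5: bind a PKI domain; needed only when the server requires client
# authentication. The domain "sslclient-pki" is assumed to already exist and to
# hold a local certificate requested for this SSL client.
[Device-ssl-client-policy-ddns-client] pki-domain sslclient-pki
# Step 6: prefer an AES/SHA suite instead of the default rsa_rc4_128_md5.
[Device-ssl-client-policy-ddns-client] prefer-cipher rsa_aes_256_cbc_sha
# Step 7: state the protocol version explicitly, even though TLS 1.0 is the default.
[Device-ssl-client-policy-ddns-client] version tls1.0
# Step 8: keep server certificate verification on (the default).
[Device-ssl-client-policy-ddns-client] server-verify enable
[Device-ssl-client-policy-ddns-client] quit
# Review the resulting policy before associating it with an application.
[Device] display ssl client-policy ddns-client
```

The values chosen here (rsa_aes_256_cbc_sha and tls1.0) are accepted in both non-FIPS and FIPS mode, so the same sequence can be reused on a device running in either mode. Leaving server-verify enable in place matters: with server verification off, the client would accept any certificate the peer presents, which defeats the purpose of the PKI domain.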