Configuring an SSL server policy

An SSL server policy is a set of SSL parameters used by the SSL server. An SSL server policy takes effect only after it is associated with an application such as HTTPS.

SSL protocol versions include SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2. By default, the SSL server can communicate with clients running all SSL protocol versions. When the server receives an SSL 2.0 Client Hello message from a client, it notifies the client to use a later version for communication.

To enhance system security, you can disable specific SSL protocol versions so the SSL server cannot use them for session negotiation.

To configure an SSL server policy:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. (Optional.) Disable the SSL server from using specific SSL protocol versions for session negotiation.	In non-FIPS mode:ssl version { ssl3.0 \| tls1.0 \| tls1.1 } * disable In FIPS mode:ssl version { tls1.0 \| tls1.1 } * disable	By default: In non-FIPS mode, the SSL server supports SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2. In FIPS mode, the SSL server supports TLS 1.0, TLS 1.1, and TLS 1.2.
3. (Optional.) Disable SSL session renegotiation for the SSL server.	ssl renegotiation disable	By default, SSL session renegotiation is enabled.
4. Create an SSL server policy and enter its view.	ssl server-policy policy-name	By default, no SSL server policies exist.
5. (Optional.) Specify a PKI domain for the SSL server policy.	pki-domain domain-name	By default, no PKI domain is specified for an SSL server policy. If SSL server authentication is required, you must specify a PKI domain and request a local certificate for the SSL server in the domain. For information about configuring a PKI domain, see "Configuring PKI."
6. Specify the cipher suites that the SSL server policy supports.	In non-FIPS mode:ciphersuite { dhe_rsa_aes_128_cbc_sha \| dhe_rsa_aes_128_cbc_sha256 \| dhe_rsa_aes_256_cbc_sha \| dhe_rsa_aes_256_cbc_sha256 \| ecdhe_ecdsa_aes_128_cbc_sha256 \| ecdhe_ecdsa_aes_128_gcm_sha256 \| ecdhe_ecdsa_aes_256_cbc_sha384 \| ecdhe_ecdsa_aes_256_gcm_sha384 \| ecdhe_rsa_aes_128_cbc_sha256 \| ecdhe_rsa_aes_128_gcm_sha256 \| ecdhe_rsa_aes_256_cbc_sha384 \| ecdhe_rsa_aes_256_gcm_sha384 \| exp_rsa_des_cbc_sha \| exp_rsa_rc2_md5 \| exp_rsa_rc4_md5 \| rsa_3des_ede_cbc_sha \| rsa_aes_128_cbc_sha \| rsa_aes_128_cbc_sha256 \| rsa_aes_256_cbc_sha \| rsa_aes_256_cbc_sha256 \| rsa_des_cbc_sha \| rsa_rc4_128_md5 \| rsa_rc4_128_sha } * In FIPS mode: ciphersuite { ecdhe_ecdsa_aes_128_cbc_sha256 \| ecdhe_ecdsa_aes_256_cbc_sha384 \| ecdhe_ecdsa_aes_128_gcm_sha256 \| ecdhe_ecdsa_aes_256_gcm_sha384 \| ecdhe_rsa_aes_128_cbc_sha256 \| ecdhe_rsa_aes_128_gcm_sha256 \| ecdhe_rsa_aes_256_cbc_sha384 \| ecdhe_rsa_aes_256_gcm_sha384 \| rsa_aes_128_cbc_sha \| rsa_aes_128_cbc_sha256 \| rsa_aes_256_cbc_sha \| rsa_aes_256_cbc_sha256 } *	By default, an SSL server policy supports all cipher suites.
7. Set the maximum number of sessions that the SSL server can cache and the session cache timeout time.	session { cachesize size \| timeout time }	By default, the SSL server can cache a maximum of 500 sessions, and the session cache timeout time is 3600 seconds.
8. (Optional.) Enable mandatory or optional SSL client authentication.	client-verify { enable \| optional }	By default, SSL client authentication is disabled. The SSL server does not perform digital certificate-based authentication on SSL clients. When authenticating a client by using the digital certificate, the SSL server verifies the certificate chain presented by the client. It also verifies that the certificates in the certificate chain (except the root CA certificate) are not revoked.

prev	up	next
SSL configuration task list	home	Configuring an SSL client policy