client-verify

Use client-verify to enable mandatory or optional SSL client authentication.

Use undo client-verify to restore the default.

Syntax

client-verify { enable | optional }

undo client-verify [ enable ]

Default

SSL client authentication is disabled. The SSL server does not authenticate SSL clients based on digital certificates.

Views

SSL server policy view

Predefined user roles

network-admin

mdc-admin

Parameters

enable: Enables mandatory SSL client authentication.

optional: Enables optional SSL client authentication.

Usage guidelines

SSL uses digital certificates to authenticate communicating parties. For more information about digital certificates, see Security Configuration Guide.

Mandatory SSL client authentication—The SSL server requires an SSL client to submit its digital certificate for identity authentication. The SSL client can access the SSL server only after it passes identity authentication.

Optional SSL client authentication—The SSL server does not require an SSL client to submit its digital certificate for identity authentication.

If SSL client authentication is disabled, the SSL server does not authenticate SSL clients, regardless of whether the clients submit digital certificates. SSL clients can access the SSL server without authentication.

When authenticating a client by using the digital certificate, the SSL server performs the following operations:

Examples

# Enable mandatory SSL client authentication.

<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] client-verify enable

# Enable optional SSL client authentication.

<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] client-verify optional

# Disable SSL client authentication.

<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] undo client-verify
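# Audit saved configuration text for the client-verify setting.

The following script is an added example, not part of the original command reference. It reports the client authentication mode of each SSL server policy and treats a policy with no client-verify line as disabled, the documented default. The sample configuration is constructed, and its layout (a policy header line, sub-commands indented by one space, "#" between sections) is an assumption about how the configuration is saved.

```python
import re

# Constructed sample configuration text (assumed layout, see lead-in).
SAMPLE_CONFIG = """\
#
ssl server-policy policy1
 client-verify enable
#
ssl server-policy policy2
 client-verify optional
#
ssl server-policy policy3
#
"""

HEADER = re.compile(r"^ssl server-policy (\S+)\s*$")
VERIFY = re.compile(r"^\s+client-verify (enable|optional)\s*$")


def client_verify_modes(config_text):
    """Map each SSL server policy to 'enable', 'optional' or 'disabled'."""
    modes = {}
    current = None
    for line in config_text.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(1)
            modes[current] = "disabled"  # default when no client-verify line follows
            continue
        if not line.startswith(" "):
            current = None  # "#" or any top-level line leaves the policy view
            continue
        verify = VERIFY.match(line)
        if verify and current is not None:
            modes[current] = verify.group(1)
    return modes


def policies_without_mandatory_auth(config_text):
    """Names of policies that let a client connect without a certificate."""
    modes = client_verify_modes(config_text)
    return sorted(name for name, mode in modes.items() if mode != "enable")


if __name__ == "__main__":
    for name, mode in client_verify_modes(SAMPLE_CONFIG).items():
        print(f"{name}: client-verify {mode}")
    print("review:", policies_without_mandatory_auth(SAMPLE_CONFIG))
```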

Related commands

display ssl server-policy