client-verify
Use client-verify to enable mandatory or optional SSL client authentication.
Use undo client-verify to restore the default.
Syntax
client-verify { enable | optional }
undo client-verify [ enable ]
Default
SSL client authentication is disabled. The SSL server does not authenticate SSL clients based on digital certificates.
Views
SSL server policy view
Predefined user roles
network-admin
mdc-admin
Parameters
enable: Enables mandatory SSL client authentication.
optional: Enables optional SSL client authentication.
Usage guidelines
SSL uses digital certificates to authenticate communicating parties. For more information about digital certificates, see Security Configuration Guide.
Mandatory SSL client authentication—The SSL server requires an SSL client to submit its digital certificate for identity authentication. The SSL client can access the SSL server only after it passes identity authentication.
Optional SSL client authentication—The SSL server does not require an SSL client to submit its digital certificate for identity authentication.
If an SSL client submits its certificate to the SSL server, the server authenticates the client identity. The client must pass authentication to access the server.
If an SSL client does not submit its certificate to the SSL server, the server does not authenticate the client identity. The client can access the SSL server without authentication.
If SSL client authentication is disabled, the SSL server does not authenticate SSL clients regardless of whether the clients submit digital certificates or not. SSL clients can access the SSL server without authentication.
When authenticating a client by using the digital certificate, the SSL server performs the following operations:
Verifies the certificate chain presented by the client.
Checks that the certificates in the certificate chain (except the root CA certificate) are not revoked.
Examples
# Enable mandatory SSL client authentication.
<Sysname> system-view [Sysname] ssl server-policy policy1 [Sysname-ssl-server-policy-policy1] client-verify enable
# Enable optional SSL client authentication.
<Sysname> system-view [Sysname] ssl server-policy policy1 [Sysname-ssl-server-policy-policy1] client-verify optional
# Disable SSL client authentication.
<Sysname> system-view [Sysname] ssl server-policy policy1 [Sysname-ssl-server-policy-policy1] undo client-verify
Related commands
display ssl server-policy