Configuring an SSL server policy

An SSL server policy is a set of SSL parameters for a server to use when booting up. An SSL server policy takes effect only after it is associated with an application such as HTTPS.

SSL protocol versions include SSL 2.0, SSL 3.0, and TLS 1.0 (or SSL 3.1). By default, the SSL server can communicate with clients running SSL 3.0 or TLS 1.0. When the server receives an SSL 2.0 Client Hello message from a client that supports both SSL 2.0 and SSL 3.0/TLS 1.0, it notifies the client to use SSL 3.0 or TLS 1.0 for communication.

You can disable SSL 3.0 on the device to enhance system security.

In FIPS mode, only TLS 1.0 is supported.

To configure an SSL server policy:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Disable SSL 3.0 on the device.

ssl version ssl3.0 disable

Optional.

By default, SSL 3.0 is enabled on the device.

3. Set the encryption mode of the ESM encryption card to SSL.

card-mode slot slot-number ssl

Required when an ESM encryption card is used.

This configuration takes effect after the device reboots.

4. Create an SSL server policy and enter its view.

ssl server-policy policy-name

N/A

5. Specify a PKI domain for the SSL server policy.

pki-domain domain-name

Optional.

By default, no PKI domain is specified for an SSL server policy, and the SSL server generates and signs a certificate for itself and does not obtain a certificate from a CA server.

If SSL clients authenticate the server through a digital certificate, you must use this command to specify a PKI domain and request a local certificate for the SSL server in the PKI domain.

For information about how to configure a PKI domain, see "Configuring PKI."

6. Specify the cipher suites for the SSL server policy to support.

  • In non-FIPS mode:ciphersuite [ rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *

  • In FIPS mode:ciphersuite [ dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha ] *

Optional.

By default, an SSL server policy supports all cipher suites.

7. Set the handshake timeout time for the SSL server.

handshake timeout time

Optional.

The default handshake timeout time is 3600 seconds.

8. Set the SSL connection close mode.

close-mode wait

Optional.

By default, An SSL server sends a close-notify alert message to the client and closes the connection without waiting for the close-notify alert message from the client.

9. Set the maximum number of cached sessions and the caching timeout time.

session { cachesize size | timeout time } *

Optional.

The defaults are as follows:

  • 500 for the maximum number of cached sessions.

  • 3600 seconds for the caching timeout time.

10. Configure the server to require certificate-based SSL client authentication.

client-verify enable

Optional.

By default, the SSL server does not require the client to be authenticated.

11. Enable SSL client weak authentication.

client-verify weaken

Optional.

Disabled by default.

This command takes effect only when the client-verify enable command is configured.