Configuring an SSL client policy
An SSL client policy is a set of SSL parameters that a client uses when it connects to an SSL server. An SSL client policy takes effect only after it is associated with an application-layer protocol.
You can specify the SSL protocol version (SSL 3.0 or TLS 1.0) for an SSL client policy:

- If TLS 1.0 is specified and SSL 3.0 is not disabled, the client first uses TLS 1.0 to connect to the SSL server. If the connection attempt fails, the client uses SSL 3.0.
- If TLS 1.0 is specified and SSL 3.0 is disabled, the client only uses TLS 1.0 to connect to the SSL server.
- If SSL 3.0 is specified, the client uses SSL 3.0 to connect to the SSL server, whether you disable SSL 3.0 or not.
As a best practice to enhance system security, disable SSL 3.0 on the device and specify TLS 1.0 for the SSL client policy. With SSL 3.0 disabled, a failed TLS 1.0 connection attempt cannot fall back to the weaker protocol.
To configure an SSL client policy:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Disable SSL 3.0 on the device. | ssl version ssl3.0 disable | Optional. By default, SSL 3.0 is enabled on the device. |
3. Create an SSL client policy and enter its view. | ssl client-policy policy-name | N/A |
4. Specify a PKI domain for the SSL client policy. | pki-domain domain-name | Optional. No PKI domain is specified by default. If the SSL server authenticates the SSL client through a digital certificate, you must use this command to specify a PKI domain and request a local certificate for the SSL client in the PKI domain. For information about how to configure a PKI domain, see "Configuring PKI." |
5. Specify the preferred cipher suite for the SSL client policy. | | Optional. rsa_rc4_128_md5 by default. |
6. Specify the SSL protocol version for the SSL client policy. | version { ssl3.0 \| tls1.0 } | Optional. TLS 1.0 by default. |
7. Enable certificate-based SSL server authentication. | server-verify enable | Optional. Enabled by default. |
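The following audit script, added here as an example and not part of the original guide, applies the three version-selection rules above to a configuration dump written in the command syntax of the table. The sample configuration, the policy names and the finding text are constructed for the example; the script assumes that a `#` line closes a policy view in the dump and that a policy without a `version` command uses the TLS 1.0 default.

```python
# Constructed sample of a Comware-style configuration dump (not from any real device).
SAMPLE_CONFIG = """\
ssl version ssl3.0 disable
#
ssl client-policy secure-client
 pki-domain client-domain
 version tls1.0
 server-verify enable
#
ssl client-policy legacy-client
 version ssl3.0
#
ssl client-policy default-client
#
"""
FALLBACK = "TLS 1.0 with fallback to SSL 3.0 (SSL 3.0 not disabled on the device)"
SSL3_ONLY = "SSL 3.0 only (version ssl3.0 ignores the device-level disable)"

def effective_versions(ssl3_disabled, version):
    # Versions the client tries, in order, under the three rules above.
    if version == "ssl3.0":
        return ["ssl3.0"]               # used whether or not SSL 3.0 is disabled
    if ssl3_disabled:
        return ["tls1.0"]
    return ["tls1.0", "ssl3.0"]         # TLS 1.0 first, SSL 3.0 if that fails

def parse_ssl_config(text):
    # Returns (ssl3_disabled, {policy_name: configured version}).
    ssl3_disabled, policies, current = False, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "ssl version ssl3.0 disable":
            ssl3_disabled = True
        elif line.startswith("ssl client-policy "):
            current = line.split(None, 2)[2]
            policies[current] = "tls1.0"   # default when no version command is present
        elif current and line.startswith("version "):
            policies[current] = line.split()[1]
        elif line == "#":
            current = None                 # assumption: '#' closes the policy view
    return ssl3_disabled, policies

def audit(text):
    # Maps each policy to a finding, or None when only TLS 1.0 can be used.
    ssl3_disabled, policies = parse_ssl_config(text)
    report = {}
    for name, version in policies.items():
        tried = effective_versions(ssl3_disabled, version)
        report[name] = SSL3_ONLY if tried == ["ssl3.0"] else FALLBACK if "ssl3.0" in tried else None
    return report
```

Running `audit` on the same dump with the `ssl version ssl3.0 disable` line removed flags the TLS 1.0 policies as able to fall back, which is the case the best-practice note warns against.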