Configuring an SSL server policy

An SSL server policy is a set of SSL parameters for a server to use when booting up. An SSL server policy takes effect only after it is associated with an application such as HTTPS.

SSL protocol versions include SSL 2.0, SSL 3.0, and TLS 1.0 (or SSL 3.1). By default, the SSL server can communicate with clients running SSL 3.0 or TLS 1.0. When the server receives an SSL 2.0 Client Hello message from a client that supports both SSL 2.0 and SSL 3.0/TLS 1.0, it notifies the client to use SSL 3.0 or TLS 1.0 for communication.

You can disable SSL 3.0 on the device to enhance system security.

To configure an SSL server policy:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Disable SSL 3.0 on the device.
   Command: ssl version ssl3.0 disable
   Remarks: Optional. By default, SSL 3.0 is enabled.

3. Create an SSL server policy and enter its view.
   Command: ssl server-policy policy-name
   Remarks: N/A

4. Specify a PKI domain for the SSL server policy.
   Command: pki-domain domain-name
   Remarks: Optional.
   By default, no PKI domain is specified for an SSL server policy, and the SSL server generates a certificate itself instead of requesting one from the CA.
   After you specify a PKI domain, the SSL server requests a certificate through that PKI domain.
   If the client requires certificate-based authentication of the SSL server, you must use this command to specify a PKI domain.
   For more information about PKI domain configuration, see "Configuring PKI."

5. Specify the cipher suites for the SSL server policy to support.
   Command:
     • In non-FIPS mode: ciphersuite [ rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *
     • In FIPS mode: ciphersuite [ rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha ] *
   Remarks: Optional. By default, an SSL server policy supports all cipher suites.

6. Set the SSL handshake timeout.
   Command: handshake timeout time
   Remarks: Optional. The default is 3600 seconds.

7. Set the SSL connection close mode.
   Command: close-mode wait
   Remarks: Optional. By default, the SSL server sends a close-notify alert message to the client and closes the connection without waiting for the close-notify alert message from the client.

8. Set the maximum number of cached sessions and the session caching timeout.
   Command: session { cachesize size | timeout time } *
   Remarks: Optional. The defaults are as follows:
     • 500 for the maximum number of cached sessions.
     • 3600 seconds for the session caching timeout.

9. Enable the SSL server to perform digital certificate-based authentication of SSL clients.
   Command: client-verify enable
   Remarks: Optional. By default, the SSL server does not require clients to be authenticated.

10. Enable SSL client weak authentication.
   Command: client-verify weaken
   Remarks: Optional. Disabled by default.
   This command takes effect only when the client-verify enable command is configured.
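The following command sequence is an added illustration, not taken from the product documentation, that applies the steps above to a policy restricted to the stronger options: SSL 3.0 disabled, only the AES cipher suites allowed, a shorter handshake timeout, and certificate-based client authentication required with weak authentication left disabled. The policy name myssl, the PKI domain name mydomain, and the timeout and cache values are assumed; lines starting with # are annotations, not commands.

```text
# Assumed names: policy "myssl" and PKI domain "mydomain" (the domain must already
# exist; see "Configuring PKI"). Timeout and cache values below are also assumed.
system-view
# Refuse SSL 3.0 device-wide so that only TLS 1.0 is negotiated (default: SSL 3.0 enabled).
ssl version ssl3.0 disable
ssl server-policy myssl
# Obtain the server certificate through the PKI domain rather than a self-generated one;
# needed when clients perform certificate-based authentication of the server.
pki-domain mydomain
# Default is all suites, including RC4, DES and 3DES. Keep only the AES suites
# (the same set that is permitted in FIPS mode).
ciphersuite rsa_aes_128_cbc_sha rsa_aes_256_cbc_sha
# Default is 3600 seconds; a shorter value limits how long an unfinished handshake holds resources.
handshake timeout 180
# Wait for the client's close-notify alert instead of closing right after sending the server's.
close-mode wait
# Defaults are 500 sessions and 3600 seconds; cache fewer sessions and age them out sooner.
session cachesize 300 timeout 1800
# Require clients to present a certificate. client-verify weaken is deliberately not
# configured, so certificate-based client authentication is enforced strictly.
client-verify enable
```

Because a policy takes effect only once it is associated with an application such as HTTPS, the sequence above has no effect on traffic until that association is made.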