Configuring an SSL client policy

An SSL client policy is a set of SSL parameters for a client to use when connecting to the server. An SSL client policy takes effect only after it is associated with an application layer protocol.

You can specify the SSL protocol version (SSL 3.0 or TLS 1.0) for an SSL client policy.

As a best practice, disable SSL 3.0 on the device and specify TLS 1.0 for an SSL client policy to enhance system security.

To configure an SSL client policy:

| Step | Command | Remarks |
|------|---------|---------|
| 1. Enter system view. | `system-view` | N/A |
| 2. Disable SSL 3.0 on the device. | `ssl version ssl3.0 disable` | Optional. By default, SSL 3.0 is enabled. |
| 3. Create an SSL client policy and enter its view. | `ssl client-policy policy-name` | N/A |
| 4. Specify a PKI domain for the SSL client policy. | `pki-domain domain-name` | Optional. No PKI domain is configured by default. After you specify a PKI domain, the SSL client requests a certificate through the PKI domain. If the SSL server requires certificate-based authentication for SSL clients, you must use this command to specify a PKI domain for the client. For more information about PKI domain configuration, see "Configuring PKI." |
| 5. Specify the preferred cipher suite for the SSL client policy. | In non-FIPS mode: `prefer-cipher { rsa_3des_ede_cbc_sha \| rsa_aes_128_cbc_sha \| rsa_aes_256_cbc_sha \| rsa_des_cbc_sha \| rsa_rc4_128_md5 \| rsa_rc4_128_sha }`. In FIPS mode: `prefer-cipher { rsa_aes_128_cbc_sha \| rsa_aes_256_cbc_sha }` | Optional. `rsa_rc4_128_md5` by default. |
| 6. Specify the SSL protocol version for the SSL client policy. | In non-FIPS mode: `version { ssl3.0 \| tls1.0 }`. In FIPS mode: `version tls1.0` | Optional. TLS 1.0 by default. |
| 7. Enable the SSL client to perform certificate-based authentication for the SSL server. | `server-verify enable` | Optional. Enabled by default. |
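The whole procedure carried through for a hardened client policy, as an added example that is not part of the original document: the device name `Device`, the policy name `https-client`, the PKI domain `corp-ca` and the view prompts are assumed, and the `#` lines are annotations rather than commands.

```text
# Added example (not from the original document). Assumed names: sysname Device,
# policy https-client, PKI domain corp-ca. View prompts are illustrative.
<Device> system-view
# Step 2: disable SSL 3.0 device-wide so that no client policy can fall back to it
# (SSL 3.0 is enabled by default).
[Device] ssl version ssl3.0 disable
# Step 3: create the client policy and enter its view.
[Device] ssl client-policy https-client
# Step 4: bind a PKI domain so the client can obtain and present its own certificate
# when the server requires client authentication.
[Device-ssl-client-policy-https-client] pki-domain corp-ca
# Step 5: replace the default rsa_rc4_128_md5 (RC4 cipher, MD5 MAC) with an AES suite;
# rsa_aes_256_cbc_sha is also one of the two suites permitted in FIPS mode.
[Device-ssl-client-policy-https-client] prefer-cipher rsa_aes_256_cbc_sha
# Step 6: TLS 1.0 is already the default, but pin it explicitly so the intent is visible
# in the running configuration.
[Device-ssl-client-policy-https-client] version tls1.0
# Step 7: keep server certificate verification on (the default). Leaving it enabled is
# what lets the client reject a server that cannot present a certificate trusted via the
# PKI domain.
[Device-ssl-client-policy-https-client] server-verify enable
[Device-ssl-client-policy-https-client] quit
```

The policy takes effect only once an application layer protocol on the device is associated with `https-client`, as the introduction notes.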