[x]

 > Configuring an SSL server policy

 

 Next

Configuring an SSL server policy

An SSL server policy is a set of SSL parameters used by the SSL server. An SSL server policy takes effect only after it is associated with an application such as HTTPS.

SSL protocol versions include SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2. By default:

You can disable specific SSL protocol versions on the device to enhance system security.

To configure an SSL server policy:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. (Optional.) Disable specific SSL protocol versions on the device.

In Release 1111:ssl version ssl3.0 disable

In Release 1121 and later:

  • In non-FIPS mode:ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable

  • In FIPS mode:ssl version { tls1.0 | tls1.1 } * disable

In Release 1111, SSL 3.0 is enabled on the device by default.

In Release 1121 and later, the default setting is as follows:

  • In non-FIPS mode, the device supports SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2.

  • In FIPS mode, the device supports TLS 1.0, TLS 1.1, and TLS 1.2.

3. (Optional.) Disable SSL session renegotiation.

ssl renegotiation disable

By default, SSL session renegotiation is enabled.

This command is available in Release 1121 and later.

4. Create an SSL server policy and enter its view.

ssl server-policy policy-name

By default, no SSL server policies exist on the device.

5. (Optional.) Specify a PKI domain for the SSL server policy.

pki-domain domain-name

By default, no PKI domain is specified for an SSL server policy.

If SSL server authentication is required, you must specify a PKI domain and request a local certificate for the SSL server in the domain.

For information about how to create and configure a PKI domain, see "Configuring PKI."

6. Specify the cipher suites that the SSL server policy supports.

In Release 1111:

  • In non-FIPS mode:ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } *

  • In FIPS mode:ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha } *

In Release 1121 and later:

  • In non-FIPS mode:ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_128_cbc_sha256 | dhe_rsa_aes_256_cbc_sha | dhe_rsa_aes_256_cbc_sha256 | ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_256_gcm_sha384 | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha | rsa_aes_256_cbc_sha256 | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } *

  • In FIPS mode:ciphersuite { ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_256_gcm_sha384 | rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha | rsa_aes_256_cbc_sha256} *

By default, an SSL server policy supports all cipher suites.

7. Set the maximum number of sessions that the SSL server can cache.

session cachesize size

By default, an SSL server can cache a maximum of 500 sessions.

8. Enable the SSL server to authenticate SSL clients through digital certificates.

client-verify enable

By default, SSL client authentication is disabled.

prev

 

up

 next

SSL configuration task list 

home

 Configuring an SSL client policy

© Copyright 2015, 2017 Hewlett Packard Enterprise Development LP