[x]

 > Configuring an SSL client policy

 

 Next

Configuring an SSL client policy

An SSL client policy is a set of SSL parameters that the client uses to establish a connection to the server. An SSL client policy takes effect only after it is associated with an application such as DDNS.

In Release 1111, you can specify the SSL 3.0 or TLS 1.0 for an SSL client policy:

As a best practice to enhance system security, disable SSL 3.0 on the device and specify TLS 1.0 for an SSL client policy.

In Release 1121 and later, the SSL client always uses the SSL protocol version specified for it, whether you disable the SSL protocol version or not.

To configure an SSL client policy:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. (Optional.) Disable SSL session renegotiation.

ssl renegotiation disable

By default, SSL session renegotiation is enabled.

This command is available in Release 1121 and later.

3. Create an SSL client policy and enter its view.

ssl client-policy policy-name

By default, no SSL client policies exist on the device.

4. (Optional.) Specify a PKI domain for the SSL client policy.

pki-domain domain-name

By default, no PKI domain is specified for an SSL client policy.

If SSL client authentication is required, you must specify a PKI domain and request a local certificate for the SSL client in the PKI domain.

For information about how to create and configure a PKI domain, see "Configuring PKI."

5. Specify the preferred cipher suite for the SSL client policy.

In Release 1111:

  • In non-FIPS mode:prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }

  • In FIPS mode:prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha }

In Release 1121 and later:

  • In non-FIPS mode:prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_128_cbc_sha256 | dhe_rsa_aes_256_cbc_sha | dhe_rsa_aes_256_cbc_sha256 | ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_256_gcm_sha384 | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha | rsa_aes_256_cbc_sha256 | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }

  • In FIPS mode:prefer-cipher { ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_256_gcm_sha384 | rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha | rsa_aes_256_cbc_sha256}

  • In non-FIPS mode:The default preferred cipher suite is rsa_rc4_128_md5.

  • In FIPS mode:The default preferred cipher suite is rsa_aes_128_cbc_sha.

6. Specify the SSL protocol version for the SSL client policy.

In Release 1111:

  • In non-FIPS mode:version { ssl3.0 | tls1.0 }

  • In FIPS mode:version tls1.0

In Release 1121 and later:

  • In non-FIPS mode:version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 }

  • In FIPS mode:version { tls1.0 | tls1.1 | tls1.2 }

By default, an SSL client policy uses TLS 1.0.

To ensure security, do not specify SSL 3.0 for an SSL client policy.

7. Enable the SSL client to authenticate servers through digital certificates.

server-verify enable

By default, SSL server authentication is enabled.

prev

 

up

 next

Configuring an SSL server policy 

home

 Displaying and maintaining SSL

© Copyright 2015, 2017 Hewlett Packard Enterprise Development LP