Configuring an SSL server policy

1. Enter system view.

system-view

N/A

2. Create an SSL server policy and enter its view.

ssl server-policy policy-name

N/A

3. Specify a PKI domain for the SSL server policy.

pki-domain domain-name

Optional.

By default, no PKI domain is specified for an SSL server policy. The SSL server generates and signs a certificate for itself and does not obtain a certificate from a CA server.

If SSL server authentication is required, you must specify a PKI domain and request a local certificate for the SSL server in the domain.

For information about how to configure a PKI domain, see "Configuring PKI."

4. Specify the cipher suites that the SSL server policy supports.

• In non-FIPS mode:ciphersuite [ rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *

• In FIPS mode:ciphersuite [ rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha ] *

Optional.

By default, an SSL server policy supports all cipher suites.

5. Set the handshake timeout time for the SSL server.

handshake timeout time

Optional.

The default handshake timeout time is 3600 seconds.

6. Set the SSL connection close mode.

close-mode wait

Optional.

By default, the SSL server sends a close-notify alert message to the client and closes the connection without waiting for the close-notify alert message from the client.

7. Set the maximum number of cached sessions and the caching timeout time.

session { cachesize size | timeout time } *

Optional.

The defaults are as follows:

• 500 for the maximum number of cached sessions.

• 3600 seconds for the caching timeout time.

8. Configure the server to require certificate-based SSL client authentication.

client-verify enable

Optional.

By default, SSL client authentication is disabled.

9. Enable SSL client weak authentication.

client-verify weaken

Optional.

SSL client weak authentication is disabled by default.

This command takes effect only when the client-verify enable command is configured.