Configuring an SSL server policy
About SSL server policies
An SSL server policy is a set of SSL parameters used by the device when the device acts as the SSL server. An SSL server policy takes effect only after it is associated with an application such as HTTPS.
Procedure
Enter system view.
system-view
Create an SSL server policy and enter its view.
ssl server-policy policy-name
Specify a PKI domain for the SSL server policy.
pki-domain domain-name
By default, no PKI domain is specified for an SSL server policy.
If the SSL server must be authenticated by its clients (the normal case for HTTPS, where the browser validates the server certificate), you must specify a PKI domain and request a local certificate for the SSL server in that domain. The server presents this certificate to clients during the SSL handshake; without it the policy cannot complete a handshake with any client that expects server authentication.
For information about configuring a PKI domain, see "Configuring PKI."
Specify the cipher suites that the SSL server policy supports.
In non-FIPS mode:
ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_128_cbc_sha256 | dhe_rsa_aes_256_cbc_sha | dhe_rsa_aes_256_cbc_sha256 | ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_256_gcm_sha384 | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha | rsa_aes_256_cbc_sha256 | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } *
In FIPS mode:
ciphersuite { ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_256_gcm_sha384 | rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha | rsa_aes_256_cbc_sha256 } *
By default, an SSL server policy supports all cipher suites. In non-FIPS mode this default includes export-grade (exp_*), DES, 3DES, RC4, and MD5-based suites, which are obsolete and known to be weak; a hardened policy should list only the ECDHE AES-GCM suites (adding the AES-CBC SHA-256/SHA-384 variants only if a client population requires them), so that the policy supports nothing else. Note that the key type of the local certificate in the PKI domain must match the suites you select: ecdhe_ecdsa_* suites require an ECDSA certificate, ecdhe_rsa_* and rsa_* suites require an RSA certificate.
(Optional.) Set the maximum number of sessions that the SSL server can cache and the session cache timeout time.
session { cachesize size | timeout time } *
By default, the SSL server can cache a maximum of 500 sessions, and the session cache timeout time is 3600 seconds.
Enable mandatory or optional SSL client authentication.
client-verify { enable | optional }
By default, SSL client authentication is disabled: the SSL server does not perform digital certificate-based authentication on SSL clients. With client-verify enable, a client that does not present a valid certificate is rejected; with client-verify optional, the server requests a client certificate but still accepts clients that do not present one, so optional mode provides no access control by itself.
When authenticating a client by digital certificate, the SSL server verifies the certificate chain presented by the client. It also verifies that the certificates in the certificate chain (except the root CA certificate) are not revoked.
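The following is an added worked example, not configuration from the original page: it carries the procedure above through end to end and places a policy that keeps the weak defaults beside a hardened one. The policy names (web-default, web-hardened) and the PKI domain name (webca) are assumed for illustration; lines beginning with # are annotations, not CLI input. The PKI domain webca is assumed to already hold an RSA local certificate for the server (see "Configuring PKI").

```text
# --- Added example (not from the original page). Names are assumed. ---
system-view

# Weak variant: relies on the defaults. No ciphersuite command is entered, so in
# non-FIPS mode the policy still offers the exp_*, DES, 3DES, RC4 and MD5 suites,
# and no client certificate is ever requested.
ssl server-policy web-default
 pki-domain webca
 quit

# Hardened variant: same PKI domain, but only ECDHE AES-GCM suites are offered
# (this list is valid in both non-FIPS and FIPS mode), the session cache is
# shortened, and clients must present a certificate that chains to the CA in
# the PKI domain and is not revoked.
ssl server-policy web-hardened
 pki-domain webca
 ciphersuite ecdhe_rsa_aes_128_gcm_sha256 ecdhe_rsa_aes_256_gcm_sha384
 session cachesize 200 timeout 1800
 client-verify enable
 quit
```

The hardened policy lists only ecdhe_rsa_* suites because the assumed local certificate in webca is an RSA certificate; if the domain held an ECDSA certificate, the ecdhe_ecdsa_aes_128_gcm_sha256 and ecdhe_ecdsa_aes_256_gcm_sha384 suites would be the matching choice. Neither policy does anything until it is associated with an application such as HTTPS, which is configured under that application and is outside the scope of this section.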