Configuring an SSL client policy

About SSL client policies

An SSL client policy is a set of SSL parameters used by the device when the device acts as the SSL client. The SSL client uses the settings in the client policy to establish a connection to the server. An SSL client policy takes effect only after it is associated with an application such as FTP. For information about FTP, see Fundamental Configuration Guide.

Restrictions and guidelines

As a best practice to enhance system security, do not specify SSL 3.0 for the SSL client policy.

Procedure

  1. Enter system view.

    system-view

  2. Create an SSL client policy and enter its view.

    ssl client-policy policy-name

  3. Specify a PKI domain for the SSL client policy.

    pki-domain domain-name

    By default, no PKI domain is specified for an SSL client policy.

    If SSL client authentication is required, you must specify a PKI domain and request a local certificate for the SSL client in the PKI domain.

    For information about configuring a PKI domain, see "Configuring PKI."

  4. Specify the preferred cipher suite for the SSL client policy.

    In non-FIPS mode:

    prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_128_cbc_sha256 | dhe_rsa_aes_256_cbc_sha | dhe_rsa_aes_256_cbc_sha256 | ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_256_gcm_sha384 | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha | rsa_aes_256_cbc_sha256 | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }

    The default preferred cipher suite in non-FIPS mode is rsa_rc4_128_md5.

    In FIPS mode:

    prefer-cipher { ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_256_gcm_sha384 | rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha | rsa_aes_256_cbc_sha256 }

    The default preferred cipher suite in FIPS mode is rsa_aes_128_cbc_sha.

  5. Specify the SSL protocol version for the SSL client policy.

    In non-FIPS mode:

    version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 }

    In FIPS mode:

    version { tls1.0 | tls1.1 | tls1.2 }

    By default, an SSL client policy uses TLS 1.0.

  6. Enable the SSL client to authenticate servers through digital certificates.

    server-verify enable

    By default, SSL server authentication is enabled.
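The procedure above leaves several security-relevant settings at their defaults (TLS 1.0 and, in non-FIPS mode, the rsa_rc4_128_md5 suite) and only warns against SSL 3.0. A practitioner reviewing a device's running configuration wants a check that applies those stated defaults to every ssl client-policy block and flags the weak outcomes. The following Python script is an added example, not code from the configuration guide or the device vendor. It assumes the configuration text looks like the device's saved configuration (block names at column 0, settings indented one space, `#` between blocks), assumes the disabled form of server verification appears as `undo server-verify enable`, and treats export-grade, RC4, MD5 and single-DES suites as weak; that classification is the editor's, the guide itself only advises against SSL 3.0. The sample configuration inside the block is constructed for the example.

```python
"""Audit 'ssl client-policy' blocks against the defaults and guidance in the
procedure.  Added example; assumptions are marked in the comments."""
import re

# Defaults stated in the procedure for non-FIPS mode.
DEFAULTS = {"version": "tls1.0", "prefer-cipher": "rsa_rc4_128_md5",
            "server-verify": True}

# Constructed sample configuration (saved-configuration layout assumed).
SAMPLE_CONFIG = """\
#
ssl client-policy legacy
 version ssl3.0
#
ssl client-policy ftp-hardened
 pki-domain ftpclient
 prefer-cipher ecdhe_rsa_aes_256_gcm_sha384
 version tls1.2
#
ssl client-policy default-only
#
ssl client-policy no-verify
 pki-domain lab
 prefer-cipher rsa_aes_128_cbc_sha
 version tls1.2
 undo server-verify enable
#
"""


def is_weak_cipher(suite):
    """Editor's classification: export-grade, RC4, MD5-based or single-DES
    suites from the non-FIPS prefer-cipher list."""
    return (suite.startswith("exp_") or "rc4" in suite
            or suite.endswith("_md5") or suite == "rsa_des_cbc_sha")


def parse_client_policies(config_text):
    """Return {policy-name: effective settings}, applying the stated defaults
    to anything the block does not set explicitly."""
    policies = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line == "#":      # '#' separates configuration blocks
            current = None
            continue
        m = re.match(r"^ssl client-policy (\S+)$", line)
        if m:
            current = dict(DEFAULTS)
            current["pki-domain"] = None  # "no PKI domain" is the default
            policies[m.group(1)] = current
            continue
        if current is None or not line.startswith(" "):
            continue                      # setting of some other block
        words = line.split()
        if words[0] == "pki-domain":
            current["pki-domain"] = words[1]
        elif words[0] == "prefer-cipher":
            current["prefer-cipher"] = words[1]
        elif words[0] == "version":
            current["version"] = words[1]
        elif words[:2] == ["server-verify", "enable"]:
            current["server-verify"] = True
        elif words[:3] == ["undo", "server-verify", "enable"]:  # assumed form
            current["server-verify"] = False
    return policies


def audit(config_text):
    """Return {policy-name: [finding, ...]}; an empty list means no finding."""
    findings = {}
    for name, p in parse_client_policies(config_text).items():
        issues = []
        if p["version"] == "ssl3.0":
            issues.append("version ssl3.0: the guide advises against SSL 3.0")
        if is_weak_cipher(p["prefer-cipher"]):
            origin = "non-FIPS default" if p["prefer-cipher"] == DEFAULTS["prefer-cipher"] else "explicit"
            issues.append(f"prefer-cipher {p['prefer-cipher']} ({origin}): "
                          "export/RC4/MD5/DES suite")
        if not p["server-verify"]:
            issues.append("server-verify disabled: server certificate not validated")
        if p["pki-domain"] is None:
            issues.append("no pki-domain: client certificate authentication unavailable")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

The point of applying the defaults before judging is that a policy block containing nothing but its name (`default-only` in the sample) is not a clean policy: it negotiates with the rsa_rc4_128_md5 preference the procedure names as the non-FIPS default. In FIPS mode the default suite and the version list differ, so a FIPS device would need the `DEFAULTS` table swapped for the FIPS values given in steps 4 and 5.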