Table of Contents
Advertisement
•
Key exchange algorithms—Implement secure exchange of the keys used by the symmetric
key algorithm and the MAC algorithm. Commonly used key exchange algorithms are usually
asymmetric key algorithms, such as RSA.
After the SSL server receives a cipher suite from a client, the server matches the received cipher
suite against the cipher suits it supports. If a match is found, the cipher suite negotiation succeeds.
Otherwise, the negotiation fails.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure SSL server policy policy1 to support the following cipher suites:
•
Key exchange algorithm DHE RSA, data encryption algorithm 128-bit AES, and MAC algorithm
SHA.
•
Key exchange algorithm RSA, data encryption algorithm 128-bit AES, and MAC algorithm SHA.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] ciphersuite dhe_rsa_aes_128_cbc_sha
rsa_aes_128_cbc_sha
Related commands
display ssl server-policy
prefer-cipher
client-verify
Use client-verify to enable mandatory or optional SSL client authentication.
Use undo client-verify to restore the default.
Syntax
client-verify { enable | optional }
undo client-verify [ enable ]
Default
SSL client authentication is disabled. The SSL server does not authenticate SSL clients based on
digital certificates.
Views
SSL server policy view
Predefined user roles
network-admin
mdc-admin
Parameters
enable: Enables mandatory SSL client authentication.
optional: Enables optional SSL client authentication.
Usage guidelines
SSL uses digital certificates to authenticate communicating parties. For more information about
digital certificates, see Security Configuration Guide.
Mandatory SSL client authentication—The SSL server requires an SSL client to submit its digital
certificate for identity authentication. The SSL client can access the SSL server only after it passes
identity authentication.
507
Advertisement
Table of Contents
