Configuration Prerequisites
If the SSL server is configured to authenticate the SSL client, when configuring the SSL client policy,
you need to specify the PKI domain to be used for obtaining the certificate of the client. Therefore,
before configuring an SSL client policy, you must configure a PKI domain. For details about PKI
domain configuration, refer to PKI Configuration in the Security Volume.
Configuration Procedure
Follow these steps to configure an SSL client policy:
To do...
Enter system view
Create an SSL client policy and
enter its view
Specify a PKI domain for the
SSL client policy
Specify the preferred cipher
suite for the SSL client policy
Specify the SSL protocol
version for the SSL client policy
If you enable client authentication on the server, you must request a local certificate for the client.
Displaying and Maintaining SSL
To do...
Display SSL server policy
information
Display SSL client policy
information
Troubleshooting SSL
SSL Handshake Failure
Symptom
As the SSL server, the device fails to handshake with the SSL client.
Use the command...
system-view
ssl client-policy policy-name
pki-domain domain-name
prefer-cipher
{ rsa_aes_128_cbc_sha |
rsa_des_cbc_sha |
rsa_rc4_128_md5 |
rsa_rc4_128_sha }
version { ssl3.0 | tls1.0 }
Use the command...
display ssl server-policy
{ policy-name | all }
display ssl client-policy
{ policy-name | all }
11-6
Remarks
—
Required
Required
No PKI domain is configured by
default.
Optional
rsa_rc4_128_md5 by default
Optional
TLS 1.0 by default
Remarks
Available in any view