Configuring an SSL server policy
An SSL server policy is a set of SSL parameters used by the SSL server. An SSL server policy takes
effect only after it is associated with an application such as HTTPS.
NOTE:
SSL versions include SSL 2.0, SSL 3.0, and TLS 1.0 (or SSL 3.1). By default, the SSL server can
communicate with clients running SSL 3.0 or TLS 1.0. When the server receives an SSL 2.0 Client
Hello message from a client that supports both SSL 2.0 and SSL 3.0/TLS 1.0, it notifies the client to
use SSL 3.0 or TLS 1.0 for communication.
To configure an SSL server policy:
1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an SSL server policy and enter its view.
   Command: ssl server-policy policy-name
   Remarks: By default, no SSL server policies exist on the device.

3. (Optional.) Specify a PKI domain for the SSL server policy.
   Command: pki-domain domain-name
   Remarks: By default, no PKI domain is specified for an SSL server policy.
   If SSL server authentication is required, you must specify a PKI domain and request a local certificate for the SSL server in the domain.
   For information about how to create and configure a PKI domain, see "Configuring PKI."

4. Specify the cipher suites that the SSL server policy supports.
   Command:
   • In non-FIPS mode:
     ciphersuite { dhe_rsa_aes_128_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } *
   • In FIPS mode:
     ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha } *
   Remarks: By default, an SSL server policy supports all cipher suites.

5. Set the maximum number of sessions that the SSL server can cache and the session cache timeout time.
   Command: session { cachesize size | timeout time }
   Remarks: By default, the SSL server can cache a maximum of 500 sessions, and the session cache timeout time is 3600 seconds.
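Because a policy with no ciphersuite command supports every suite in the non-FIPS list, a saved configuration can be checked for policies left at that default. The script below is an added example, not part of the original manual: it treats the FIPS-mode suite list from step 4 as an allowlist (a choice made for this example), and the stanza layout, policy names, and PKI domain name in the sample are constructed assumptions.

```python
# Added example: audit `ssl server-policy` stanzas in a saved configuration.
# Assumption: each stanza is a header line, indented sub-commands, and a "#"
# separator, as in the constructed SAMPLE below.

# The four suites listed for FIPS mode in step 4, used here as the allowlist.
FIPS_SUITES = {
    "dhe_rsa_aes_128_cbc_sha", "dhe_rsa_aes_256_cbc_sha",
    "rsa_aes_128_cbc_sha", "rsa_aes_256_cbc_sha",
}

# Constructed sample input (hypothetical policy and domain names).
SAMPLE = """\
ssl server-policy legacy
 pki-domain dom1
 ciphersuite rsa_rc4_128_md5 exp_rsa_des_cbc_sha rsa_aes_128_cbc_sha
#
ssl server-policy untouched
 pki-domain dom1
#
ssl server-policy hardened
 pki-domain dom1
 ciphersuite dhe_rsa_aes_128_cbc_sha rsa_aes_256_cbc_sha
 session cachesize 500
#
"""

def audit(config_text):
    """Return {policy_name: [findings]}; an empty list means no finding."""
    findings, has_suites, current = {}, {}, None
    for raw in config_text.splitlines():
        words = raw.split()
        if words[:2] == ["ssl", "server-policy"] and len(words) == 3:
            current = words[2]
            findings[current], has_suites[current] = [], False
        elif current and raw.startswith(" ") and words and words[0] == "ciphersuite":
            has_suites[current] = True
            for suite in words[1:]:
                if suite not in FIPS_SUITES:
                    findings[current].append("non-FIPS suite: " + suite)
        elif not raw.startswith(" "):
            current = None  # "#" or any other top-level line ends the stanza
    for name, seen in has_suites.items():
        if not seen:  # default: the policy supports all cipher suites
            findings[name].append("no ciphersuite line: all suites enabled")
    return findings

if __name__ == "__main__":
    for policy, issues in audit(SAMPLE).items():
        print(policy, "->", issues or "ok")
```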