HPE FlexFabric 7900 Series Security Configuration Manual page 109

NOTE:
• SSL versions include SSL 2.0, SSL 3.0, and TLS 1.0 (or SSL 3.1). By default, the SSL server can
communicate with clients running SSL 3.0 or TLS 1.0. When the server receives an SSL 2.0
Client Hello message from a client supporting both SSL 2.0 and SSL 3.0/TLS 1.0, it notifies the
client to use SSL 3.0 or TLS 1.0 for communication.
• You can disable SSL 3.0 on the device to enhance system security.
To configure an SSL server policy:
1. Enter system view.
   Command: system-view
   Remarks: N/A

2. (Optional.) Disable SSL 3.0 for the SSL server.
   Command: ssl version ssl3.0 disable
   Remarks: By default, SSL 3.0 is enabled.

3. Create an SSL server policy and enter its view.
   Command: ssl server-policy policy-name
   Remarks: By default, no SSL server policies exist on the device.

4. (Optional.) Specify a PKI domain for the SSL server policy.
   Command: pki-domain domain-name
   Remarks: By default, no PKI domain is specified for an SSL server policy.
   If SSL server authentication is required, you must specify a PKI domain
   and request a local certificate for the SSL server in the domain.
   For information about how to create and configure a PKI domain, see
   "Configuring PKI."

5. Specify the cipher suites that the SSL server policy supports.
   Command:
   In non-FIPS mode:
   ciphersuite { dhe_rsa_aes_128_cbc_sha | exp_rsa_des_cbc_sha |
   exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha |
   rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha |
   rsa_rc4_128_md5 | rsa_rc4_128_sha } *
   In FIPS mode:
   ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha |
   rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha } *
   Remarks: By default, an SSL server policy supports all cipher suites.

6. Set the maximum number of sessions that the SSL server can cache.
   Command: session cachesize size
   Remarks: By default, an SSL server can cache a maximum of 500 sessions.

7. Enable the SSL server to authenticate SSL clients through digital
   certificates.
   Command: client-verify enable
   Remarks: By default, SSL client authentication is disabled.
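
Because the defaults leave SSL 3.0 enabled and every cipher suite allowed, a saved configuration can be checked for both. The following Python check is an added example, not part of the HPE manual: it reports policies left at the all-suites default or listing the export, DES/3DES, RC2, RC4 or MD5 suites from the non-FIPS list. The configuration layout (policy commands indented under `ssl server-policy`) and the policy names are assumptions, and the sample is constructed.

```python
import re

# Name fragments of the non-FIPS suites that use export-grade keys,
# DES/3DES, RC2, RC4 or MD5. None of the FIPS-mode suites match these.
WEAK_MARKERS = ("exp_", "_des_", "_3des_", "_rc2_", "_rc4_", "_md5")

# Constructed sample, not output from a real device. The layout is assumed.
SAMPLE_CONFIG = """\
#
ssl server-policy legacy
 pki-domain dom1
 ciphersuite rsa_aes_128_cbc_sha exp_rsa_rc4_md5 rsa_3des_ede_cbc_sha
#
ssl server-policy mgmt
 pki-domain dom1
 ciphersuite dhe_rsa_aes_128_cbc_sha rsa_aes_256_cbc_sha
 client-verify enable
#
ssl server-policy defaults
 pki-domain dom1
#
"""


def audit(config: str) -> list[str]:
    """Return findings for the global SSL 3.0 setting and each policy."""
    findings = []
    if not re.search(r"^ssl version ssl3\.0 disable\s*$", config, re.M):
        findings.append("global: SSL 3.0 is enabled (default)")
    # A policy block is its header line plus the indented lines that follow.
    block = re.compile(r"^ssl server-policy (\S+)\n((?:[ \t]+.*\n)*)", re.M)
    for m in block.finditer(config):
        name, body = m.group(1), m.group(2)
        suites = [s for line in body.splitlines()
                  if line.strip().startswith("ciphersuite ")
                  for s in line.split()[1:]]
        if not suites:
            findings.append(f"{name}: no ciphersuite command, all suites allowed (default)")
        weak = sorted(s for s in suites if any(k in s for k in WEAK_MARKERS))
        if weak:
            findings.append(f"{name}: weak suites: {', '.join(weak)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```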
