Configuring an SSL Client Policy - HPE FlexFabric 7900 Series Security Configuration Manual

Configuring an SSL client policy

An SSL client policy is a set of SSL parameters that the client uses to establish a connection to the server. An SSL client policy takes effect only after it is associated with an application such as DDNS.

You can specify the SSL version (SSL 3.0 or TLS 1.0) for an SSL client policy:

- If TLS 1.0 is specified and SSL 3.0 is not disabled, the client first uses TLS 1.0 to connect to the SSL server. If the connection attempt fails, the client uses SSL 3.0.
- If TLS 1.0 is specified and SSL 3.0 is disabled, the client only uses TLS 1.0 to connect to the SSL server.
- If SSL 3.0 is specified, the client uses SSL 3.0 to connect to the SSL server, whether you disable SSL 3.0 or not.

As a best practice to enhance system security, disable SSL 3.0 on the device and specify TLS 1.0 for an SSL client policy.
To configure an SSL client policy:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. (Optional.) Disable SSL 3.0 for the SSL server.
    Command: ssl version ssl3.0 disable
    Remarks: By default, SSL 3.0 is enabled.

Step 3. Create an SSL client policy and enter its view.
    Command: ssl client-policy policy-name
    Remarks: By default, no SSL client policies exist on the device.

Step 4. (Optional.) Specify a PKI domain for the SSL client policy.
    Command: pki-domain domain-name
    Remarks: By default, no PKI domain is specified for an SSL client policy. If SSL client authentication is required, you must specify a PKI domain and request a local certificate for the SSL client in the PKI domain. For information about how to create and configure a PKI domain, see "Configuring PKI."

Step 5. Specify the preferred cipher suite for the SSL client policy.
    Command:
        In non-FIPS mode:
        prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }
        In FIPS mode:
        prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha }
    Remarks:
        In non-FIPS mode: The default preferred cipher suite is rsa_rc4_128_md5.
        In FIPS mode: The default preferred cipher suite is rsa_aes_128_cbc_sha.

Step 6. Specify the SSL version for the SSL client policy.
    Command:
        In non-FIPS mode:
        version { ssl3.0 | tls1.0 }
    Remarks: By default, an SSL client policy uses TLS 1.0.
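
The following is an added example, not part of the HPE manual: a Python audit that applies the three version rules and the non-FIPS defaults above to saved configuration text and reports, per client policy, whether SSL 3.0 can still be used and whether the preferred cipher suite is weak. The function names, the indented layout of the sample configuration, and the list of name fragments treated as weak are assumptions of this example.

```python
import re

# Defaults from the manual's Remarks column (non-FIPS mode).
DEFAULTS = {"version": "tls1.0", "prefer-cipher": "rsa_rc4_128_md5"}
# Assumption of this example, not the manual: name fragments treated as weak.
WEAK_TOKENS = ("exp_", "rc2", "rc4", "_des_", "md5")
# Constructed sample; the indented layout under each policy line is assumed.
SAMPLE = """\
ssl version ssl3.0 disable
#
ssl client-policy legacy
 prefer-cipher rsa_rc4_128_md5
 version ssl3.0
#
ssl client-policy ddns
 prefer-cipher dhe_rsa_aes_256_cbc_sha
"""

def parse_config(text):
    """Return (ssl3_disabled, {policy name: {"version", "prefer-cipher"}})."""
    ssl3_disabled = re.search(r"^ssl version ssl3\.0 disable\s*$", text, re.M) is not None
    policies, current = {}, None
    for raw in text.splitlines():
        m = re.fullmatch(r"ssl client-policy (\S+)", raw.strip())
        if m:
            current = policies.setdefault(m.group(1), dict(DEFAULTS))
        elif not raw.startswith(" "):
            current = None  # left the policy view
        elif current is not None:
            m = re.fullmatch(r"(version|prefer-cipher) (\S+)", raw.strip())
            if m:
                current[m.group(1)] = m.group(2)
    return ssl3_disabled, policies

def effective_versions(version, ssl3_disabled):
    """Versions the client may try, in order, per the manual's three rules."""
    if version == "ssl3.0":
        return ["ssl3.0"]  # used whether or not SSL 3.0 is disabled
    return ["tls1.0"] if ssl3_disabled else ["tls1.0", "ssl3.0"]

def audit(text):
    """Map each policy name to its findings; an empty list means none."""
    ssl3_disabled, policies = parse_config(text)
    findings = {}
    for name, p in policies.items():
        ssl3 = "ssl3.0" in effective_versions(p["version"], ssl3_disabled)
        weak = any(t in p["prefer-cipher"] for t in WEAK_TOKENS)
        checks = ((ssl3, "may connect with SSL 3.0"), (weak, "weak preferred cipher " + p["prefer-cipher"]))
        findings[name] = [msg for hit, msg in checks if hit]
    return findings
```

On the sample, the policy that sets version ssl3.0 is flagged even though SSL 3.0 is disabled on the device, and a policy created with no further settings is flagged on both counts because of the non-FIPS defaults.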
