To configure an SSL server policy:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create an SSL server policy and enter its view.
  Command: ssl server-policy policy-name
  Remarks: By default, no SSL server policy exists on the device.

Step 3. (Optional.) Specify a PKI domain for the SSL server policy.
  Command: pki-domain domain-name
  Remarks: By default, no PKI domain is specified for an SSL server policy. If SSL clients authenticate the server through a digital certificate, you must use this command to specify a PKI domain and request a local certificate for the SSL server through the PKI domain. For information about how to create and configure a PKI domain, see "Configuring PKI."

Step 4. Specify the cipher suites that the SSL server policy supports.
  Command:
    In non-FIPS mode:
      ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } *
    In FIPS mode:
      ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha } *
  Remarks: By default, an SSL server policy supports all cipher suites.

Step 5. Set the maximum number of sessions that the SSL server can cache.
  Command: session cachesize size
  Remarks: By default, an SSL server can cache 500 sessions at most.

Step 6. Enable the SSL server to authenticate SSL clients through digital certificate.
  Command: client-verify enable
  Remarks: The default setting is disabled.

Configuring an SSL client policy
An SSL client policy comprises a set of SSL parameters that the client uses to establish a connection to the server. An SSL client policy takes effect only after it is associated with an application such as the DDNS.
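For the cipher suite and client authentication steps of the SSL server policy procedure, an added example (not from the original guide) that audits saved configuration text: it flags a policy with no ciphersuite line, since the default supports all cipher suites, and any suite outside the FIPS-mode list. The sample configuration, its layout and the policy names are assumptions constructed for illustration.

```python
import re

# The four suites the page lists for FIPS mode. Every other suite in the
# non-FIPS list relies on DES, 3DES, RC2, RC4, MD5 or export-grade keys.
STRONG = {"dhe_rsa_aes_128_cbc_sha", "dhe_rsa_aes_256_cbc_sha",
          "rsa_aes_128_cbc_sha", "rsa_aes_256_cbc_sha"}

# Constructed sample; the layout (header, indented settings, "#") is assumed.
SAMPLE_CONFIG = """\
ssl server-policy web-default
 pki-domain corp
#
ssl server-policy legacy
 ciphersuite exp_rsa_rc4_md5 rsa_rc4_128_sha rsa_aes_128_cbc_sha
#
ssl server-policy hardened
 ciphersuite dhe_rsa_aes_128_cbc_sha dhe_rsa_aes_256_cbc_sha
 client-verify enable
#
"""

def parse_policies(text):
    """Map each SSL server policy name to the settings (word lists) in its view."""
    policies, current = {}, None
    for line in text.splitlines():
        header = re.fullmatch(r"ssl server-policy (\S+)\s*", line)
        if header:
            current = policies.setdefault(header.group(1), [])
        elif current is not None and line[:1] == " " and line.split():
            current.append(line.split())
        else:
            current = None  # "#" or any unindented line ends the policy view
    return policies

def audit(text):
    """Return {policy: [findings]} for weak or default suites and disabled client-verify."""
    report = {}
    for name, settings in parse_policies(text).items():
        suites = [s for cmd in settings if cmd[0] == "ciphersuite" for s in cmd[1:]]
        findings = []
        if not suites:
            findings.append("no ciphersuite configured: default supports all cipher suites")
        elif set(suites) - STRONG:
            findings.append("weak cipher suites: " + ", ".join(sorted(set(suites) - STRONG)))
        if ["client-verify", "enable"] not in settings:
            findings.append("client-verify is disabled (default)")
        if findings:
            report[name] = findings
    return report
```

Calling `audit(SAMPLE_CONFIG)` reports `web-default` and `legacy` and leaves `hardened` out of the result.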