Displaying And Maintaining Ssl - H3C S5830V2 Security Configuration Manual

To configure an SSL client policy:
Step
1. Enter system view.
2. Create an SSL client policy and
enter its view.
3. (Optional.) Specify a PKI
domain for the SSL client policy.
4. Specify the preferred cipher
suite for the SSL client policy.
5. Specify the SSL version for the
SSL client policy.
6. Enable the SSL client to
authenticate servers through
digital certificates.

Displaying and maintaining SSL

Execute display commands in any view.
Command
system-view
ssl client-policy policy-name
pki-domain domain-name
In non-FIPS mode:
prefer-cipher
{ dhe_rsa_aes_128_cbc_sha |
dhe_rsa_aes_256_cbc_sha |
exp_rsa_des_cbc_sha |
exp_rsa_rc2_md5 |
exp_rsa_rc4_md5 |
rsa_3des_ede_cbc_sha |
rsa_aes_128_cbc_sha |
rsa_aes_256_cbc_sha |
rsa_des_cbc_sha |
rsa_rc4_128_md5 |
rsa_rc4_128_sha }
In FIPS mode:
prefer-cipher
{ dhe_rsa_aes_128_cbc_sha |
dhe_rsa_aes_256_cbc_sha |
rsa_aes_128_cbc_sha |
rsa_aes_256_cbc_sha }
n non-FIPS mode:
version { ssl3.0 | tls1.0 }
In FIPS mode:
version tls1.0
server-verify enable
200
Remarks
N/A
By default, no SSL client policy exists
on the device.
By default, no PKI domain is specified
for an SSL client policy.
If the SSL server authenticates the SSL
client through a digital certificate,
you must use this command to specify
a PKI domain and request a local
certificate for the SSL client through
the PKI domain.
For information about how to create
and configure a PKI domain, see
"Configuring PKI."
In non-FIPS mode, the preferred
cipher suite is rsa_rc4_128_md5 by
default.
In FIPS mode, the preferred cipher
suite is rsa_aes_128_cbc_sha by
default.
By default, an SSL client policy uses
TLS 1.0.
The default setting is enabled.