To do...
Specify the preferred cipher suite
for the SSL client policy
Specify the SSL protocol version for
the SSL client policy
Enable certificate-based SSL server
authentication
NOTE:
If you enable client authentication on the server, you must request a local certificate for the client.
Displaying and maintaining SSL
To do...
Display SSL server policy
information
Display SSL client policy
information
Troubleshooting SSL
SSL handshake failure
Symptom
As the SSL server, the device fails to handshake with the SSL client.
Analysis
SSL handshake failure may result from the following causes:
•
The SSL client is configured to authenticate the SSL server, but the SSL server has no certificate or the
certificate is not trusted.
The SSL server is configured to authenticate the SSL client, but the SSL client has no certificate or the
•
certificate is not trusted.
Use the command...
•
In non-FIPS mode:
prefer-cipher
{ rsa_aes_128_cbc_sha |
rsa_des_cbc_sha |
rsa_rc4_128_md5 |
rsa_rc4_128_sha }
•
In FIPS mode
prefer-cipher
{ dhe_rsa_aes_128_cbc_sha |
rsa_aes_128_cbc_sha }
•
In non-FIPS mode:
version { ssl3.0 | tls1.0 }
•
In FIPS mode
version tls1.0
server-verify enable
Use the command...
display ssl server-policy
{ policy-name | all } [ | { begin |
exclude | include }
regular-expression ]
display ssl client-policy
{ policy-name | all } [ | { begin |
exclude | include }
regular-expression ]
286
Remarks
Optional
rsa_rc4_128_md5 by default
Optional
TLS 1.0 by default
Optional
Enabled by default
Remarks
Available in any view