Step 2. Create an SSL client policy and enter its view.
  Command: ssl client-policy policy-name
  Remarks: By default, no SSL client policy exists on the device.

Step 3. (Optional.) Specify a PKI domain for the SSL client policy.
  Command: pki-domain domain-name
  Remarks: By default, no PKI domain is specified for an SSL client policy. If SSL client authentication is required, you must specify a PKI domain and request a local certificate for the SSL client in the PKI domain. For information about how to create and configure a PKI domain, see "Configuring PKI."

Step 4. Specify the preferred cipher suite for the SSL client policy.
  Command:
  • In non-FIPS mode:
    prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }
  • In FIPS mode:
    prefer-cipher { rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha }
  Remarks:
  • In non-FIPS mode: The default preferred cipher suite is rsa_rc4_128_md5.
  • In FIPS mode: The default preferred cipher suite is rsa_aes_128_cbc_sha.

Step 5. Specify the SSL version for the SSL client policy.
  Command:
  • In non-FIPS mode:
    version { ssl3.0 | tls1.0 }
  • In FIPS mode:
    version tls1.0
  Remarks: By default, an SSL client policy uses TLS 1.0.

Step 6. Enable the SSL client to authenticate servers through digital certificates.
  Command: server-verify enable
  Remarks: By default, SSL server authentication is enabled.

Displaying and maintaining SSL

Execute display commands in any view.

Task: Display SSL server policy information.
  Command: display ssl server-policy [ policy-name ]

Task: Display SSL client policy information.
  Command: display ssl client-policy [ policy-name ]
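An added example, not from the original guide: a Python audit of configuration text that uses the SSL client policy commands from the steps above. It treats the page's FIPS-mode suites as the allow-list and applies the page's non-FIPS defaults when a command is absent; the sample configuration, its one-space indentation, the policy and domain names, and the `undo server-verify enable` form are assumptions.

```python
import re

# FIPS-mode suites from the page (allow-list) and its non-FIPS defaults.
FIPS_SUITES = {"rsa_aes_128_cbc_sha", "rsa_aes_256_cbc_sha"}
DEFAULTS = {"prefer-cipher": "rsa_rc4_128_md5", "version": "tls1.0", "server-verify": "enable"}
# Constructed sample (not device output); one-space indent inside a view is assumed.
SAMPLE = """\
ssl client-policy legacy
 prefer-cipher exp_rsa_rc4_md5
 version ssl3.0
 undo server-verify enable
#
ssl client-policy implicit
 pki-domain example-domain
#
ssl client-policy hardened
 prefer-cipher rsa_aes_256_cbc_sha
 server-verify enable
"""

def parse_policies(text):
    """Return {policy name: effective settings}, with defaults filled in."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        start = re.fullmatch(r"ssl client-policy (\S+)", line)
        if start:
            current = policies.setdefault(start.group(1), dict(DEFAULTS))
        elif current is None or not raw.startswith(" "):
            current = None  # unindented line: left the policy view
        elif line == "undo server-verify enable":  # assumed undo form
            current["server-verify"] = "disabled"
        else:
            key, _, value = line.partition(" ")
            if key in DEFAULTS and value:
                current[key] = value
    return policies

def audit(text):  # returns (policy, setting, effective value) per weak setting
    findings = []
    for name, p in sorted(parse_policies(text).items()):
        weak = {"prefer-cipher": p["prefer-cipher"] not in FIPS_SUITES,
                "version": p["version"] == "ssl3.0",
                "server-verify": p["server-verify"] != "enable"}
        findings += [(name, k, p[k]) for k, bad in weak.items() if bad]
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The `implicit` policy is reported even though it sets no cipher, because the non-FIPS default rsa_rc4_128_md5 applies when `prefer-cipher` is not configured.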