HPE FlexNetwork 7500 Series Security Configuration Manual page 246


Step 2. (Optional.) Disable specific SSL protocol versions on the device.
  Command:
    In non-FIPS mode:
    ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable
    In FIPS mode:
    ssl version { tls1.0 | tls1.1 } * disable
  Remarks:
    By default:
    In non-FIPS mode, the device supports SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2.
    In FIPS mode, the device supports TLS 1.0, TLS 1.1, and TLS 1.2.

Step 3. (Optional.) Disable SSL session renegotiation.
  Command:
    ssl renegotiation disable
  Remarks:
    By default, SSL session renegotiation is enabled.

Step 4. Create an SSL server policy and enter its view.
  Command:
    ssl server-policy policy-name
  Remarks:
    By default, no SSL server policies exist on the device.

Step 5. (Optional.) Specify a PKI domain for the SSL server policy.
  Command:
    pki-domain domain-name
  Remarks:
    By default, no PKI domain is specified for an SSL server policy.
    If SSL server authentication is required, you must specify a PKI domain and request a local certificate for the SSL server in the domain.
    For information about how to create and configure a PKI domain, see "Configuring PKI."

Step 6. Specify the cipher suites that the SSL server policy supports.
  Command:
    In non-FIPS mode:
    ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_128_cbc_sha256 |
    dhe_rsa_aes_256_cbc_sha | dhe_rsa_aes_256_cbc_sha256 |
    ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_256_cbc_sha384 |
    ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_gcm_sha384 |
    ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 |
    ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_gcm_sha384 |
    exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 |
    rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha256 |
    rsa_aes_256_cbc_sha | rsa_aes_256_cbc_sha256 | rsa_des_cbc_sha |
    rsa_rc4_128_md5 |
  Remarks:
    By default, an SSL server policy supports all cipher suites.
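
The defaults listed in the Remarks leave legacy protocol versions, renegotiation, and every cipher suite enabled unless steps 2, 3 and 6 are applied. The following audit script is an added example, not part of the HPE manual: it checks a saved configuration for those three settings. It assumes non-FIPS mode and that the saved configuration mirrors the command syntax above, with policy-view lines indented by one space; the function name, the sample text and the weak-suite markers are this example's own.

```python
import re

# Defaults from the Remarks on this page (non-FIPS mode).
DEFAULT_VERSIONS = {"ssl3.0", "tls1.0", "tls1.1", "tls1.2"}
LEGACY_VERSIONS = {"ssl3.0", "tls1.0", "tls1.1"}
# Name fragments of export-grade, RC2/RC4, DES/3DES and MD5 suites (this example's classification).
WEAK_MARKERS = ("exp_", "rc2", "rc4", "des", "md5")

# Constructed sample configurations; the layout is assumed, not captured from a device.
SAMPLE_WEAK = """\
ssl version ssl3.0 disable
ssl server-policy policy1
 pki-domain domain1
 ciphersuite rsa_rc4_128_md5 exp_rsa_des_cbc_sha ecdhe_rsa_aes_128_gcm_sha256
ssl server-policy policy2
"""
SAMPLE_HARDENED = """\
ssl version ssl3.0 tls1.0 tls1.1 disable
ssl renegotiation disable
ssl server-policy policy1
 pki-domain domain1
 ciphersuite ecdhe_rsa_aes_128_gcm_sha256 ecdhe_rsa_aes_256_gcm_sha384
"""

def audit_ssl_config(config_text):
    """Return a list of findings for the SSL server settings in config_text."""
    enabled = set(DEFAULT_VERSIONS)
    reneg_disabled, policies, current = False, {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            current = None  # an unindented line leaves the policy view
        if m := re.fullmatch(r"ssl version (.+) disable", line):
            enabled -= set(m.group(1).split())
        elif line == "ssl renegotiation disable":
            reneg_disabled = True
        elif m := re.fullmatch(r"ssl server-policy (\S+)", line):
            current = m.group(1)
            policies[current] = None  # None: default, all suites supported
        elif current and line.startswith("ciphersuite "):
            policies[current] = line.split()[1:]
    findings = [f"legacy protocol still enabled: {v}" for v in sorted(enabled & LEGACY_VERSIONS)]
    if not reneg_disabled:
        findings.append("SSL session renegotiation is enabled")
    for name, suites in policies.items():
        if suites is None:
            findings.append(f"policy {name}: no ciphersuite set, all suites allowed")
        findings += [f"policy {name}: weak cipher suite {s}"
                     for s in suites or [] if any(k in s for k in WEAK_MARKERS)]
    return findings
```

Calling `audit_ssl_config(SAMPLE_WEAK)` reports the remaining TLS 1.0 and TLS 1.1 support, the enabled renegotiation, the two weak suites in policy1 and the default-all policy2; `SAMPLE_HARDENED` returns no findings.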
