Configuration Prerequisites 
If the SSL server is configured to authenticate the SSL client, the SSL client policy must specify the PKI domain used to obtain the client's certificate. Therefore, before configuring an SSL client policy, you must configure a PKI domain. For details about PKI domain configuration, refer to PKI Configuration in the Security Volume.
Configuration Procedure 
Follow these steps to configure an SSL client policy: 
To do…  Use the command…  Remarks 
Enter system view  system-view  — 
Create an SSL client policy and enter its view  ssl client-policy policy-name  Required
Specify a PKI domain for the SSL client policy  pki-domain domain-name  Required. No PKI domain is configured by default.
Specify the preferred cipher suite for the SSL client policy  prefer-cipher { rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }  Optional. rsa_rc4_128_md5 by default.
Specify the SSL protocol version for the SSL client policy  version { ssl3.0 | tls1.0 }  Optional. TLS 1.0 by default.
 
 
If you enable client authentication on the server, you must request a local certificate for the client. 
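
An added example, not from the original manual: a Python check that reads ssl client-policy views from a saved configuration and reports findings on each policy's effective settings, applying the defaults from the table above when a command is omitted. The configuration layout ('#' separators, one-space indentation), the policy and domain names, and the choice of which settings to flag are assumptions of this example.

```python
import re
# Flagging policy is this example's assumption: RC4 suites are prohibited by
# RFC 7465, rsa_des_cbc_sha uses single DES, SSL 3.0 is deprecated by RFC 7568.
WEAK_CIPHERS = {"rsa_des_cbc_sha", "rsa_rc4_128_md5", "rsa_rc4_128_sha"}
DEFAULT_CIPHER, DEFAULT_VERSION = "rsa_rc4_128_md5", "tls1.0"  # defaults per the table

# Constructed sample; the '#'-separated, one-space-indented layout is assumed.
SAMPLE_CONFIG = """\
#
ssl client-policy legacy
 pki-domain corp
 prefer-cipher rsa_des_cbc_sha
 version ssl3.0
#
ssl client-policy implicit
#
ssl client-policy hardened
 pki-domain corp
 prefer-cipher rsa_aes_128_cbc_sha
"""

def parse_client_policies(text):
    """Return {policy-name: {command: argument}} for each ssl client-policy view."""
    policies, current = {}, None
    for line in text.splitlines():
        m = re.match(r"ssl client-policy (\S+)\s*$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif current is not None and line.startswith(" ") and line.strip():
            cmd, _, arg = line.strip().partition(" ")
            current[cmd] = arg.strip()
        else:
            current = None  # '#' or any unindented line closes the view
    return policies

def audit(text):
    """Return {policy-name: [findings]} based on explicit or default values."""
    report = {}
    for name, cfg in parse_client_policies(text).items():
        findings = []
        if "pki-domain" not in cfg:
            findings.append("no pki-domain")
        cipher = cfg.get("prefer-cipher", DEFAULT_CIPHER)
        if cipher in WEAK_CIPHERS:
            findings.append("weak cipher " + cipher)
        if cfg.get("version", DEFAULT_VERSION) == "ssl3.0":
            findings.append("ssl3.0")
        report[name] = findings
    return report
```

A policy that omits prefer-cipher is reported with the default rsa_rc4_128_md5, so leaving the command out is treated the same as selecting that suite explicitly.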
 
Displaying and Maintaining SSL 
To do…  Use the command…  Remarks 
Display SSL server policy information  display ssl server-policy { policy-name | all }  Available in any view
Display SSL client policy information  display ssl client-policy { policy-name | all }  Available in any view
 
Troubleshooting SSL 
SSL Handshake Failure 
Symptom 
As the SSL server, the device fails to handshake with the SSL client.