Displaying and Maintaining SSL 1211
Configuration
Prerequisites
Before configuring an SSL client policy, you must configure a PKI domain. For
details about PKI domain configuration, refer to “Configuring a PKI Domain” on
page 1223.
Configuration Procedure Follow these steps to configure an SSL client policy:
n
If you enable client authentication on the server, you must request a local
certificate for the client.
Displaying and
Maintaining SSL
Troubleshooting SSL
SSL Handshake Failure Symptom
As the SSL server, the device fails to handshake with the SSL client.
Analysis
SSL handshake failure may result from the following causes:
■ No SSL server certificate exists, or the certificate is not trusted.
■ The server is expected to authenticate the client, but the SSL client has no
certificate or the certificate is not trusted.
■ The cipher suites used by the server and the client do not match.
Solution
1 You can issue the debugging ssl command and view the debugging information
to locate the problem:
2 If the SSL server has no certificate, request one for it.
To do… Use the command… Remarks
Enter system view system-view -
Create an SSL client policy
and enter its view
ssl client-policy policy-name Required
Specify a PKI domain for the
SSL client policy
pki-domain domain-name Required
No PKI domain is configured
by default.
Specify the preferred cipher
suite for the SSL client policy
prefer-cipher
{ rsa_aes_128_cbc_sha |
rsa_des_cbc_sha |
rsa_rc4_128_md5 |
rsa_rc4_128_sha }
Optional
rsa_rc4_128_md5 by default
Specify the SSL protocol
version for the SSL client
policy
version { ssl3.0 | tls1.0 } Optional
TLS 1.0 by default
To do… Use the command… Remarks
Display SSL server policy
information
display ssl server-policy { policy-name |
all }
Available in any
view
Display SSL client policy
information
display ssl client-policy { policy-name |
all }
To Next Page
Loading...
