4-19
Cisco Content Services Switch SSL Configuration Guide
OL-5655-01
Chapter 4 Configuring SSL Termination
Configuring Virtual SSL Servers for an SSL Proxy List
Assigning a CRL Record to the Virtual SSL Server
After you configure the CRL record, you can assign it to the virtual SSL server.
To assign the CRL record to the virtual SSL server, use the ssl-server number crl
command. You can assign only one CRL record to a virtual SSL server. For
example, to assign the mycrl CRL record, enter:
(config-ssl-proxy-list[ssl_list1])# ssl-server 20 crl mycrl
To remove the mycrl CRL record from a virtual SSL server, enter:
(config-ssl-proxy-list[ssl_list1])# no ssl-server 20 crl mycrl
Handling Client Authentication Failures
A client certificate can fail if it is invalid, expired, or revoked by a CA. By default,
when authentication of a client certificate fails on the CSS, the CSS rejects the
client connection.
Note If a CSS cannot download the CRL, client connections will fail using a Revoked
SSL alert. To verify that the CRL has successfully loaded, use the show ssl
statistics ssl command.
You can configure how the CSS handles a failed client certificate through the
ssl-server number failure command and the following options:
• ignore - The CSS ignores client authentication failures and allows both
invalid and valid certificates to connect. For example, to configure the CSS to
ignore client authentication failures, enter:
(config-ssl-proxy-list[ssl_list1])# ssl-server 20 failure ignore
Note If you configure the ignore option, it may create a security risk.
• reject - Restores the CSS default behavior of rejecting the client connection
when client authentication fails. For example, enter:
(config-ssl-proxy-list[ssl_list1])# ssl-server 20 failure reject
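As an added example (not part of this guide or of Cisco's tooling), the following Python script audits an ssl-proxy-list configuration for the two settings this section describes: it flags any virtual SSL server configured with failure ignore and any server with no CRL record assigned. The configuration text is constructed to match the command syntax shown above; the script assumes client authentication is in use on every listed virtual server, so a missing CRL record is treated as a finding.

```python
import re

# Constructed sample of ssl-proxy-list configuration text, modelled on the
# ssl-server commands shown in this section (not captured from a real CSS).
SAMPLE_CONFIG = """\
ssl-proxy-list ssl_list1
  ssl-server 10
  ssl-server 10 crl mycrl
  ssl-server 10 failure reject
  ssl-server 20
  ssl-server 20 failure ignore
  ssl-server 30
  ssl-server 30 crl mycrl
  active
"""

# Matches "ssl-server <number> [keyword [value]]", e.g. "ssl-server 20 crl mycrl".
SSL_SERVER_RE = re.compile(r"^\s*ssl-server\s+(\d+)(?:\s+(\S+)(?:\s+(\S+))?)?\s*$")


def audit_ssl_proxy_list(config_text):
    """Return {server_number: [findings]} for client-authentication weaknesses.

    Findings reported:
      - 'failure ignore': invalid, expired or revoked client certificates are accepted
      - 'no crl record': revocation is never checked for this virtual server
        (assumption: client authentication is enabled on every listed server)
    """
    servers = {}
    for line in config_text.splitlines():
        m = SSL_SERVER_RE.match(line)
        if not m:
            continue
        num, keyword, value = m.group(1), m.group(2), m.group(3)
        # Default per the guide: no CRL assigned, failed client certs rejected.
        entry = servers.setdefault(num, {"crl": None, "failure": "reject"})
        if keyword == "crl":
            entry["crl"] = value
        elif keyword == "failure":
            entry["failure"] = value or "reject"

    findings = {}
    for num, entry in servers.items():
        problems = []
        if entry["failure"] == "ignore":
            problems.append("failure ignore")
        if entry["crl"] is None:
            problems.append("no crl record")
        if problems:
            findings[num] = problems
    return findings


if __name__ == "__main__":
    for num, problems in sorted(audit_ssl_proxy_list(SAMPLE_CONFIG).items()):
        print(f"ssl-server {num}: {', '.join(problems)}")
```

Run against the sample, only ssl-server 20 is reported, since servers 10 and 30 both have the mycrl record assigned and reject failed client certificates.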