To do… Use the command… Remarks

Specify the preferred cipher suite for the SSL client policy
  In non-FIPS mode:
    prefer-cipher { rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }
  In FIPS mode:
    prefer-cipher { dhe_rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha }
  Optional. rsa_rc4_128_md5 by default.

Specify the SSL protocol version for the SSL client policy
  In non-FIPS mode:
    version { ssl3.0 | tls1.0 }
  In FIPS mode:
    version tls1.0
  Optional. TLS 1.0 by default.

Enable certificate-based SSL server authentication
  server-verify enable
  Optional. Enabled by default.
NOTE:
If you enable client authentication on the server, you must request a local certificate for the client.
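The following is an added example, not taken from the original guide, that puts the client-policy steps of this section together in one session. It assumes a policy named policy1 and a PKI domain named client-domain that was created in the earlier PKI steps of this guide (the pki-domain command and the certificate request are not on this page and are assumed here). The non-FIPS defaults are weak: rsa_rc4_128_md5 relies on RC4 and MD5, and ssl3.0 is an obsolete protocol version, so the example selects rsa_aes_128_cbc_sha and tls1.0, the only choices that FIPS mode also accepts, and leaves server certificate verification on. The same policy therefore works unchanged whether or not the device is in FIPS mode.

```text
# Added example: SSL client policy using the FIPS-compatible cipher and TLS 1.0
# (policy name "policy1" and PKI domain "client-domain" are assumptions)
<Sysname> system-view
[Sysname] ssl client-policy policy1
# PKI domain holding the client's local certificate and the CA certificate
# used to verify the server (configured in earlier steps, not shown here)
[Sysname-ssl-client-policy-policy1] pki-domain client-domain
# Replace the default rsa_rc4_128_md5 with an AES suite accepted in both modes
[Sysname-ssl-client-policy-policy1] prefer-cipher rsa_aes_128_cbc_sha
# Do not offer SSL 3.0; TLS 1.0 is also the only version allowed in FIPS mode
[Sysname-ssl-client-policy-policy1] version tls1.0
# Keep certificate-based server authentication on (this is the default)
[Sysname-ssl-client-policy-policy1] server-verify enable
[Sysname-ssl-client-policy-policy1] quit
# Confirm that the policy holds the intended cipher, version and verify setting
[Sysname] display ssl client-policy policy1
```

If the server it connects to also authenticates clients, the local certificate in client-domain must already have been requested before the first connection, as the NOTE above states; without it the handshake fails for the second cause listed under Troubleshooting SSL.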
Displaying and maintaining SSL

To do… Use the command… Remarks

Display SSL server policy information
  display ssl server-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
  Available in any view

Display SSL client policy information
  display ssl client-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
  Available in any view
Troubleshooting SSL
SSL handshake failure
Symptom
The device, acting as the SSL server, fails to complete the handshake with the SSL client.
Analysis
SSL handshake failure may result from the following causes:
• The SSL client is configured to authenticate the SSL server, but the SSL server has no certificate or the
certificate is not trusted.
• The SSL server is configured to authenticate the SSL client, but the SSL client has no certificate or the
certificate is not trusted.