3. Specify a PKI domain for the SSL client policy.
   Command: pki-domain domain-name
   Remarks: Optional. No PKI domain is configured by default.

4. Specify the preferred cipher suite for the SSL client policy.
   Command: prefer-cipher { rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }
   Remarks: Optional. rsa_rc4_128_md5 by default.

5. Specify the SSL protocol version for the SSL client policy.
   Command: version { ssl3.0 | tls1.0 }
   Remarks: Optional. TLS 1.0 by default.

6. Enable certificate-based SSL server authentication.
   Command: server-verify enable
   Remarks: Optional. Enabled by default.
If you enable client authentication on the server, you must request a local certificate for the client.
Displaying and maintaining SSL
Display SSL server policy information
   Command: display ssl server-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.

Display SSL client policy information
   Command: display ssl client-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Troubleshooting SSL
SSL handshake failure
Symptom
As the SSL server, the switch fails to handshake with the SSL client.
Analysis
SSL handshake failure may result from the following causes:
• The SSL client is configured to authenticate the SSL server, but the SSL server has no certificate, or the certificate is not trusted.
• The SSL server is configured to authenticate the SSL client, but the SSL client has no certificate, or the certificate is not trusted.
• The server and the client have no matching cipher suite.
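The following is an added example, not code from the manual or from the switch vendor. It covers both the SSL client policy steps above and the three handshake-failure causes just listed: it parses the documented client-policy commands (pki-domain, prefer-cipher, version, server-verify enable) out of a saved configuration, flags settings a reviewer would want changed (the rsa_rc4_128_md5 default and the ssl3.0 option in particular), and checks whether a given server would refuse the handshake for one of the three listed reasons. The sample configuration is constructed, the "undo server-verify enable" form is assumed from the usual Comware undo convention, the server description is a plain dictionary rather than server-policy syntax, and the weak-suite assessments are the author's, not the manual's.

```python
"""Audit Comware-style SSL client policies and pre-check handshake preconditions."""
import re

# Cipher suites in the order the manual lists them for 'prefer-cipher'.
CIPHER_SUITES = [
    "rsa_3des_ede_cbc_sha", "rsa_aes_128_cbc_sha", "rsa_aes_256_cbc_sha",
    "rsa_des_cbc_sha", "rsa_rc4_128_md5", "rsa_rc4_128_sha",
]
# Suites flagged on review, with the reason (reviewer's assessment, not the manual's).
WEAK_SUITES = {
    "rsa_rc4_128_md5": "RC4 keystream biases and an MD5-based MAC",
    "rsa_rc4_128_sha": "RC4 keystream biases",
    "rsa_des_cbc_sha": "single DES with a 56-bit key",
    "rsa_3des_ede_cbc_sha": "3DES with a 64-bit block (birthday bound on long sessions)",
}
# Defaults stated in the manual: no PKI domain, rsa_rc4_128_md5, TLS 1.0, server-verify on.
DEFAULTS = {"pki-domain": None, "prefer-cipher": "rsa_rc4_128_md5",
            "version": "tls1.0", "server-verify": True}


def parse_client_policies(config_text):
    """Return {policy_name: settings} for every 'ssl client-policy' block in the text."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "#":          # '#' separates views in a saved config
            current = None
            continue
        m = re.match(r"ssl client-policy (\S+)$", line)
        if m:
            current = dict(DEFAULTS)
            policies[m.group(1)] = current
            continue
        if current is None:
            continue
        words = line.split()
        if len(words) == 2 and words[0] in ("pki-domain", "prefer-cipher", "version"):
            current[words[0]] = words[1]
        elif line == "server-verify enable":
            current["server-verify"] = True
        elif line == "undo server-verify enable":   # 'undo' form assumed, not on the page
            current["server-verify"] = False
    return policies


def audit_client_policy(policy):
    """Findings a reviewer would raise for one parsed policy (empty list = nothing to flag)."""
    findings = []
    if policy["version"] == "ssl3.0":
        findings.append("version ssl3.0: SSL 3.0 is obsolete, use tls1.0")
    suite = policy["prefer-cipher"]
    if suite in WEAK_SUITES:
        findings.append(f"prefer-cipher {suite}: {WEAK_SUITES[suite]}")
    if not policy["server-verify"]:
        findings.append("server-verify disabled: the server certificate is never checked")
    elif policy["pki-domain"] is None:
        findings.append("server-verify enabled but no pki-domain: no CA certificate to trust the server with")
    return findings


def handshake_blockers(policy, client_cert, server):
    """Map the three causes from 'Troubleshooting SSL' onto the configuration.

    client_cert: None (no local certificate) or {'trusted_by_server': bool}.
    server: constructed model of the peer, e.g.
        {'cert': None or {'trusted_by_client': bool},
         'client_verify': bool, 'cipher_suites': set of suite names}.
    """
    blockers = []
    cert = server["cert"]
    if policy["server-verify"] and not (cert and cert["trusted_by_client"]):
        blockers.append("client verifies the server, but the server has no trusted certificate")
    if server["client_verify"] and not (client_cert and client_cert["trusted_by_server"]):
        blockers.append("server verifies the client, but the client has no trusted certificate")
    # Assumption: the client offers every listed suite, the preferred one first.
    preferred = policy["prefer-cipher"]
    offered = [preferred] + [s for s in CIPHER_SUITES if s != preferred]
    if not any(s in server["cipher_suites"] for s in offered):
        blockers.append("no cipher suite common to client and server")
    return blockers


# Constructed sample of a saved configuration with two client policies.
SAMPLE_CONFIG = """\
#
ssl client-policy legacy
 version ssl3.0
 undo server-verify enable
#
ssl client-policy hardened
 pki-domain corp-ca
 prefer-cipher rsa_aes_256_cbc_sha
 version tls1.0
 server-verify enable
#
"""

if __name__ == "__main__":
    for name, policy in parse_client_policies(SAMPLE_CONFIG).items():
        print(name, audit_client_policy(policy) or "no findings")
```

Running the script prints three findings for the "legacy" policy (SSL 3.0, the RC4/MD5 default suite, server verification off) and none for "hardened". The handshake_blockers function is the pre-deployment counterpart of the display ssl client-policy command: feed it what you know about the peer and it names which of the three documented causes would apply before the switch ever attempts the connection.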