420
Figure 119 SSL protocol stack
The following describes the major functions of SSL protocols:
• SSL record protocol—Fragments data received from the upper layer, computes and adds
MAC to the data, and encrypts the data.
• SSL handshake protocol—Negotiates the cipher suite used for secure communication,
authenticates the server and client, and securely exchanges the keys between the server and
client. The cipher suite that needs to be negotiated includes the symmetric encryption algorithm,
key exchange algorithm, and MAC algorithm.
• SSL change cipher spec protocol—Notifies the receiver that subsequent packets are to be
protected based on the negotiated cipher suite and key.
• SSL alert protocol—Sends alert messages to the receiving party. An alert message contains
the alert severity level and a description.
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for
features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and
non-FIPS mode.
SSL configuration task list
Tasks at a glance Remarks
Configuring an SSL server policy Perform this configuration task on the SSL server.
Configuring an SSL client policy Perform this configuration task on the SSL client.
Configuring an SSL server policy
An SSL server policy is a set of SSL parameters used by the SSL server. An SSL server policy takes
effect only after it is associated with an application such as HTTPS.
SSL protocol versions include SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2. By default, the SSL
server can communicate with clients running all SSL protocol versions. When the server receives an
SSL 2.0 Client Hello message from a client, it notifies the client to use a later version for
communication.
To enhance system security, you can disable specific SSL protocol versions so the SSL server
cannot use them for session negotiation.
To configure an SSL server policy:
Step Command Remarks
1. Enter system view.
system-view
N/A
To Next Page
Loading...
Need help?
General