Step Command Remarks
rsa_rc4_128_md5 | rsa_rc4_128_sha } *
•  In FIPS mode:
   ciphersuite { ecdhe_ecdsa_aes_128_cbc_sha256 |
   ecdhe_ecdsa_aes_256_cbc_sha384 |
   ecdhe_ecdsa_aes_128_gcm_sha256 |
   ecdhe_ecdsa_aes_256_gcm_sha384 |
   ecdhe_rsa_aes_128_cbc_sha256 |
   ecdhe_rsa_aes_128_gcm_sha256 |
   ecdhe_rsa_aes_256_cbc_sha384 |
   ecdhe_rsa_aes_256_gcm_sha384 |
   rsa_aes_128_cbc_sha |
   rsa_aes_128_cbc_sha256 |
   rsa_aes_256_cbc_sha |
   rsa_aes_256_cbc_sha256 } *

7.  Set the maximum number of sessions that the SSL server can cache and the session cache timeout time.
    Command: session { cachesize size | timeout time }
    Remarks: By default, the SSL server can cache a maximum of 500 sessions, and the session cache timeout time is 3600 seconds.

8.  (Optional.) Enable mandatory or optional SSL client authentication.
    Command: client-verify { enable | optional }
    Remarks: By default, SSL client authentication is disabled. The SSL server does not perform digital certificate-based authentication on SSL clients.
    When authenticating a client by using the digital certificate, the SSL server verifies the certificate chain presented by the client. It also verifies that the certificates in the certificate chain (except the root CA certificate) are not revoked.
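
An added example (not part of the original guide and not vendor code): a short Python check that audits SSL server policy command lines against the defaults and the FIPS-mode cipher suite list given in the table above. It assumes the input lines mirror the command syntax shown there; treating the FIPS-mode list as an allowlist is this example's choice, and `audit_policy` and the sample lines are constructed for illustration.

```python
# Added example, not vendor code. Assumption: lines mirror the table's command syntax.

# FIPS-mode cipher suites, copied from the ciphersuite command on this page.
FIPS_SUITES = {
    "ecdhe_ecdsa_aes_128_cbc_sha256", "ecdhe_ecdsa_aes_256_cbc_sha384",
    "ecdhe_ecdsa_aes_128_gcm_sha256", "ecdhe_ecdsa_aes_256_gcm_sha384",
    "ecdhe_rsa_aes_128_cbc_sha256", "ecdhe_rsa_aes_128_gcm_sha256",
    "ecdhe_rsa_aes_256_cbc_sha384", "ecdhe_rsa_aes_256_gcm_sha384",
    "rsa_aes_128_cbc_sha", "rsa_aes_128_cbc_sha256",
    "rsa_aes_256_cbc_sha", "rsa_aes_256_cbc_sha256",
}

def audit_policy(lines):
    """Return (effective settings, findings) for one policy's command lines."""
    # Defaults as stated in the Remarks column.
    eff = {"cachesize": 500, "timeout": 3600, "client_verify": "disabled", "suites": []}
    findings = []
    for raw in lines:
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "ciphersuite":
            eff["suites"] = tok[1:]
            findings += [f"cipher suite outside FIPS-mode list: {s}"
                         for s in tok[1:] if s not in FIPS_SUITES]
        elif tok[0] == "session":
            # Keyword/value pairs: cachesize <size> and/or timeout <time>.
            for key, val in zip(tok[1::2], tok[2::2]):
                if key in ("cachesize", "timeout") and val.isdigit():
                    eff[key] = int(val)
                else:
                    findings.append(f"unparsed session option: {key} {val}")
        elif tok[0] == "client-verify" and tok[1:] in (["enable"], ["optional"]):
            eff["client_verify"] = tok[1]
    if eff["client_verify"] == "disabled":
        findings.append("client-verify not set: clients are not certificate-authenticated")
    elif eff["client_verify"] == "optional":
        findings.append("client-verify optional: client authentication is not mandatory")
    return eff, findings

# Constructed sample input (not taken from a real device).
SAMPLE = [
    "ciphersuite rsa_rc4_128_md5 ecdhe_rsa_aes_256_gcm_sha384",
    "session timeout 1800",
]

if __name__ == "__main__":
    for issue in audit_policy(SAMPLE)[1]:
        print("FINDING:", issue)
```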
 
Configuring an SSL client policy 
An SSL client policy is a set of SSL parameters that the client uses to establish a connection to the 
server. An SSL client policy takes effect only after it is associated with an application such as FTP. 
For information about FTP, see Fundamentals Configuration Guide. 
To configure an SSL client policy: 
 
Step Command Remarks
1.  Enter system view.
    Command: system-view
    Remarks: N/A

2.  (Optional.) Disable SSL session renegotiation for the SSL client.
    Command: ssl renegotiation disable
    Remarks: By default, SSL session renegotiation is enabled.