423
Step Command Remarks
3. Create an SSL client policy and
enter its view.
ssl client-policy
policy-name
By default, no SSL client policies
exist.
4. (Optional.) Specify a PKI
domain for the SSL client
policy.
pki-domain
domain-name
By default, no PKI domain is
specified for an SSL client policy.
If SSL client authentication is
required, you must specify a PKI
domain and request a local
certificate for the SSL client in
the PKI domain.
For information about
configuring a PKI domain, see
"Configuring PKI."
5. Specify the preferred cipher
suite for the SSL client policy.
• In non-FIPS mode:
prefer-cipher
{ dhe_rsa_aes_128_cbc_s
ha |
dhe_rsa_aes_128_cbc_sh
a256 |
dhe_rsa_aes_256_cbc_sh
a |
dhe_rsa_aes_256_cbc_sh
a256 |
ecdhe_ecdsa_aes_128_c
bc_sha256 |
ecdhe_ecdsa_aes_128_g
cm_sha256 |
ecdhe_ecdsa_aes_256_c
bc_sha384 |
ecdhe_ecdsa_aes_256_g
cm_sha384 |
ecdhe_rsa_aes_128_cbc_
sha256 |
ecdhe_rsa_aes_128_gcm
_sha256 |
ecdhe_rsa_aes_256_cbc_
sha384 |
ecdhe_rsa_aes_256_gcm
_sha384 |
exp_rsa_des_cbc_sha |
exp_rsa_rc2_md5 |
exp_rsa_rc4_md5 |
rsa_3des_ede_cbc_sha |
rsa_aes_128_cbc_sha |
rsa_aes_128_cbc_sha256
| rsa_aes_256_cbc_sha |
rsa_aes_256_cbc_sha256
| rsa_des_cbc_sha |
rsa_rc4_128_md5 |
rsa_rc4_128_sha }
• In FIPS mode:
prefer-cipher
{ ecdhe_ecdsa_aes_128_
cbc_sha256 |
ecdhe_ecdsa_aes_128_g
cm_sha256 |
ecdhe_ecdsa_aes_256_c
bc_sha384 |
ecdhe_ecdsa_aes_256_g
cm_sha384 |
ecdhe_rsa_aes_128_cbc_
sha256 |
• In non-FIPS mode:
The default preferred cipher
suite is rs
a_rc4_128_md5.
• In FIPS mode:
The default preferred cipher
suite is
sa_aes_128_cbc_sha.
To Next Page
Loading...
Need help?
General