395
1. Enter system view.
system-view
N/A
2. (Optional.)
Disable specific
SSL protocol versions on the
device.
In Release 1111:
ssl version ssl3.0 disable
In Release 1121 and later:
• In non-FIPS mode:
ssl version { ssl3.0 | tls1.0 |
tls1.1 } * disable
• In FIPS mode:
ssl version { tls1.0 | tls1.1 } *
disable
In Release 1111, SSL 3.0 is
enabled on the device by
default.
In Release 1121 and later, the
default setting is as follows:
• In non-FIPS mode, the
device supports SSL 3.0,
TLS 1.0, TLS 1.1
TLS 1.2.
• In FIPS mode, the device
supports TLS 1.0, TLS
1.1, and TLS 1.2.
3. (Optional.)
session renegotiation.
ssl renegotiation disable
renegotiation is enabled.
This command is available in
Release 1121 and later.
4.
Create an SSL server policy
and enter its view.
ssl server-policy
policy-name
B
policies exist on the device.
5. (Optional.) Specify a PKI
domain for the
policy.
pki-domain
domain-name
By default, no PKI domain is
specified for an SSL server
policy.
If SSL server authentication is
required
, you must specify a
PKI domain and request a
local certificate for the SSL
server in the domain.
For information about how to
create and configure a PKI
domain, see "Configuring PKI."
6. Specify the cipher suites that
the SSL server policy supports.
In Release 1111:
• In non-FIPS mode:
ciphersuite
{ dhe_rsa_aes_128_cbc_sh
a |
dhe_rsa_aes_256_cbc_sha
| exp_rsa_des_cbc_sha |
exp_rsa_rc2_md5 |
exp_rsa_rc4_md5 |
rsa_3des_ede_cbc_sha |
rsa_aes_128_cbc_sha |
rsa_aes_256_cbc_sha |
rsa_des_cbc_sha |
rsa_rc4_128_md5 |
rsa_rc4_128_sha } *
• In FIPS mode:
ciphersuite
{ dhe_rsa_aes_128_cbc_sh
a |
dhe_rsa_aes_256_cbc_sha
| rsa_aes_128_cbc_sha |
rsa_aes_256_cbc_sha } *
In Release 1121 and later:
• In non-FIPS mode:
ciphersuite
By default, a
n SSL server
policy supports all cipher
suites.
To Next Page
Loading...
