Configuring an SSL client policy – H3C Technologies H3C S6300 Series Switches User Manual
| Step | Command | Remarks |
|------|---------|---------|
| 7. Enable the SSL server to authenticate SSL clients through digital certificates. | client-verify enable | The default setting is disabled. |
Configuring an SSL client policy
An SSL client policy is a set of SSL parameters that the client uses to establish a connection to the server.
An SSL client policy takes effect only after it is associated with an application such as DDNS.
You can specify the SSL version (SSL 3.0 or TLS 1.0) for an SSL client policy:
• If TLS 1.0 is specified and SSL 3.0 is not disabled, the client first uses TLS 1.0 to connect to the SSL server. If the connection attempt fails, the client uses SSL 3.0.
• If TLS 1.0 is specified and SSL 3.0 is disabled, the client only uses TLS 1.0 to connect to the SSL server.
• If SSL 3.0 is specified, the client uses SSL 3.0 to connect to the SSL server, whether you disable SSL 3.0 or not.
To enhance system security, H3C recommends disabling SSL 3.0 on the device and specifying TLS 1.0 for an SSL client policy.
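The three version rules above can be checked against a saved configuration. The following Python audit is an added example, not part of the H3C manual; the sample configuration is constructed, and the script assumes that the version is set by a `version ssl3.0|tls1.0` line inside the policy block, that sub-commands are indented, and that a policy without a version line uses TLS 1.0.

```python
import re

# Constructed sample configuration (not taken from the manual).
SAMPLE_CONFIG = """\
ssl version ssl3.0 disable
#
ssl client-policy ddns-a
 pki-domain dom1
 version tls1.0
#
ssl client-policy legacy
 version ssl3.0
#
ssl client-policy plain
#
"""

def effective_versions(specified, ssl3_disabled):
    """Ordered list of protocol versions the client may try, per the three rules."""
    if specified == "ssl3.0":
        return ["SSL 3.0"]            # used whether or not SSL 3.0 is disabled
    if ssl3_disabled:
        return ["TLS 1.0"]            # no fallback available
    return ["TLS 1.0", "SSL 3.0"]     # falls back when the TLS 1.0 attempt fails

def audit(config, default_version="tls1.0"):
    """Map each SSL client policy name to its effective version list.

    Assumptions: the version is set by a `version ssl3.0|tls1.0` line inside the
    policy block, sub-commands are indented, and a policy without a version
    line uses default_version.
    """
    ssl3_disabled = bool(re.search(r"^ssl version ssl3\.0 disable\s*$", config, re.M))
    specified, policy = {}, None
    for line in config.splitlines():
        head = re.match(r"ssl client-policy (\S+)\s*$", line)
        ver = re.match(r"\s+version (ssl3\.0|tls1\.0)\s*$", line)
        if head:
            policy = head.group(1)
            specified[policy] = default_version
        elif policy and ver:
            specified[policy] = ver.group(1)
        elif not line.startswith(" "):
            policy = None              # left the policy block
    return {p: effective_versions(v, ssl3_disabled) for p, v in specified.items()}

def ssl3_exposed(config):
    """Names of policies that can still negotiate SSL 3.0."""
    return sorted(p for p, vers in audit(config).items() if "SSL 3.0" in vers)

if __name__ == "__main__":
    for name, versions in audit(SAMPLE_CONFIG).items():
        print(name, "->", " then ".join(versions))
```

A policy that specifies SSL 3.0 is reported even when SSL 3.0 is disabled globally, because the third rule makes the global setting irrelevant for that policy.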
To configure an SSL client policy:
| Step | Command | Remarks |
|------|---------|---------|
| 1. Enter system view. | system-view | N/A |
| 2. (Optional.) Disable SSL 3.0. | ssl version ssl3.0 disable | By default, the device supports SSL 3.0. This command is available in Release 2311P05 and later versions. |
| 3. Create an SSL client policy and enter its view. | ssl client-policy policy-name | By default, no SSL client policies exist on the device. |
| 4. (Optional.) Specify a PKI domain for the SSL client policy. | pki-domain domain-name | By default, no PKI domain is specified for an SSL client policy. If the SSL server authenticates the SSL client through a digital certificate, you must use this command to specify a PKI domain and request a local certificate for the SSL client through the PKI domain. For information about how to create and configure a PKI domain, see " |