SSL configuration task list, Configuring an SSL server policy – H3C Technologies H3C SecPath F1000-E User Manual


SSL configuration task list

Task                                 Remarks
Configuring an SSL server policy     Required
Configuring an SSL client policy     Optional

Configuring an SSL server policy

An SSL server policy is a set of SSL parameters for a server to use when booting up. An SSL server policy takes effect only after it is associated with an application layer protocol such as HTTP.

Before configuring an SSL server policy, configure the PKI domain that the policy will use to obtain a certificate for the SSL server. For more information about PKI domain configuration, see VPN Configuration Guide.

To configure an SSL server policy:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create an SSL server policy and enter its view.
  Command: ssl server-policy policy-name
  Remarks: N/A

Step 3. Specify a PKI domain for the SSL server policy.
  Command: pki-domain domain-name
  Remarks: By default, no PKI domain is specified for an SSL server policy. If the client requires certificate-based authentication for the SSL server, you must use this command to specify a PKI domain for the server and request a local certificate for the server through the PKI domain.

Step 4. Specify the cipher suite(s) for the SSL server policy to support.
  Command (in non-FIPS mode):
    ciphersuite [ dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *
  Command (in FIPS mode):
    prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha }
  Remarks: Optional. By default, an SSL server policy supports all cipher suites. Support for the commands depends on the firewall model. For more information, see the SSL command reference.
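
An added example, not taken from the H3C manual: a Python check that reads saved configuration text and reports each SSL server policy that has no PKI domain, that leaves the default of all cipher suites in place, or that enables a suite missing from the FIPS-mode list above (the DES, 3DES and RC4 suites). The policy names, the PKI domain name and the '#'-separated, indented layout of the sample are constructed assumptions.

```python
# Suite names copied from the page's non-FIPS and FIPS command syntax.
FIPS = {"dhe_rsa_aes_128_cbc_sha", "dhe_rsa_aes_256_cbc_sha",
        "rsa_aes_128_cbc_sha", "rsa_aes_256_cbc_sha"}
NON_FIPS = FIPS | {"rsa_3des_ede_cbc_sha", "rsa_des_cbc_sha",
                   "rsa_rc4_128_md5", "rsa_rc4_128_sha"}
LEGACY = NON_FIPS - FIPS  # the DES, 3DES and RC4 suites

# Constructed sample; the '#'-separated, indented layout is an assumption.
SAMPLE = """\
#
ssl server-policy web-mgmt
 pki-domain corp-ca
 ciphersuite dhe_rsa_aes_128_cbc_sha dhe_rsa_aes_256_cbc_sha rsa_aes_128_cbc_sha
#
ssl server-policy legacy-portal
 pki-domain corp-ca
 ciphersuite rsa_aes_256_cbc_sha rsa_rc4_128_sha rsa_des_cbc_sha
#
ssl server-policy default-only
#
"""

def audit(config_text):
    """Return {policy_name: [findings]} for each ssl server-policy block."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[:2] == ["ssl", "server-policy"] and len(words) == 3:
            current = policies.setdefault(words[2], {"pki": None, "suites": set()})
        elif not raw[0].isspace():      # '#' or another top-level command ends the block
            current = None
        elif current is not None and words[0] == "pki-domain" and len(words) == 2:
            current["pki"] = words[1]
        elif current is not None and words[0] == "ciphersuite":
            current["suites"].update(words[1:])
    report = {}
    for name, p in policies.items():
        found = [] if p["pki"] else ["no pki-domain specified"]
        if not p["suites"]:
            found.append("no ciphersuite restriction: all suites supported by default")
        found += [f"legacy suite enabled: {s}" for s in sorted(p["suites"] & LEGACY)]
        found += [f"unrecognized suite name: {s}" for s in sorted(p["suites"] - NON_FIPS)]
        report[name] = found
    return report

if __name__ == "__main__":
    for policy, findings in audit(SAMPLE).items():
        print(policy, "->", findings or "ok")
```
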