Ssl server policy configuration example, Network requirements – H3C Technologies H3C SecPath F1000-E User Manual
Step / Command / Remarks

Step 5. Set the handshake timeout time for the SSL server.
    Command: handshake timeout time
    Remarks: Optional. 3600 seconds by default.

Step 6. Set the SSL connection close mode.
    Command: close-mode wait
    Remarks: Optional. By default, the server does not wait.

Step 7. Set the maximum number of cached sessions and the caching timeout time.
    Command: session { cachesize size | timeout time } *
    Remarks: Optional. The defaults are 500 for the maximum number of cached sessions and 3600 seconds for the caching timeout time.

Step 8. Enable the SSL server to perform digital certificate-based authentication for SSL clients.
    Command: client-verify enable
    Remarks: Optional. By default, the SSL server does not require clients to be authenticated.

Step 9. Enable SSL client weak authentication.
    Command: client-verify weaken
    Remarks: Optional. Disabled by default. This command takes effect only when the client-verify enable command is configured.
NOTE:
SSL mainly comes in these versions: SSL 2.0, SSL 3.0, and TLS 1.0 (TLS 1.0 corresponds to SSL 3.1). When the device acts as an SSL server, it can communicate with clients running SSL 3.0 or TLS 1.0. It also recognizes the SSL 2.0 Client Hello message sent by a client that supports both SSL 2.0 and SSL 3.0/TLS 1.0, and notifies that client to use SSL 3.0 or TLS 1.0 to communicate with the server. In FIPS mode, only TLS 1.0 is supported.
SSL server policy configuration example
Network requirements
As shown in the figure, users need to access and control the device through web pages.
For the security of the device, and to make sure that data is neither eavesdropped on nor tampered with, configure the device so that users must use HTTPS (Hypertext Transfer Protocol Secure, which runs over SSL) to log in to the web interface of the device.
NOTE:
• In this example, Windows Server works as the CA server and the Simple Certificate Enrollment Protocol (SCEP) plug-in is installed on the CA server.
• Before performing the following configurations, make sure that SecPath, the host, and the CA server have IP connectivity between each other.
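The following is an added configuration example; it is not taken from this manual. It carries steps 5 through 9 of the SSL server policy procedure above through on a SecPath and then binds the resulting policy to the web interface, which is what the network requirements above call for. The policy name myssl, the PKI domain name 1, the timer and cache values, and the commands that do not appear in the table on this page (system-view, ssl server-policy, pki-domain, ip https ssl-server-policy, ip https enable, undo ip http enable) are assumed from the Comware SSL and HTTPS command set; PKI domain 1 is assumed to already hold the device certificate obtained from the CA server, and the value ranges should be checked against the command reference for your release.

```text
# Create an SSL server policy named myssl and associate it with PKI domain 1,
# which supplies the server certificate (names assumed, not from this page).
<SecPath> system-view
[SecPath] ssl server-policy myssl
[SecPath-ssl-server-policy-myssl] pki-domain 1
# By default (no client-verify enable) any client that can reach the web interface
# is accepted. Require a client certificate instead, and leave weak authentication
# at its default of disabled so a client that cannot be verified is rejected.
[SecPath-ssl-server-policy-myssl] client-verify enable
[SecPath-ssl-server-policy-myssl] undo client-verify weaken
# Shorten the handshake timeout from the 3600-second default so that half-open
# handshakes are released sooner (value assumed; check the allowed range).
[SecPath-ssl-server-policy-myssl] handshake timeout 300
# Wait for the client's close-notify before tearing the connection down.
[SecPath-ssl-server-policy-myssl] close-mode wait
# Cache fewer sessions for a shorter time than the defaults of 500 and 3600 seconds
# (values assumed; check the allowed ranges).
[SecPath-ssl-server-policy-myssl] session cachesize 100 timeout 1800
[SecPath-ssl-server-policy-myssl] quit
# Apply the policy to the web interface, enable HTTPS, and disable plain HTTP so
# that web logins can only go through the SSL-protected service.
[SecPath] ip https ssl-server-policy myssl
[SecPath] ip https enable
[SecPath] undo ip http enable
```

With client-verify enable and weak authentication disabled, a browser that has no certificate issued under the CA trusted by PKI domain 1 will fail the handshake rather than reach the login page; verify this from the host before relying on it, since weak authentication, if someone later enables it, silently relaxes that check.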