Displaying and maintaining ssl – H3C Technologies H3C SecPath F1000-E User Manual

937

Step Command

Remarks

3.

Specify a PKI domain for the
SSL client policy.

pki-domain domain-name

Optional
No PKI domain is configured by

default.
If the SSL server requires
certificate-based authentication for

SSL clients, you must use this

command to specify a PKI domain
for the client and request a local

certificate for the client through the

PKI domain.

4.

Specify the preferred cipher

suite for the SSL client policy.

•

In non-FIPS mode:
prefer-cipher

{ dhe_rsa_aes_128_cbc_sha |

dhe_rsa_aes_256_cbc_sha |

rsa_3des_ede_cbc_sha |
rsa_aes_128_cbc_sha |

rsa_aes_256_cbc_sha |

rsa_des_cbc_sha |
rsa_rc4_128_md5 |

rsa_rc4_128_sha

•

In FIPS mode:
prefer-cipher

{ dhe_rsa_aes_128_cbc_sha |

dhe_rsa_aes_256_cbc_sha |

rsa_aes_128_cbc_sha |
rsa_aes_256_cbc_sha }

Optional.
rsa_rc4_128_md5 by default.
Support for the commands
depends on the firewall model. For

more information, see the SSL

command reference.

5.

Specify the SSL protocol

version for the SSL client
policy.

version { ssl3.0 | tls1.0 }

Optional.
TLS 1.0 by default.

6.

Enable the SSL client to

perform certificate-based
authentication for the SSL

server.

server-verify enable

Optional.
Enabled by default.

Displaying and maintaining SSL

Task Command

Remarks

Display SSL server policy
information.

display ssl server-policy

{ policy-name | all } [ | { begin |
exclude | include }

regular-expression ]

Available in any view

Display SSL client policy
information.

display ssl client-policy
{ policy-name | all } [ | { begin |

exclude | include }
regular-expression ]

Available in any view