Displaying and maintaining ssl, Troubleshooting ssl, Symptom – H3C Technologies H3C SecBlade LB Cards User Manual
Step 3. Specify a PKI domain for the SSL client policy.
  Command: pki-domain domain-name
  Remarks: Optional. No PKI domain is specified by default. If the SSL server authenticates the SSL client through a digital certificate, you must use this command to specify a PKI domain and request a local certificate for the SSL client in the PKI domain. For information about how to configure a PKI domain, see "Configuring PKI."

Step 4. Specify the preferred cipher suite for the SSL client policy.
  Command: prefer-cipher { rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }
  Remarks: Optional. rsa_rc4_128_md5 by default.

Step 5. Specify the SSL protocol version for the SSL client policy.
  Command: version { ssl3.0 | tls1.0 }
  Remarks: Optional. TLS 1.0 by default.

Step 6. Enable certificate-based SSL server authentication.
  Command: server-verify enable
  Remarks: Optional. Enabled by default.
Displaying and maintaining SSL

Task: Display SSL server policy information.
  Command: display ssl server-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

Task: Display SSL client policy information.
  Command: display ssl client-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

Troubleshooting SSL
Symptom
SSL handshake failed. As the SSL server, the device fails to handshake with the SSL client.
Analysis
SSL handshake failure may result from the following causes:
• The SSL client is configured to authenticate the SSL server, but the SSL server has no certificate or the certificate is not trusted.
• The SSL server is configured to authenticate the SSL client, but the SSL client has no certificate or the certificate is not trusted.
• The server and the client have no matching cipher suite.
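
The following Python audit is an added example, not part of the H3C manual. It overlays SSL client-policy commands on the defaults given in the client-policy steps and reports settings that correspond to the failure causes listed above or that leave the session weakly protected. The function names, the sample input, the `undo server-verify enable` form, and the treatment of the preferred suite as the one the server must accept are assumptions.

```python
# Added example. Function and variable names are illustrative, not H3C's.
# Defaults come from the client-policy steps in this manual page.
DEFAULTS = {"pki-domain": None, "prefer-cipher": "rsa_rc4_128_md5",
            "version": "tls1.0", "server-verify": True}
CIPHERS = {"rsa_aes_128_cbc_sha", "rsa_des_cbc_sha",
           "rsa_rc4_128_md5", "rsa_rc4_128_sha"}
VERSIONS = {"ssl3.0", "tls1.0"}


def effective_policy(config_lines):
    """Overlay configured client-policy commands on the documented defaults."""
    policy = dict(DEFAULTS)
    for raw in config_lines:
        words = raw.split()
        if len(words) == 2 and words[0] == "pki-domain":
            policy["pki-domain"] = words[1]
        elif len(words) == 2 and words[0] == "prefer-cipher" and words[1] in CIPHERS:
            policy["prefer-cipher"] = words[1]
        elif len(words) == 2 and words[0] == "version" and words[1] in VERSIONS:
            policy["version"] = words[1]
        elif words == ["server-verify", "enable"]:
            policy["server-verify"] = True
        elif words == ["undo", "server-verify", "enable"]:  # assumed undo form
            policy["server-verify"] = False
        elif words:
            raise ValueError(f"unrecognized client-policy line: {raw!r}")
    return policy


def audit(policy, server_ciphers, server_requires_client_cert=False):
    """Return findings tied to the handshake-failure causes and weak settings."""
    findings = []
    cipher = policy["prefer-cipher"]
    if cipher not in server_ciphers:
        findings.append(f"mismatch: server does not accept {cipher}")
    if server_requires_client_cert and policy["pki-domain"] is None:
        findings.append("missing: server wants a client certificate, no pki-domain")
    if "rc4" in cipher or "_des_" in cipher or cipher.endswith("md5"):
        findings.append(f"weak: {cipher} uses RC4, single DES or MD5")
    if policy["version"] == "ssl3.0":
        findings.append("weak: ssl3.0 selected instead of tls1.0")
    if not policy["server-verify"]:
        findings.append("risk: server certificate is not verified")
    return findings


# Constructed sample: a policy that changes only the PKI domain and version.
SAMPLE = ["pki-domain example-domain", "version ssl3.0"]
SERVER_CIPHERS = {"rsa_aes_128_cbc_sha"}  # constructed peer cipher list
```

Because the sample leaves prefer-cipher unset, the audit evaluates the default rsa_rc4_128_md5, which is how an untouched default ends up as both a cipher mismatch and a weak-cipher finding.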