Displaying and maintaining ssl – H3C Technologies H3C SecPath F1000-E User Manual
Step / Command / Remarks

Step 3. Specify a PKI domain for the SSL client policy.
  Command: pki-domain domain-name
  Remarks: Optional. No PKI domain is configured by default. If the SSL server requires certificate-based authentication for SSL clients, you must use this command to specify a PKI domain for the client and request a local certificate for the client through the PKI domain.

Step 4. Specify the preferred cipher suite for the SSL client policy.
  Command:
    • In non-FIPS mode:
      prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }
    • In FIPS mode:
      prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha }
  Remarks: Optional. rsa_rc4_128_md5 by default. Support for the commands depends on the firewall model. For more information, see the SSL command reference.

Step 5. Specify the SSL protocol version for the SSL client policy.
  Command: version { ssl3.0 | tls1.0 }
  Remarks: Optional. TLS 1.0 by default.

Step 6. Enable the SSL client to perform certificate-based authentication for the SSL server.
  Command: server-verify enable
  Remarks: Optional. Enabled by default.
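
The following is an added example, not part of the H3C manual: a Python check that reads SSL client policy configuration text, fills in the defaults stated in the steps above, and reports policies left on a weak preferred cipher suite, on ssl3.0, or with server verification turned off. The sample configuration, its policy names, the `ssl client-policy` header lines and the `undo server-verify enable` form are assumptions about how the saved configuration looks.

```python
# Defaults the steps above state for an SSL client policy.
DEFAULTS = {"pki-domain": None, "prefer-cipher": "rsa_rc4_128_md5",
            "version": "tls1.0", "server-verify": "enable"}
# Suites from the non-FIPS list that rely on RC4, single DES, 3DES or MD5.
WEAK_SUITES = {"rsa_rc4_128_md5", "rsa_rc4_128_sha",
               "rsa_des_cbc_sha", "rsa_3des_ede_cbc_sha"}

# Constructed sample; the layout is an assumption, not captured device output.
SAMPLE = """\
ssl client-policy legacy
 version ssl3.0
 undo server-verify enable
#
ssl client-policy untouched
#
ssl client-policy hardened
 pki-domain pki1
 prefer-cipher dhe_rsa_aes_256_cbc_sha
"""

def parse_client_policies(text):
    """Return {policy: settings}, filling unset options with DEFAULTS."""
    policies, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():  # top-level line: new policy or end of view
            is_policy = len(words) == 3 and words[:2] == ["ssl", "client-policy"]
            current = policies.setdefault(words[2], dict(DEFAULTS)) if is_policy else None
        elif current is not None:
            if words[:2] == ["undo", "server-verify"]:
                current["server-verify"] = "disable"
            elif len(words) == 2 and words[0] in DEFAULTS:
                current[words[0]] = words[1]
    return policies

def audit(policies):
    """List (policy, finding) pairs for settings a reviewer should change."""
    findings = []
    for name, s in sorted(policies.items()):
        if s["prefer-cipher"] in WEAK_SUITES:
            findings.append((name, "weak cipher suite: " + s["prefer-cipher"]))
        if s["version"] == "ssl3.0":
            findings.append((name, "ssl3.0 selected instead of tls1.0"))
        if s["server-verify"] != "enable":
            findings.append((name, "server certificate not verified"))
    return findings
```

A policy with no `prefer-cipher` line is reported as well, because the stated default is rsa_rc4_128_md5.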
Displaying and maintaining SSL
Task / Command / Remarks

Task: Display SSL server policy information.
  Command: display ssl server-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view

Task: Display SSL client policy information.
  Command: display ssl client-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view