Catalyst 6500 Series Switch WebVPN Module Command Reference—Release 1.1
OL-7310-01
Chapter 2 Commands for the Catalyst 6500 Series Switch WebVPN Module
webvpn policy ssl
You can define the SSL policy templates using the ssl-proxy policy ssl ssl-policy-name command and
associate an SSL policy with a particular proxy server using the proxy server configuration CLI. The
SSL policy template allows you to define various parameters that are associated with the SSL handshake
stack.
When you enable close-notify, a close-notify alert message is sent to the client and a close-notify alert
message is expected from the client as well. When disabled, the server sends a close-notify alert message
to the client; however, the server does not expect or wait for a close-notify message from the client before
tearing down the session.
The cipher-suite names follow the same convention as the existing SSL stacks.
The cipher-suites that are acceptable to the proxy-server are as follows:
RSA_WITH_3DES_EDE_CBC_SHA—RSA with 3des-sha
RSA_WITH_DES_CBC_SHA—RSA with des-sha
RSA_WITH_RC4_128_MD5—RSA with rc4-md5
RSA_WITH_RC4_128_SHA—RSA with rc4-sha
all—All supported ciphers
If you enter the timeout session timeout absolute command, the session entry is kept in the session
cache for the configured timeout before it is cleaned up. If the session cache is full, the timers are active
for all the entries, and the absolute keyword is configured, all further new sessions are rejected.
Table 2-10 SSL-Policy Configuration Submode Command Descriptions (continued)

exit
    Exits from SSL-policy configuration submode.

help
    Provides a description of the interactive help system.

[no] session-cache enable
    Allows you to enable the session-caching feature. Use the no form of this
    command to disable session-caching.

session-cache size size
    Specifies the maximum number of session entries to be allocated for a given
    service; valid values are from 1 to 262143 entries.

timeout handshake timeout
    Allows you to configure the amount of time that the module keeps the
    connection in handshake phase; valid values are from 0 to 65535 seconds.

timeout session timeout [absolute]
    Allows you to configure the session timeout. The syntax description is as
    follows:
    timeout—Session timeout; valid values are from 0 to 72000 seconds.
    absolute—(Optional) The session entry is not removed until the
    configured timeout has completed.

tls-rollback [current | any]
    Allows you to specify if the SSL protocol version number in the TLS/SSL
    premaster secret message is either the maximum version or the negotiated
    version (current), or if the version is not checked (any).

version {all | ssl3 | tls1}
    Allows you to set the version of SSL to one of the following:
    all—Both SSL3 and TLS1 versions are used.
    ssl3—SSL version 3 is used.
    tls1—TLS version 1 is used.
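As an added example (not part of this command reference), the following Python script reads SSL-policy template blocks from a saved configuration and flags the settings a reviewer would question: DES or RC4 cipher-suites (or all), a version other than tls1, tls-rollback any, and timeout session with absolute, whose full-cache behaviour the text above describes. The sample configuration is constructed; the one-suite-per-line cipher command and the block layout are assumptions, since only the suite names appear on this page.

```python
import re

# Constructed sample in this page's submode syntax; the "cipher <suite>" line is assumed.
SAMPLE_CONFIG = """\
ssl-proxy policy ssl legacy
 cipher RSA_WITH_RC4_128_MD5
 cipher RSA_WITH_DES_CBC_SHA
 version all
 tls-rollback any
 timeout session 72000 absolute
ssl-proxy policy ssl hardened
 cipher RSA_WITH_3DES_EDE_CBC_SHA
 version tls1
 tls-rollback current
 session-cache size 4096
 timeout session 3600
"""

WEAK_CIPHERS = {"RSA_WITH_DES_CBC_SHA", "RSA_WITH_RC4_128_MD5", "RSA_WITH_RC4_128_SHA"}  # DES/RC4 suites

def parse_policies(text):
    """Map each policy name to its (keyword, args) submode lines."""
    policies, current = {}, None
    for raw in text.splitlines():
        m = re.match(r"ssl-proxy policy ssl (\S+)$", raw)
        if m:
            current = policies.setdefault(m.group(1), [])
        elif current is not None and raw.startswith(" ") and raw.split():
            kw, *args = raw.split()
            current.append((kw, args))
    return policies

def audit_policy(lines):
    """Flag settings a reviewer would question; an empty list means nothing flagged."""
    findings = []
    for kw, args in lines:
        if kw == "cipher" and args and (args[0] == "all" or args[0] in WEAK_CIPHERS):
            findings.append(f"cipher {args[0]}: enables a DES or RC4 suite")
        elif kw == "version" and args and args[0] != "tls1":
            findings.append(f"version {args[0]}: SSL version 3 is accepted")
        elif kw == "tls-rollback" and args == ["any"]:
            findings.append("tls-rollback any: premaster-secret version is not checked")
        elif kw == "timeout" and args[:1] == ["session"] and "absolute" in args:
            findings.append("timeout session absolute: new sessions are rejected once the cache is full")
    return findings

def audit_config(text):
    """Audit every policy in a config dump; returns {policy_name: findings}."""
    return {name: audit_policy(lines) for name, lines in parse_policies(text).items()}
```

Run audit_config on the output of a show running-config dump to get one finding list per policy template.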