F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Network Management Configuration Guide-6PW100
Step | Command | Remarks

1623. Specify a PKI domain for the SSL server policy.
    Command: pki-domain domain-name
    Remarks: Optional. By default, no PKI domain is specified for an SSL server policy; the SSL server then generates and signs a certificate for itself and does not obtain a certificate from a CA server. Clients have no trust anchor for such a self-signed certificate, so they cannot authenticate the server in that state. If SSL clients authenticate the server through a digital certificate, you must use this command to specify a PKI domain and request a local certificate for the SSL server in that PKI domain. For information about how to configure a PKI domain, see VPN Configuration Guide.

1624. Specify the cipher suite(s) for the SSL server policy to support.
    Command (non-FIPS mode): ciphersuite [ dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *
    Command (FIPS mode): ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha }
    Remarks: Optional. By default, an SSL server policy supports all cipher suites. In non-FIPS mode that default includes the single-DES suite (rsa_des_cbc_sha) and the RC4 suites (rsa_rc4_128_md5, rsa_rc4_128_sha), which are deprecated (RFC 7465 prohibits RC4 in TLS); on any policy reachable by untrusted clients, use this command to restrict the set, and prefer the dhe_rsa_ suites, which provide forward secrecy. Support for the rsa_3des_ede_cbc_sha and rsa_aes_256_cbc_sha keywords depends on the device model. For more information, see the command reference.

1625. Set the handshake timeout time for the SSL server.
    Command: handshake timeout time
    Remarks: Optional. 3,600 seconds by default.

1626. Set the SSL connection close mode.
    Command: close-mode wait
    Remarks: Optional. Not wait by default: the server closes the connection after sending its close-notify alert without waiting for the client's close-notify alert.

1627. Set the maximum number of cached sessions and the caching timeout time.
    Command: session { cachesize size | timeout time } *
    Remarks: Optional. The defaults are 500 for the maximum number of cached sessions and 3,600 seconds for the caching timeout time.

1628. Configure the server to require certificate-based SSL client authentication.
    Command: client-verify enable
    Remarks: Optional. By default, the SSL server does not require the client to be authenticated. When client verification is enabled, the server validates client certificates against the CA certificate of the PKI domain specified in step 1623, so that step is a prerequisite in practice.
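The procedure above as one complete SSL server policy, written here as an added example; it is not a configuration excerpt from the guide or from H3C. The policy names (legacy-https, mgmt-https), the PKI domain name fw-pki (assumed to already hold a requested local certificate per VPN Configuration Guide), the ssl server-policy command used to enter policy view (assumed from the step that precedes this table) and the display ssl server-policy check at the end are assumptions; the timeout and cache values are illustrative. The first policy shows the weak default state beside the hardened one.

```text
# Added example, not from the configuration guide. Lines starting with # are annotations.
system-view

# Weak state: no pki-domain, so the server uses a self-signed certificate that
# clients cannot verify, and no ciphersuite line, so all suites are accepted,
# including rsa_des_cbc_sha, rsa_rc4_128_md5 and rsa_rc4_128_sha (non-FIPS mode).
 ssl server-policy legacy-https
  quit

# Hardened policy following steps 1623-1628.
 ssl server-policy mgmt-https
  # 1623: CA-issued local certificate from the (assumed) PKI domain fw-pki.
  pki-domain fw-pki
  # 1624: restrict to the FIPS-mode set; DES, RC4 and MD5-based suites are
  # no longer offered, and the dhe_rsa_ suites give forward secrecy.
  ciphersuite dhe_rsa_aes_256_cbc_sha dhe_rsa_aes_128_cbc_sha rsa_aes_256_cbc_sha rsa_aes_128_cbc_sha
  # 1625: shorten the 3,600 s default so stalled handshakes release resources sooner (illustrative value).
  handshake timeout 60
  # 1626: wait for the client's close-notify before tearing the connection down.
  close-mode wait
  # 1627: bound the session cache (illustrative values; defaults are 500 and 3,600 s).
  session cachesize 200 timeout 1800
  # 1628: require client certificates, validated against the CA in fw-pki.
  client-verify enable
  quit

# Assumed verification command: confirm the suite list, timeouts and
# client-verify state took effect before binding the policy to a service.
display ssl server-policy mgmt-https
```

Apply the hardened policy to the HTTPS or other SSL-based service per that service's own configuration steps; the legacy-https policy is shown only to make the default state visible and should not be bound to anything reachable by untrusted clients.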