R3102-R3103-HP 6600/HSR6600 Routers Security Command Reference

ManualsBrandsHP ManualsNetwork HardwareHP HSR6602-XG Router

401

402

403

404

405

406

407

408

409

410

395

Usage guidelines

If you do not specify a PKI domain for an SSL server policy, the SSL server generates and signs a

certificate for itself rather than obtaining one from a CA server.

Examples

# Configure SSL server policy policy1 to use PKI domain server-domain.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] pki-domain server-domain

# Configure SSL client policy policy1 to use PKI domain client-domain.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] pki-domain client-domain

Related commands

• display ssl server-policy

• display ssl client-policy

prefer-cipher

Use prefer-cipher to specify the preferred cipher suite for an SSL client policy.

Use undo prefer-cipher to restore the default.

Syntax

In non-FIPS mode:

prefer-cipher { rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha |

rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }

undo prefer-cipher

In FIPS mode:

prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha |

rsa_aes_256_cbc_sha }

undo prefer-cipher

Default

The preferred cipher suite for an SSL client policy is rsa_rc4_128_md5.

Views

SSL client policy view

Default command level

2: System level

Parameters

dhe_rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of DH_RSA, the data encryption

algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA.

dhe_rsa_aes_256_cbc_sha: Specifies the key exchange algorithm of DH_RSA, the data encryption

algorithm of 256-bit AES_CBC, and the MAC algorithm of SHA.