R3303-HP 6600/HSR6600 Routers Security Configuration Guide

Step 4: Specify the preferred cipher suite for the SSL client policy.
  Command (non-FIPS mode): prefer-cipher { rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }
  Command (FIPS mode): prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha }
  Remarks: Optional. rsa_rc4_128_md5 by default.

Step 5: Specify the SSL protocol version for the SSL client policy.
  Command: version { ssl3.0 | tls1.0 }
  Remarks: Optional. TLS 1.0 by default.

Step 6: Enable certificate-based SSL server authentication.
  Command: server-verify enable
  Remarks: Optional. Enabled by default.
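The three settings above correspond to a TLS client's cipher preference, its protocol ceiling and whether it verifies the peer. The following script is an added example, not code from the guide or from HP: it audits a client policy built from the keywords the guide lists and constructs an equivalent Python ssl context so the same choices can be exercised from a host. The keyword-to-OpenSSL-name table, the finding strings and the function names are assumptions made for this example.

```python
"""Audit an SSL client policy made of the three settings on this page
(prefer-cipher, version, server-verify) and build a Python ssl context that
mirrors it. Added example; the keyword-to-OpenSSL-name table is an
assumption made here, not a table from the guide."""
import ssl
import warnings

# Router cipher-suite keyword -> OpenSSL cipher name (assumed mapping)
DEVICE_TO_OPENSSL = {
    "rsa_3des_ede_cbc_sha": "DES-CBC3-SHA",
    "rsa_aes_128_cbc_sha": "AES128-SHA",
    "rsa_aes_256_cbc_sha": "AES256-SHA",
    "rsa_des_cbc_sha": "DES-CBC-SHA",
    "rsa_rc4_128_md5": "RC4-MD5",
    "rsa_rc4_128_sha": "RC4-SHA",
    "dhe_rsa_aes_128_cbc_sha": "DHE-RSA-AES128-SHA",
    "dhe_rsa_aes_256_cbc_sha": "DHE-RSA-AES256-SHA",
}

# Suites the guide lists for FIPS mode
FIPS_SUITES = {"dhe_rsa_aes_128_cbc_sha", "dhe_rsa_aes_256_cbc_sha",
               "rsa_aes_128_cbc_sha", "rsa_aes_256_cbc_sha"}

DEFAULT_SUITE = "rsa_rc4_128_md5"   # non-FIPS default stated in the guide


def audit_policy(prefer_cipher=DEFAULT_SUITE, version="tls1.0", server_verify=True):
    """Return a list of findings for a client policy; empty means the policy
    uses a FIPS-mode suite, TLS 1.0 rather than SSL 3.0, and verifies the
    server certificate."""
    if prefer_cipher not in DEVICE_TO_OPENSSL:
        raise ValueError("unknown cipher suite keyword: %s" % prefer_cipher)
    findings = []
    if "rc4" in prefer_cipher:
        findings.append("RC4 stream cipher: broken, rejected by current peers")
    if "_des_" in prefer_cipher:
        findings.append("single DES: 56-bit key")
    if "3des" in prefer_cipher:
        findings.append("3DES: 64-bit block cipher, deprecated")
    if prefer_cipher.endswith("_md5"):
        findings.append("MD5 MAC: deprecated")
    if prefer_cipher not in FIPS_SUITES:
        findings.append("suite is outside the FIPS-mode set")
    if version == "ssl3.0":
        findings.append("SSL 3.0: obsolete protocol version")
    if not server_verify:
        findings.append("server-verify disabled: server certificate not checked")
    return findings


def build_client_context(prefer_cipher=DEFAULT_SUITE, version="tls1.0",
                         server_verify=True, cafile=None):
    """Return (ctx, offered): an ssl.SSLContext configured like the policy and
    the OpenSSL cipher name actually enabled, or None when the local OpenSSL
    no longer provides that suite (the same refusal a modern peer gives)."""
    if version not in ("ssl3.0", "tls1.0"):
        raise ValueError("version must be ssl3.0 or tls1.0")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if server_verify:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED      # server-verify enable
        if cafile:
            ctx.load_verify_locations(cafile)    # the trusted CA (PKI domain)
    else:
        # server-verify disable: check_hostname must be cleared before
        # verify_mode can be relaxed
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    ceiling = ssl.TLSVersion.SSLv3 if version == "ssl3.0" else ssl.TLSVersion.TLSv1
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        try:
            ctx.maximum_version = ceiling        # the device speaks at most TLS 1.0
        except (ValueError, ssl.SSLError):
            pass                                 # build refuses the legacy ceiling
    name = DEVICE_TO_OPENSSL[prefer_cipher]
    try:
        ctx.set_ciphers(name)
        offered = name
    except ssl.SSLError:
        offered = None                           # compiled out or below seclevel
    return ctx, offered


if __name__ == "__main__":
    for suite in DEVICE_TO_OPENSSL:
        _, offered = build_client_context(suite)
        print("%-26s findings=%d local OpenSSL offers=%s"
              % (suite, len(audit_policy(suite)), offered))
```

On a current OpenSSL build the RC4 and single-DES suites usually come back with `offered` set to None, which is the same outcome a peer reports when the router's preferred suite is no longer accepted; the FIPS-mode list avoids that, and `server-verify enable` (the default) is what turns the PKI domain's CA into an actual check on the server.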
Displaying and maintaining SSL

Task: Display SSL server policy information.
  Command: display ssl server-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

Task: Display SSL client policy information.
  Command: display ssl client-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Troubleshooting SSL

SSL handshake failure

Symptom
As the SSL server, the device fails to handshake with the SSL client.

Analysis
SSL handshake failure may result from the following causes:
- The SSL client is configured to authenticate the SSL server, but the SSL server has no certificate or the certificate is not trusted.
- The SSL server is configured to authenticate the SSL client, but the SSL client has no certificate or the certificate is not trusted.
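The two causes look different from the client side: in the first the client's own certificate verification fails, in the second the server answers with a certificate-related TLS alert. The classifier below is an added example, not code from the guide or the vendor; it reads `openssl s_client` output or a Python ssl handshake exception and names the cause. The s_client outputs are constructed samples and the function names are assumptions.

```python
"""Classify a failed SSL/TLS handshake into the two causes listed under
"SSL handshake failure": the client rejected the server's certificate, or
the server rejected (or never received) the client's certificate.
Added example, not code from the guide; the s_client outputs below are
constructed samples."""
import re
import ssl

# TLS alert numbers a server sends when it cannot accept, or did not get,
# the client's certificate (RFC 5246 section 7.2; 116 is from RFC 8446).
CERT_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    116: "certificate_required",
}
# The same alerts as the suffixes Python's ssl module puts on SSLError.reason
CERT_ALERT_REASONS = {"HANDSHAKE_FAILURE", "BAD_CERTIFICATE",
                      "UNSUPPORTED_CERTIFICATE", "CERTIFICATE_REVOKED",
                      "CERTIFICATE_EXPIRED", "CERTIFICATE_UNKNOWN",
                      "UNKNOWN_CA", "CERTIFICATE_REQUIRED"}

VERIFY_RE = re.compile(r"Verify return code: (\d+) \(([^)]*)\)")
ALERT_RE = re.compile(r"SSL alert number (\d+)")


def classify_s_client(output):
    """Map `openssl s_client` output to (cause, detail).

    cause is 'server-cert-untrusted' when this side rejected the server's
    certificate (non-zero X509 verify result), 'client-cert-rejected' when
    the server answered with a certificate-related alert, 'ok' for a clean
    handshake, and 'unknown' otherwise."""
    m = ALERT_RE.search(output)
    if m and int(m.group(1)) in CERT_ALERTS:
        return "client-cert-rejected", CERT_ALERTS[int(m.group(1))]
    m = VERIFY_RE.search(output)
    if m:
        code, msg = int(m.group(1)), m.group(2)
        return ("ok", msg) if code == 0 else ("server-cert-untrusted", msg)
    return "unknown", ""


def classify_exception(exc):
    """Same mapping for an exception raised by SSLSocket.do_handshake()."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "server-cert-untrusted", getattr(exc, "verify_message", "") or ""
    reason = getattr(exc, "reason", None) or ""
    if any(reason.endswith(tag) for tag in CERT_ALERT_REASONS):
        return "client-cert-rejected", reason
    return "unknown", reason


# Constructed sample outputs (not captured from a real device)
SAMPLE_SERVER_UNTRUSTED = """\
CONNECTED(00000003)
depth=0 CN = ssl-server.example
verify error:num=18:self-signed certificate
verify return:1
---
Verify return code: 18 (self-signed certificate)
"""
SAMPLE_CLIENT_REJECTED = """\
CONNECTED(00000003)
depth=0 CN = ssl-server.example
verify return:1
80ABCDEF:error:0A000418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:ssl/record/rec_layer_s3.c:1586:SSL alert number 48
"""
SAMPLE_OK = """\
CONNECTED(00000003)
---
Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    for label, text in (("server untrusted", SAMPLE_SERVER_UNTRUSTED),
                        ("client rejected", SAMPLE_CLIENT_REJECTED),
                        ("clean", SAMPLE_OK)):
        print("%-16s -> %s" % (label, classify_s_client(text)))
```

A non-zero verify result points at the first cause (load the CA that issued the server certificate, or issue the server one from a CA the client trusts); a certificate alert from the server points at the second (the client sent no certificate, or one from a CA the server's PKI domain does not trust).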