R2511-HP MSR Router Series Security Configuration Guide(V5)

Configuring an SSL server policy
An SSL server policy is a set of SSL parameters that a server applies when it starts up. An SSL server policy takes effect only after it is associated with an application such as HTTPS.
SSL versions include SSL 2.0, SSL 3.0, and TLS 1.0 (also known as SSL 3.1). When the device acts as the SSL server, it communicates with clients running SSL 3.0 or TLS 1.0. It can also recognize the SSL 2.0-format Client Hello sent by a client that supports both SSL 2.0 and SSL 3.0/TLS 1.0, and it notifies that client to use SSL 3.0 or TLS 1.0 for the session rather than negotiating SSL 2.0.
In FIPS mode, only TLS 1.0 is supported.
Note that SSL 2.0 and SSL 3.0 have since been deprecated by the IETF (RFC 6176 and RFC 7568) because of known weaknesses. Where the clients allow it, rely on TLS 1.0 and restrict the cipher suites the policy offers (step 5 below).
To configure an SSL server policy:
Step / Command / Remarks

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Set the encryption mode of the ESM encryption card to SSL.
   Command: card-mode slot slot-number ssl
   Remarks: Required only when an ESM encryption card is used. This configuration takes effect after the device reboots.

3. Create an SSL server policy and enter its view.
   Command: ssl server-policy policy-name
   Remarks: N/A

4. Specify a PKI domain for the SSL server policy.
   Command: pki-domain domain-name
   Remarks: Optional. By default, no PKI domain is specified for an SSL server policy; the SSL server generates and signs a certificate for itself and does not obtain a certificate from a CA server. Clients have no trust anchor for such a self-signed certificate, so if SSL clients authenticate the server through a digital certificate, you must use this command to specify a PKI domain and request a local certificate for the SSL server in that PKI domain. For information about how to configure a PKI domain, see "Configuring PKI."

5. Specify the cipher suites for the SSL server policy to support.
   Command (non-FIPS mode): ciphersuite [ rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *
   Command (FIPS mode): ciphersuite [ dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha ] *
   Remarks: Optional. By default, an SSL server policy supports all cipher suites. In non-FIPS mode the default therefore includes rsa_des_cbc_sha (56-bit DES) and the RC4 suites, which are no longer considered secure; restrict the list to the AES suites unless a client requires otherwise.
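The following CLI session is an added example and is not taken from the HP guide. It walks the procedure above twice: first a policy left at its defaults (self-signed certificate, all cipher suites including DES and RC4), then a hardened policy bound to a PKI domain and limited to AES suites. The names Sysname, weak-policy, https-policy and msr-pki are assumptions, the PKI domain msr-pki is assumed to already hold a local certificate, no ESM encryption card is installed (so step 2 is skipped), and the ip https ssl-server-policy, ip https enable and display ssl server-policy commands are assumed from the device's HTTPS and display documentation rather than from this page.

```text
# Added example, not from the guide. Assumed names: Sysname, weak-policy,
# https-policy, PKI domain msr-pki (already holds a local certificate).

# Weak: defaults only. No PKI domain, so the server self-signs its own
# certificate; no ciphersuite line, so DES and RC4 suites are offered.
<Sysname> system-view
[Sysname] ssl server-policy weak-policy
[Sysname-ssl-server-policy-weak-policy] quit

# Hardened: certificate comes from the PKI domain, AES suites only.
[Sysname] ssl server-policy https-policy
[Sysname-ssl-server-policy-https-policy] pki-domain msr-pki
[Sysname-ssl-server-policy-https-policy] ciphersuite rsa_aes_128_cbc_sha rsa_aes_256_cbc_sha
[Sysname-ssl-server-policy-https-policy] quit

# The policy only takes effect once an application uses it (assumed
# HTTPS commands from the HTTPS configuration section).
[Sysname] ip https ssl-server-policy https-policy
[Sysname] ip https enable

# Check that the policy shows the PKI domain and the restricted suite list
# (assumed display command).
[Sysname] display ssl server-policy https-policy
```

If a client still needs rsa_3des_ede_cbc_sha, add it to the ciphersuite line explicitly rather than falling back to the all-suites default, which also brings back single DES and RC4.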