R0106-HP MSR Router Series Security Configuration Guide(V7)

NOTE:
SSL versions include SSL 2.0, SSL 3.0, and TLS 1.0 (also known as SSL 3.1). When the device acts as the SSL server, it can communicate with clients running SSL 3.0 or TLS 1.0. When the SSL server receives an SSL 2.0-format ClientHello message from a client that supports both SSL 2.0 and SSL 3.0/TLS 1.0, it notifies the client to use SSL 3.0 or TLS 1.0 for communication. The device does not negotiate SSL 2.0 itself; the SSL 2.0-format ClientHello is accepted only so that such a client can be moved to SSL 3.0 or TLS 1.0. Note that SSL 2.0 and SSL 3.0 have since been prohibited (RFC 6176 and RFC 7568) and TLS 1.0 deprecated (RFC 8996), so limit the set of clients that are allowed to reach the SSL server.
To configure an SSL server policy:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create an SSL server policy and enter its view.
    Command: ssl server-policy policy-name
    Remarks: By default, no SSL server policy exists on the device.

Step 3. (Optional.) Specify a PKI domain for the SSL server policy.
    Command: pki-domain domain-name
    Remarks: By default, no PKI domain is specified for an SSL server policy. If SSL server authentication is required, you must specify a PKI domain and request a local certificate for the SSL server in the domain. All cipher suites listed in step 4 authenticate the server with an RSA certificate (rsa_* and dhe_rsa_* suites), so in practice a PKI domain with a local certificate is needed for clients to complete a handshake. For information about how to create and configure a PKI domain, see "Configuring PKI."

Step 4. Specify the cipher suites that the SSL server policy supports.
    Command (low encryption):
        ciphersuite { exp_rsa_des_cbc_sha | rsa_des_cbc_sha } *
    Command (high encryption, non-FIPS mode):
        ciphersuite { dhe_rsa_aes_128_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } *
    Command (FIPS mode):
        ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha } *
    Remarks: By default, an SSL server policy supports all cipher suites. The default therefore also enables the 40-bit export-grade suites (exp_*), single DES, RC4, and the MD5-based suites, all of which are considered broken or deprecated today. Unless a legacy client requires one of them, restrict the policy to the AES suites, which in non-FIPS mode are dhe_rsa_aes_128_cbc_sha, rsa_aes_128_cbc_sha, and rsa_aes_256_cbc_sha (dhe_rsa_aes_256_cbc_sha is available only in FIPS mode). The dhe_rsa_* suites provide forward secrecy; the rsa_* suites do not.

Step 5. Set the maximum number of sessions that the SSL server can cache.
    Command: session cachesize size
    Remarks: By default, an SSL server can cache up to 500 sessions.
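The following configuration session, added here as an example and not taken from the guide, walks through steps 1 to 5 on a non-FIPS device, first with the default cipher suite list (the weak setting) and then with the list tightened to the AES suites. The policy name msr-ssl, the PKI domain msr-pki (assumed to already hold a local certificate, configured as described in "Configuring PKI"), the cache size 200, the prompt strings, and the display ssl server-policy command used to verify the result are assumptions for this example.

```console
# Step 1: enter system view.
<Sysname> system-view

# Step 2: create the SSL server policy msr-ssl (assumed name) and enter its view.
[Sysname] ssl server-policy msr-ssl

# Step 3: bind the PKI domain msr-pki (assumed name). The local certificate in this
# domain is what the rsa_* and dhe_rsa_* suites use to authenticate the server.
[Sysname-ssl-server-policy-msr-ssl] pki-domain msr-pki

# Step 4, weak setting: issuing no ciphersuite command keeps the default, which enables
# every suite, including exp_rsa_rc4_md5, exp_rsa_des_cbc_sha, rsa_des_cbc_sha and
# rsa_rc4_128_md5. The same weak state is what undo ciphersuite restores (assumed
# undo form).
[Sysname-ssl-server-policy-msr-ssl] undo ciphersuite

# Step 4, hardened setting: keep only the AES suites available in non-FIPS mode.
# dhe_rsa_aes_128_cbc_sha is listed first for forward secrecy; the keyword list is
# assumed to replace, not extend, the previous list.
[Sysname-ssl-server-policy-msr-ssl] ciphersuite dhe_rsa_aes_128_cbc_sha rsa_aes_128_cbc_sha rsa_aes_256_cbc_sha

# Step 5: cap the session cache below the default of 500 (assumed value).
[Sysname-ssl-server-policy-msr-ssl] session cachesize 200
[Sysname-ssl-server-policy-msr-ssl] quit

# Check the result (display command assumed): confirm that only the three AES suites
# remain and that the PKI domain is bound before applying the policy to an application.
[Sysname] display ssl server-policy msr-ssl
```

On a FIPS-mode device the same procedure applies, but the ciphersuite keyword list may additionally include dhe_rsa_aes_256_cbc_sha and must not include any of the export, DES, RC4 or MD5 suites, which the FIPS-mode syntax does not accept.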