Assigning a CRL Record to the Virtual SSL Server; Handling Client Authentication Failures - Cisco 11503 - CSS Content Services Switch Configuration Manual

Cisco Content Services Switch SSL Configuration Guide
Chapter 4
Configuring SSL Termination

Assigning a CRL Record to the Virtual SSL Server

Handling Client Authentication Failures

OL-5655-01
After you configure the CRL record, you can assign it to the virtual SSL server.
To assign the CRL record to the virtual SSL server, use the ssl-server number crl
command. You can assign only one CRL record to a virtual SSL server. For
example, to assign the mycrl CRL record, enter:
(config-ssl-proxy-list[ssl_list1])# ssl-server 20 crl mycrl
To remove the mycrl CRL record from a virtual SSL server, enter:
(config-ssl-proxy-list[ssl_list1])# no ssl-server 20 crl mycrl
Client certificate authentication fails if the certificate is invalid, expired, or has
been revoked by a CA. By default, when authentication of a client certificate fails
on the CSS, the CSS rejects the client connection.
Note: If the CSS cannot download the CRL, client connections fail with a Revoked
SSL alert. To verify that the CRL has loaded successfully, use the show ssl
statistics ssl command.
You can configure how the CSS handles a failed client certificate through the
ssl-server number failure command and the following options:
ignore - The CSS ignores client authentication failures and allows both
invalid and valid certificates to connect. For example, to configure the CSS to
ignore client authentication failures, enter:
(config-ssl-proxy-list[ssl_list1])# ssl-server 20 failure ignore
Note: Configuring the ignore option may create a security risk, because clients
presenting invalid, expired, or revoked certificates are allowed to connect.
reject - Resets the CSS default behavior of rejecting the client connection
when client authentication fails. For example, enter:
(config-ssl-proxy-list[ssl_list1])# ssl-server 20 failure reject
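As an added example (not from the guide or from Cisco), the following Python script audits CSS running-config text for the two settings this section covers: virtual SSL servers configured with failure ignore, and servers with no CRL record assigned. The sample configuration is constructed for the example and follows only the ssl-server number crl and ssl-server number failure syntax shown above; whether a CRL actually loaded is runtime state that only show ssl statistics ssl reveals, so the audit checks configuration, not runtime.

```python
import re

# Constructed sample of CSS running-config text (not taken from the manual).
# It uses the "ssl-server <number> crl <name>" and
# "ssl-server <number> failure <mode>" command syntax from the guide.
SAMPLE_CONFIG = """\
ssl-proxy-list ssl_list1
  ssl-server 20
  ssl-server 20 crl mycrl
  ssl-server 20 failure reject
  ssl-server 30
  ssl-server 30 failure ignore
  ssl-server 40
  active
"""

# ssl-server <number> [<keyword> [<value>]]
SSL_SERVER_RE = re.compile(r"^\s*ssl-server\s+(\d+)(?:\s+(\S+)(?:\s+(\S+))?)?\s*$")


def parse_ssl_servers(config_text):
    """Return {server_number: {"crl": name_or_None, "failure": mode}}.
    The CSS default when no failure option is configured is 'reject'."""
    servers = {}
    for line in config_text.splitlines():
        m = SSL_SERVER_RE.match(line)
        if not m:
            continue  # not an ssl-server line (e.g. ssl-proxy-list, active)
        num, keyword, value = m.groups()
        entry = servers.setdefault(num, {"crl": None, "failure": "reject"})
        if keyword == "crl":
            entry["crl"] = value
        elif keyword == "failure":
            entry["failure"] = value
    return servers


def audit(config_text):
    """Return (server_number, finding) pairs an operator should review."""
    findings = []
    for num, entry in sorted(parse_ssl_servers(config_text).items(),
                             key=lambda kv: int(kv[0])):
        if entry["failure"] == "ignore":
            findings.append((num, "failure ignore: invalid, expired and revoked "
                                  "client certificates are accepted"))
        if entry["crl"] is None:
            findings.append((num, "no CRL record assigned: if client authentication "
                                  "is enabled, revoked certificates are not detected"))
    return findings
```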
Configuring Virtual SSL Servers for an SSL Proxy List
Cisco Content Services Switch SSL Configuration Guide
4-19