HP 12500 Series Configuration Manual page 324

To configure an SSL server policy:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create an SSL server policy and enter its view.
  Command: ssl server-policy policy-name
  Remarks: N/A

Step 3. Specify a PKI domain for the SSL server policy.
  Command: pki-domain domain-name
  Remarks: By default, no PKI domain is specified for an SSL server policy. If SSL clients authenticate the server through a digital certificate, you must use this command to specify a PKI domain and request a local certificate for the SSL server in the PKI domain.

Step 4. Specify the cipher suites for the SSL server policy to support.
  Command: ciphersuite [ dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *
  Remarks: Optional. By default, an SSL server policy supports all cipher suites. The rsa_3des_ede_cbc_sha, rsa_des_cbc_sha, rsa_rc4_128_md5, and rsa_rc4_128_sha keywords are not available for FIPS mode. The dhe_rsa_aes_128_cbc_sha and dhe_rsa_aes_256_cbc_sha keywords are available only for FIPS mode.

Step 5. Set the handshake timeout time for the SSL server.
  Command: handshake timeout time
  Remarks: Optional. 3600 seconds by default.

Step 6. Set the SSL connection close mode.
  Command: close-mode wait
  Remarks: Optional. Not wait by default.

Step 7. Set the maximum number of cached sessions and the caching timeout time.
  Command: session { cachesize size | timeout time } *
  Remarks: Optional. The defaults are as follows: 500 for the maximum number of cached sessions, 3600 seconds for the caching timeout time.

Step 8. Enable certificate-based authentication for SSL clients on the SSL server.
  Command: client-verify enable
  Remarks: Optional. By default, the SSL server does not authenticate SSL clients.

Step 9. Enable SSL client weak authentication.
  Command: client-verify weaken
  Remarks: Optional. Disabled by default. This command takes effect only when the client-verify enable command is configured.
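
The defaults and FIPS notes in the remarks above can be checked mechanically against a saved configuration. The following Python audit is an added example, not part of the HP manual or HP tooling; the configuration layout (sub-commands indented under "ssl server-policy policy-name"), the policy names and the sample text are assumptions constructed for illustration.

```python
# Added example, not HP code. Assumes sub-commands are indented under "ssl server-policy <name>".
NON_FIPS = {"rsa_3des_ede_cbc_sha", "rsa_des_cbc_sha", "rsa_rc4_128_md5", "rsa_rc4_128_sha"}

def parse_policies(config):
    """Return {policy_name: [sub-command lines]} from saved configuration text."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("ssl server-policy "):
            current = policies.setdefault(line.split()[2], [])
        elif current is not None and raw.startswith(" ") and line:
            current.append(line)
        else:
            current = None  # any other top-level line ends the policy block
    return policies

def audit(config):
    """Return {policy_name: [finding, ...]}; an empty list means nothing was flagged."""
    report = {}
    for name, cmds in parse_policies(config).items():
        findings = []
        suites = [w for c in cmds if c.startswith("ciphersuite") for w in c.split()[1:]]
        if not suites:
            findings.append("no ciphersuite line: default supports all cipher suites")
        for s in sorted(NON_FIPS.intersection(suites)):
            findings.append(f"{s}: not available in FIPS mode")
        if not any(c.startswith("pki-domain") for c in cmds):
            findings.append("no pki-domain: none is specified by default")
        verify = "client-verify enable" in cmds
        if not verify:
            findings.append("client-verify not enabled: clients are not authenticated")
        if "client-verify weaken" in cmds:
            findings.append("client-verify weaken: weak client authentication" if verify
                            else "client-verify weaken without client-verify enable: no effect")
        report[name] = findings
    return report

SAMPLE = """\
ssl server-policy web
 ciphersuite rsa_aes_128_cbc_sha rsa_rc4_128_md5
 client-verify weaken
ssl server-policy mgmt
 pki-domain dom1
 ciphersuite rsa_aes_256_cbc_sha
 client-verify enable
"""  # constructed sample; policy and domain names are hypothetical

if __name__ == "__main__":
    print(audit(SAMPLE))
```

For the constructed sample, the "web" policy is flagged four times (RC4 suite, missing PKI domain, no client verification, ineffective weaken setting) and "mgmt" is clean.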